You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 29 Next »

How do I access the HARICA service?

HARICA Cert Manager is available at: https://cm.harica.gr.  HARICA services can also be accessed via the API - API documentation can be found here: https://developer.harica.gr/ and https://guides.harica.gr/docs/Guides/Developer/1.-Register-and-log-in/

https://cm-stg.harica.gr/ can be used to test and get to know the service. 

How do I get support from HARICA?

Please use the following support address: support-tcs@harica.gr. 

What are the "levels" of authorisation called in the HARICA Service?

  • Enterprise Manager = NREN Staff.
  • Enterprise Admin = Organisational Staff with authorisation.

What is the onboarding process for HARICA?

The process is shown in the image below: 


Where can I find supporting material for HARICA?

There are detailed support guides available at: https://guides.harica.gr/

The following guides have also been created to explain the "Enterprise" workflow used for TCS: 

Is SAML Supported? 

TCS members that are also Identity Providers in eduGAIN must release the following attributes:

  • givenName (oid:2.5.4.42)
  • surname (oid:2.5.4.4)
  • mail (oid:0.9.2342.19200300.100.1.3)
  • edupersonTargetedID (oid:1.3.6.1.4.1.5923.1.1.1.10)

and may also release:

  • eduPersonPrimaryAffiliation (oid:1.3.6.1.4.1.5923.1.1.1.5)
  • eduPersonPrincipalName (required by GEANT for IGTF Personal Certificates) (oid:1.3.6.1.4.1.5923.1.1.1.6)
  • eduPersonEntitlement (required for IGTF Personal Certificates) (oid:1.3.6.1.4.1.5923.1.1.1.7)
    • Make sure you only send the values associated with TCS to HARICA SPs. Use "urn:mace:terena.org:tcs:personal-user" to signal permission to issue IGTF Personal Certificates
  • schacHomeOrganization (oid:1.3.6.1.4.1.25178.1.2.9),

to the following HARICA EntityIDs:

Known issues:

  • Multiple values in the mail attribute is currently not supported.

Can I order EV Certificates?

EV certificates are NOT included in the HARICA TCS offer as we no longer see any value in supporting this certificate type as a default option. It is possible to purchase these (EV TLS) and other types of certificates (Code Signing, Qualified Electronic Signatures/Seals, QWACs) and remote signing services on an individual basis from HARICA if required for specific use cases.

Where can I find information about the HARICA roots?

This is available at: https://repo.harica.gr/rep_dyn

How Do I use ACME?

You will need to use: https://acme.harica.gr/TCS-DV/directory and to follow the instructions at: https://guides.harica.gr/docs/Guides/Server-Certificate/ACME-Instructions/.  You will also need the KeyID and HMAC key – please contact your NREN for this information. 

What Type of Certificate Do I Need?

Domain Validation (DV), Organisation Validation (OV) and Extended Validation (EV) certificates were designed to give a different level of confidence in the certificate types because the Certificate Authority carries out more stringent checks on the organisation requesting the certificate at each level.  Browsers used to signal this in the address bar, and the idea was the user could make different decisions based on this security level.  Placing this level of technical knowledge on the user has now been broadly debunked and this information is no longer prominently signalled.

For the same key size and encryption algorithm DV/OV/EV certs are indistinguishable in terms of encryption security.  In most popular browsers, there is now no easily visible difference between these certificate types unless the user looks deep into the certificate settings.  The increased levels of validation requirements also make automation harder, and with changes to certificate validity periods once more being discussed by the CA/B Forum, automation should now be considered essential by all organisations. 

For the majority of use cases, DV certificates should serve your purposes well.  You may find certain implementations or use cases still insist on OV or EV certificates and these can still be obtained via TCS (at an extra cost for EV), but we recommend using DV for most circumstances. 

Why Not Just Use Let's Encrypt?

Let's Encrypt is a great free service and works well for many use cases, but has some limitations that a managed service like TCS can help with.  This includes:

  • Certificate life cycle management through an easy to use and read portal - any administrator can get a clear overview of ordered certificates and their lifespan. 
  • Ability to order multiple certificate types from one place. 
  • OV and EV as an option for specific use cases. 
  • Support for IGTF certificates (coming soon!). 
  • A support desk. 
  • No rate limits (Let's Enrypt limits the number of requests you can make in certain time periods).
  • EU based terms and conditions and contractual terms negotiated for you. 
  • Additional certificate types alongside server certificates. 

Why Is My Certificate Not Trusted?

If you are seeing an issue where a HARICA certificate shows as not trusted or not valid, this typically means that the system using the certificate does not have access to the root or intermediary certificate.  There's normally a way for these to be added - we suggest you contact the service owner or helpdesk for the service.  All roots and intermediaries can be found at: https://repo.harica.gr/rep_dyn

Some of examples of where we have found solutions to these problems:

Why won't my CSR upload? 

  • Make sure it is a csr and not the certificate itself!  (-----BEGIN CERTIFICATE REQUEST-----). 
  • Make sure there's no spaces or breaking lines before or after the request. 

How Do I Request a Wildcard?

Wildcard certificates can be requested using the normal processes.  If you request a wildcard (e.g. *.geant.org) there's no need to also include geant.org in the request.

How Do I Request an IGTF OV Server Certificate?

Firstly, the organisation must be configured to enable IGTF certificates. A “Tags” button has been added to the Enterprise Information page (upper right corner). This can be used to toggle IGTF certificate issuance on. 

Organisations can then request an IGTF server certificate as part of the normal server workflow by ticking the appropriate box.

How are notfication emails for expiring S/MIME-certs done? 

For single requests the users receive an expiration notification 30, 15, 5 and 1 day prior from the CertManager portal, to their email address which is in the certificate.

For bulk requests the users receive an expiration notification only 30 days prior, from the CA, to their email address which is in the certificate. The email is like the following message.

The certificate with serial number xxxxxxxxxxxx, for the entity with Distinguished Name E=xxxxx@auth.gr, CN=Aristotle University of Thessaloniki, O=Aristotle University of Thessaloniki,L=Thessaloniki,C=GR, which has been issued by CN=HARICA S/MIME RSA SubCA R3, O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR, expires on 2025-05-14 10:14:45+03:00.

When the s/mime certificates from bulk requests will be registered to s/mime certificates tab also, then the users will receive an expiration notification 30, 15, 5 and 1 day prior from CertManager portal, to their email address which is in the certificate.

How do I order an IGTF Personal / Personal Automated certificate? 

For users logging into CertManager via SSO, whose identity provider supplies both the eduPersonPrincipalName (ePPN) and the entitlement urn:mace:terena.org:tcs:personal-user, the following options will be
available:

GÉANT Personal Authentication
GÉANT Personal Automated Authentication

Additionally, if the Enterprise admin has enabled the IGTF-Organization tag, the GÉANT Organization Automated Authentication option will also be available.

As discussed, the SubjectDN will be automatically ASCII-fied. However, if a custom ASCII-fied name is required, an Enterprise admin may submit a request directly to HARICA support at support-tcs@harica.gr.
We will then update the custom value in the Name ASCII-fied field under their Enterprise, which will override the automated ASCII-fication.

Finally, Enterprise Admins can assign the Client Authentication Approver role to members. While no approvals are required for IGTF client authentication certificates, since they are issued automatically, these approvers will still have visibility into all certificate requests submitted within their Enterprise.

How do I use ACME? 

There are two options for using ACME with HARICA

Enterprise AdminAvailable in all accounts TLS OVinstead of ACME challenges, the validations in CertManager (in the list of domains) are used(sub)domains both with include and exclude configurable in CertManager
Enterprise User  (End Users)Can be switched on manually (see below)TLS DVuser must always do an ACME challenge (http or dns) for domain validationall domains within the Enterprise

A domain MUST have been added to the Enterprise before ACME can be used for that domain. 

ACME for Enterprise Admins

Enterprise Admins can create EAB (External Account Binding) credentials that can be used for specific domains. It is then possible to skip domain validation in your ACME client.

  • Go to “Enterprise” → “Admin” and then select the “ACME” tab at the top:


  • Accounts can be created with "Create+". The friendly name is here intended to help you identify the account more easily in the list: 

  • Once the account is created, you need to define the scope of domains. To do this, select the account and go to the "Domains" tab:

  • After this, use the EAB credentials under "Details" in your favorite ACME client or communicate them via a secure channel to the administrator who will be working with them. 

ACME for End Users

This is an additional implementation of ACME, which has functionally similar to Let's Encrypt: end users are given access (with a personal HMAC key) to an ACME server on which they can request certificates, as long as they can perform DCV during the ACME transaction.

  • Enabling is done once by an Enterprise Admin via Enterprise → Admin → select Enterprise → Click on the organization under "Legal Name" → press the "tags" button at the top right (picture of a label). There the switch for #ACME-Personal can be turned on:

Harica_CertManager_-_Enterprises.jpeg


  • This will make a new ACME button available to all users in the left menu to manage ACME accounts. When using Personal ACME, a DNS-01 or HTTP-01 challenge must be performed for each certificate and the HMAC key must be specified.


  • No labels