You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Current »

All documentation for the TCS will be added here.  We are working to update the specific TCS Practice Statements, until further notice the Technical Addendum for the 5th generation TCS server augments the existing TCS CPS documents (both for Server and Personal certificates). Products not described therein are subject to the provider (HARICA) CP and CPS:

Table of Contents

Certificate Practice Statements and Addenda

The following GEANT TCS specific practices and technical addenda are applicable to the 5th generation TCS service:

The Technical Addendum is an integral part of the CPS document suite and augments the TCS CPS for both Server and Personal certificates.

Private Root and Issuing Authorities (5th generation TCS)

Certificate revocation lists for each of these CAs:

The OCSP end-point for the GEANT TCS private CAs is http://ocsp.geant-prv.harica.gr 

Root and Intermediate for server (TLS) certificates

For the RSA certificate chain

For the ECC certificate chain

Installation in Apache httpd's mod_ssl

To create the 'SSLCertificateChainFile' for Apache, concatenate the issuing CA (e.g. CN=GEANT TLS RSA 1) and the cross-signed root (e.g. CN=HARICA TLS RSA Root CA 2021 in its cross-signed variety), and specify this file in the Apache mod_ssl configuration. The server certificate itself goes into a separate file ('SSLCertificateFile') in PEM format, and the private kay also in its own file ('SSLCertificateKeyFile').

Installation in Nginx

For Nginx in the ssl_certificate directive in the http {} section, you would include your server certificate (downloaded from CM), the issuing CA (e.g. CN=GEANT TLS RSA 1) and the cross-signed root (e.g. CN=HARICA TLS RSA Root CA 2021 in its cross-signed variety) in that order in a single file. The private key goes (separately) in the file specified under ssl_certificate_key .

Obtained your TLS server certificate before March 6?

Note: in case you obtained an OV certificate before March 6, 2025, you will have received server certificates signed by the 'generic' HARICA TLS issuer:

Policy Management Authority

The GEANT TCS Policy Management Authority consists of PKI policy experts appointed by GÉANT, the contracting party for the TCS. The TCS PMA members oversee the TCS CPS texts.  For efficiency purposes, TCS PMA membership is restricted to a limited number of participants selected from the community. GÉANT is ultimately responsible for the TCS PMA membership.

  • No labels