All documentation for the TCS will be added here. We are working to update the specific TCS Practice Statements, until further notice the Technical Addendum for the 5th generation TCS server augments the existing TCS CPS documents (both for Server and Personal certificates). Products not described therein are subject to the provider (HARICA) CP and CPS:
- HARICA Certificate Practice Statement
- HARICA Subscriber Agreement
- HARICA Privacy Notice
- HARICA Repository and authority meta-data
Table of Contents
Certificate Practice Statements and Addenda
The following GEANT TCS specific practices and technical addenda are applicable to the 5th generation TCS service:
The Technical Addendum is an integral part of the CPS document suite and augments the TCS CPS for both Server and Personal certificates.
Private Root and Issuing Authorities (5th generation TCS)
Certificate revocation lists for each of these CAs:
- Research and Education Trust RSA Root CA 5: CRL http://crl.geant-prv.harica.gr/GEANT-TCS-Root-R5.crl
- Research and Education Trust ECC Root CA 5: CRL http://crl.geant-prv.harica.gr/GEANT-TCS-Root-E5.crl
- GEANT TCS Authentication RSA CA 5: CRL http://crl.geant-prv.harica.gr/GEANT-TCS-Client-Auth-R5.crl
- GEANT TCS Authentication ECC CA 5: CRL http://crl.geant-prv.harica.gr/GEANT-TCS-Client-Auth-E5.crl
The OCSP end-point for the GEANT TCS private CAs is http://ocsp.geant-prv.harica.gr
Root and Intermediate for server (TLS) certificates
For the RSA certificate chain
- Issuing CA for GEANT OV TLS (RSA): CN=GEANT TLS RSA 1,O=Hellenic Academic and Research Institutions CA,C=GR
- Cross-signed Intermediate Root CA for GEANT OV TLS (RSA): CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR (for maximum compatibility applications, otherwise do not include in chain)
For the ECC certificate chain
- Issuing CA for GEANT OV TLS (ECC): CN=GEANT TLS ECC 1,O=Hellenic Academic and Research Institutions CA,C=GR
- Cross-signed Intermediate Root CA for GEANT OV TLS (ECC): CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR (for maximum compatibility applications, otherwise do not include in chain)
Just in case you obtained an OV certificate before mid-February 2025 from the 'generic' TLS issuer:
- Issuing CA for HARICA OV TLS (RSA): CN=HARICA OV TLS RSA,O=Hellenic Academic and Research Institutions CA,C=GR
- Issuing CA for HARICA OV TLS (ECC): CN=HARICA OV TLS ECC,O=Hellenic Academic and Research Institutions CA,C=GR
- use the same cross-signed intermediate Root CA (RSA and ECC respectively) as for the GEANT-specific issuer if needed (see above)
To create the 'CertificateChainFile' for Apache, concatenate the issuing CA (e.g. CN=GEANT TLS RSA 1) and the cross-signed root (e.g. CN=HARICA TLS RSA Root CA 2021 in its cross-signed variety), and specify this file in the Apache mod_ssl configuration. For Nginx in the ssl_certificate directive in the http {} section, you would include your server certificate (downloaded from CM), the issuing CA (e.g. CN=GEANT TLS RSA 1) and the cross-signed root (e.g. CN=HARICA TLS RSA Root CA 2021 in its cross-signed variety) in that order in a single file. The private key goes (separately) in the file specified under ssl_certificate_key .
Policy Management Authority
The GEANT TCS Policy Management Authority consists of PKI policy experts appointed by GÉANT, the contracting party for the TCS. The TCS PMA members oversee the TCS CPS texts. For efficiency purposes, TCS PMA membership is restricted to a limited number of participants selected from the community. GÉANT is ultimately responsible for the TCS PMA membership.