HARICA Cert Manager is available at: https://cm.harica.gr. HARICA services can also be accessed via the API - API documentation can be found here: https://developer.harica.gr/ and https://guides.harica.gr/docs/Guides/Developer/1.-Register-and-log-in/.
https://cm-stg.harica.gr/ can be used to test and get to know the service.
Please use the following support address: support-tcs@harica.gr.
The process is shown in the image below:
There are detailed support guides available at: https://guides.harica.gr/.
The following guides have also been created to explain the "Enterprise" workflow used for TCS:
TCS members that are also Identity Providers in eduGAIN must release the following attributes:
and may also release:
to the following HARICA EntityIDs:
Known issues:
EV certificates are NOT included in the HARICA TCS offer as we no longer see any value in supporting this certificate type as a default option. It is possible to purchase these (EV TLS) and other types of certificates (Code Signing, Qualified Electronic Signatures/Seals, QWACs) and remote signing services on an individual basis from HARICA if required for specific use cases.
This is available at: https://repo.harica.gr/rep_dyn.
You will need to use: https://acme.harica.gr/TCS-DV/directory and to follow the instructions at: https://guides.harica.gr/docs/Guides/Server-Certificate/ACME-Instructions/. You will also need the KeyID and HMAC key – please contact your NREN for this information.
Domain Validation (DV), Organisation Validation (OV) and Extended Validation (EV) certificates were designed to give a different level of confidence in the certificate types because the Certificate Authority carries out more stringent checks on the organisation requesting the certificate at each level. Browsers used to signal this in the address bar, and the idea was the user could make different decisions based on this security level. Placing this level of technical knowledge on the user has now been broadly debunked and this information is no longer prominently signalled.
For the same key size and encryption algorithm DV/OV/EV certs are indistinguishable in terms of encryption security. In most popular browsers, there is now no easily visible difference between these certificate types unless the user looks deep into the certificate settings. The increased levels of validation requirements also make automation harder, and with changes to certificate validity periods once more being discussed by the CA/B Forum, automation should now be considered essential by all organisations.
For the majority of use cases, DV certificates should serve your purposes well. You may find certain implementations or use cases still insist on OV or EV certificates and these can still be obtained via TCS (at an extra cost for EV), but we recommend using DV for most circumstances.
Let's Encrypt is a great free service and works well for many use cases, but has some limitations that a managed service like TCS can help with. This includes:
If you are seeing an issue where a HARICA certificate shows as not trusted or not valid, this typically means that the system using the certificate does not have access to the root or intermediary certificate. There's normally a way for these to be added - we suggest you contact the service owner or helpdesk for the service. All roots and intermediaries can be found at: https://repo.harica.gr/rep_dyn.
Some of examples of where we have found solutions to these problems:
Wildcard certificates can be requested using the normal processes. If you request a wildcard (e.g. *.geant.org) there's no need to also include geant.org in the request.
Firstly, the organisation must be configured to enable IGTF certificates. A “Tags” button has been added to the Enterprise Information page (upper right corner). This can be used to toggle IGTF certificate issuance on.
Organisations can then request an IGTF server certificate as part of the normal server workflow by ticking the appropriate box.
