SANET TCS 2015 - 2020 FAQ for administrators
Note: this document is about the DigiCert service 2015-2020. For the new Sectigo service 2020-, please see SANET TCS 2020- Information for administrators.
Use the Live Chat function at https://www.digicert.com/. If you cannot get the issue solved that way, contact SANET TCS.
Email tcs@sanet.sk after making sure that this FAQ list does not contain the answer.
At SANET TCS Server Subscriber Agreement (version 2015.1). As you can see, it contains the required legalese mandated in the model TCS Subscriber Agreement at the GÉANT document repository above.
For the moment, at GÉANT wiki: Trusted Certificate Service (new TCS) home. You will find information about the DigiCert portal there, as well as information learnt during the earlier testing phases.
It is the result of TERENA and DANTE joining forces. That also means that TCS now stands for Trusted Certificate Service, not TERENA Certificate Service. You may still see TERENA used in the certificate names, where it would hurt to change the names.
Follow the same procedure as new members (see next question).
Download SANET TCS Subscriber Registration Form (version 2.1). Fill it in and send it (all pages) to the address stated at the end. We will create a division for you in the DigiCert portal. As part of that, your chosen admin contact gets an email from DigiCert and will be able to set his/her password. He/she will become the first administrator for your division. Make sure that person is available to handle the email before you apply.
Your initial administrator can add more administrators using the New User button under Account → Manage Users. Do not forget to select the Administrator Role.
Use the New Organization button under Certificates → Organizations. We recommend that you use your official Slovak name as Legal name. Do not fill in Assumed name. Use the most senior member of your TCS team as your Validation Contact.
You might want to check that the organization name you request is the one that is used for your organization in databases listing companies, government agencies etc. (e.g. Statistical Register of Organisations, well-known search sites like www.zlatestranky.sk, telefonny.zoznam.sk, etc.).
We recommend that you validate for all certificate types from the start. You can read more at the GÉANT TCS Wiki page about Validation.
Yes, you can. If your university is made up of several legal entities (companies, foundations etc) you might have to register more than one organization. However, you should not create organizations for departments, schools etc that are really part of the same legal entity as the university (or similar) as such.
Use the Add Domain button under Certificates → Domains. The domain will be registered as belonging to an Organization you already added. Make sure that the domain is registered to that legal entity in the public databases (check with https://www.sk-nic.sk/ first for .sk domains). You can enter one or more domains for validation while the organization validation is still pending.
DigiCert will use public databases and may also make phone calls and send emails to verify the provided information. Make sure that you are available for that during the day.
Domain validation emails will be sent to a list of addresses based on the domain name (e.g. {admin,administrator,hostmaster,postmaster,webmaster}@yourdomain.sk) as well as addresses registered in WHOIS databases. All addresses are used simultaneously, but you only need to act on one of the emails.
Verify that you can receive email to at least one of the fixed addresses above before submitting the domain for validation. As of 2015-04-01, the automatic DigiCert emails are sent from support@digicert.com or admin@digicert.com. Before contacting DigiCert or SANET about emails not received, please check your spam filters.
During the test phase, DigiCert has validated our organizations and domains quickly. We expect that to be the case during production too. If the validation stalls with no detectable progress for a couple of hours, use the DigiCert Live Chat (see above) and ask them about the status.
During the test phase, we have seen instances of DigiCert being "helpful" and changing the organization name when they found something similar to what you asked for, for example validating "University of Whatever Holding AB" instead of "University of Whatever". If that happens to you, use the DigiCert Live Chat (see above) to explain that they have made an error and ask them to correct it at once.
Yes. As name components in grid (e-Science) certificates are not allowed to contain non-ASCII characters, you need to validate an additional organization with a name not containing the non-ASCII characters. For example, if your normal organization is "Technická univerzita v Košiciach", you should also get "Technicka univerzita v Kosiciach". Check your customer information in https://tcs.sanet.sk to make sure you request the same name as before.
You should then be able to add the domain or domains you want grid (e-Science) certificates for under the new special organization.
Yes! Go to Certificates → Organizations and select the right organization. Then click Submit for Validation. In the popup, check "EV" and select the right administrator as "EV Verified User". Then click Submit for Validation again.
No. You need a user in the system to be able to request a certificate. As an administrator, use the Add User button under Account → Users. Select the User Role, not Administrator, for this kind of user. The user will get an email and gets to set his/her password.
After logging in at http://www.digicert.com/account/, go to Certificates and press the Request a Certificate button. Select the right type of certificate, press Order Now, fill in the form and use Submit Certificate Request.
This is for server certificates outside of the grid (e-Science) world. Use
For server and robot certificates in the grid (e-Science) world.
Do not request client/personal certificates using this portal.
See the GÉANT Wiki page about Document Signing certificates.
Logged in as an administrator, go to Certificates → Requests, select the pending request, and FIXME!
Logged in as an administrator, use Certificates → Orders and select the certificate. You will find buttons for downloading, reissuing and revoking the certificate.
It is included together with the certificate and instructions in the email the requester gets (and that you can download via Orders → Certificate Orders as discussed above).
No, they are different. Do not reuse your saved files from the Comodo system.
You could use openssl s_client -connect www.terena.org:443 (replacing www.terena.org with your address). You then have to check the lines following "Certificate chain" in the output to see that it contains more than the server certificate. The following is an OK example for an EV certificate:
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=NL/serialNumber=40535155/street=Singel 468D/postalCode=1017 AW/C=NL/ST=Noord-Holland/L=Amsterdam/O=G\xC3\x89ANT Association/OU=Amsterdam office/CN=godzilla.terena.org
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
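The manual check described above can be scripted. The following is an added example, not part of the original FAQ or of any SANET or DigiCert tooling: it reads openssl s_client output, counts the certificates in the "Certificate chain" section and checks that each issuer matches the next subject. The function name chain_summary and the www.example.sk sample subject are constructed for illustration; the CA names are taken from the example output above.

```shell
# Added example: summarise the "Certificate chain" section of
# `openssl s_client` output read from stdin as "<count> <status>":
#   ok = 2+ certificates, each issued by the next one in the list
#   missing-intermediate = only the server certificate was sent
#   broken-link = an issuer does not match the next subject
#   no-chain = no "Certificate chain" section found
chain_summary() {
    awk '
        BEGIN                { n = 0 }
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        !in_chain            { next }
        /^ *[0-9]+ s:/       { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/              { sub(/^ *i:/, ""); iss[n++] = $0 }
        END {
            if (n == 0)      status = "no-chain"
            else if (n == 1) status = "missing-intermediate"
            else             status = "ok"
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) status = "broken-link"
            print n, status
        }'
}

# Constructed sample: server certificate plus the intermediate CA.
sample_full() {
    cat <<'EOF'
---
Certificate chain
 0 s:/C=SK/O=Example University/CN=www.example.sk
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
EOF
}

# Constructed sample: the intermediate CA was not installed on the server.
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:/C=SK/O=Example University/CN=www.example.sk
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
---
EOF
}

sample_full      | chain_summary    # prints: 2 ok
sample_leaf_only | chain_summary    # prints: 1 missing-intermediate
```

Against a live server, pipe the command from above into the function, for example openssl s_client -connect www.terena.org:443 </dev/null 2>/dev/null | chain_summary (replacing www.terena.org with your address).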