SANET TCS 2020- Information for administrators

This is for administrators at SANET TCS members for the 2020- "Sectigo generation" of the SANET TCS service.

For the 2015-2020 "DigiCert generation" of the SANET TCS Service, please see SANET TCS 2015-2020 FAQ for administrators. End users, please see SANET TCS documentation at your organization.

Our SANET instance of SCM

Our SANET instance of the Sectigo Certificate Manager is at https://cert-manager.com/customer/sanet

To access it, you need to have your organization and your admin user(s) set up. See below under "Getting access to the system".

Getting help

Help from SANET TCS

Email tcs@sanet.sk after making sure that this document does not contain the answer to your question or a solution to your problem.

Help from Sectigo Support

If instructed by SANET TCS or this document, contact Sectigo Support using https://sectigo.com/support-ticket with your support question/problem. Unless instructed otherwise, select "SCM Support" as the reason for the ticket. In the description, include a line saying "We are a SANET member of the GEANT TCS service, using the https://cert-manager.com/customer/sanet SCM instance."

Sectigo Documentation

Sectigo documentation can be found at https://support.sectigo.com/Com_KnowledgeProductPage?c=Sectigo_Certificate_Manager_SCM

Some highlights:

Differences from the DigiCert generation 2015-2020

New vendor, new web interface

Sectigo is the new vendor for TCS instead of DigiCert. We are using their Sectigo Certificate Manager (SCM) instead of DigiCert CertCentral. The rest of this section describes the most important changes you need to understand.

No "division" objects in the new system

There is no concept of divisions in SCM as there was in DigiCert CertCentral.

No "User level users"

In DigiCert CertCentral, there were two basic kind of users: "Administrators", who could order/approve certificates, change settings and do other admin level stuff, and "Users" who could only request certificates (but who were nevertheless authenticated by logging into CertCental just like the Administrators).

In the SCM, there are basically only Administrator level users. In fact, the SCM does not talk about users, it talks about admins. That means that you cannot have users logging in to the SCM who can only request certificates. See below under "SSL certificates" for solutions to this.

Departments

The SCM lets you create Departments under Organizations. Just like the Organization name is what goes into the O= of a certificate, the Department name is what goes into the OU= of a certificate. You can use Departments in two ways:

MRAO, RAO, DRAO!

There are three levels of admins in the SCM, all called something with RAO (Registration Authority Officer) in the name:

It is a bit more complicated than that: a RAO is connected to one or more organizations, and a DRAO to one or more departments, and there is also the possibility to only have the right for SSL certificates, client certificates and/or code signing certificates. Thus, an admin could be "RAO - SSL Certificates" and "RAO - client certificates" for Organization A, while also being "DRAO - SSL Certificates" for a department belonging to another organization.

The first admin you will get when joining with your organization will be RAO for all certificate types and for your organization.

Getting access to the system

Members of the "Digicert generation" 2015-2020 service

To get access to the new system, email tcs@sanet.sk with a subject line like "TCS2020: organization name" and tell us:

1. The statutory name of your organization.. e.g. Example university.

2. Identification number (IČO) assigned to your organization (this is often stated in the Description of your DigiCert Division but please verify it - search the Register of Organizations provided by the Statistical Office).

e.g. IČO 01234567

3. Do you specifically require key escrow to be enabled for Personal Certificates issued within your Org? The private keys would be stored at Sectigo, so that an admin can recover them. SANET discourages this. It is a choice that cannot be changed once made. e.g. No!
4. Org admin's first name. e.g. Jan
5. Org admin's last name. e.g. Novák
6. Org admin's email address. e.g.: jan.novak@example.com
7. Org admin's phone number. e.g. +421 x yyyyyyyy
8. Org admin's preferred user name. e.g.: jnovak
9. Org admin's initial password. ASCII chars only, can be shor: replaced immediately upon first login e.g. example-password

We know that Sectigo uses at least http://www.orsr.sk/Default.asp?lan=en and https://www.zrsr.sk/default.aspx?LANG=en and possibly also https://finstat.sk/ and https://rpo.statistics.sk/rpo/?lang=en to check address and postal code, so please try to find a record there for your organization and use that address line and postal code if it is not obviously wrong (it's not likely that people will rely on the address information in your OV certificates to send you paper mail...). Also, they seem to prefer the visiting address over the mailing adress (korešpondenčná adresa) so please use the former.

If you try to use other address/postal code information you risk having your organization validation delayed. You are encouraged to include a direct link to the matching record in your email.

New members (not in the "DigiCert generation" 2015-2020 service)

If you have not been a member of the 2015-2020 "DigiCert generation" of the service, you are still welcome to join. SANET TCS is available to all Research and/or Educational and/or non-commercial members of SANET without extra charge. Contact tcs@sanet.sk about membership in the service. Do not send any paper documents before that.

Please note that during the spring of 2020 we are prioritizing bringing the current members over to the new service.

Validation

Domains

You must validate one or more domains before you can have certificates issued. There are multiple steps in this process. This is how you add the domain example.org:

  1. Make sure that you are not having CAA records in your DNS zone that forbids Sectigo from issuing certificates for the domain. If that is the case, domain validation will fail too. Having no CAA records is OK, as is having CAA records mentioning "sectigo.com" as approved.
  2. Go to Settings → Domains → Delegations and press the Add button. Fill in the domain name (example.org) and the optional description. Select the type of certificates (SSL, client, CS) that should be enabled for this domain. For your main domain you would typically enable all of them, but for most additional domains you would only enable SSL certificates. If you have set up Departments and this domain should be delegated to the DRAOs of that department, expand the selection line and enable the domain for the right department and the appropriate types too.
  3. Use Add again, embrace the cargo cult, and redo exactly the same step for the domain name with "*." prepended to it (*.example.org in our example).
  4. Wait for a SANET MRAO to approve your domain delegations. Unfortunately, this step is necessary at this time, but we have asked Sectigo to remove it. When this is done, the delegation status will be Approved and you can proceed to the next step.
  5. Switch from the Delegations to the DCV tab.  Click on the the right line to check it, and use the DCV button that appears to initiate DCV. Select method:
  6. Follow the instructions for the method you selected. 
  7. When the validation is OK, you will see Validation Status as Validated in the DCV tab. In the Delegations tab, the domain itself should also be shown as Validated. The extra record with "*." prepended will still show as Not Validated for some time (hours to a day) and will then be updated to be Validated too.
  8. You are now ready to use this domain and its subdomains for certificate requests. You do not have to wait for the "*"-prepended domain to be shown as Validated.

Additional organizations

If you need additional organization names (values for the O= part of a certificate), that will have to be added by a SANET MRAO for you. Follow the same steps as for your first organization (see above under "Getting access to the system"), but instead of providing information about a "first admin", tell us the usernames for the administrators of your "main organization" that should also be RAOs for the new organization.

Note: you will not add an extra organization ("Banicka skola" in addition to "Banícka škola") for a name without non-ASCII characters for grid certificates, as that will be handled differently. We will update this document when Sectigo has provided the details.

Departments

To add a department:

Admins connected to the department

You can now go on to create admins (see below) that are DRAOs connected to just this department instead of being RAOs for the whole organization.

Domains connected to the department

If you add department admins (DRAOs) that can approve certificates for their department, you will most likely want to limit them to their own domain (department-example.com) or a subdomain of your main domain (department.example.org) if we imagine that your main domain is example.org.

In the first case with a completely new domain for the department, follow the normal domain validation procedure above to add department-example.com and *.department-example.com with delegation to the department and initiate DCV as you did for your main domain.

In the second case with a subdomain of your already validated main domain, you will still add department.example.org and *.departement.example.org with delegation to the department but you will not have to initiate DCV again, as the SCM is smart enough to know that example.org is already validated. As for your main domain, you should expect department.example.org to show as Validated at once, and *.department.example.org with some delay.

Admins

You create additional admins (RAOs for your whole organization or DRAOs for departments you have created) under the Admins tab with the Add button. You can also edit existing admins by clicking on the line to check them and then using the Edit button.

We strongly recommend that you create personal admin users (not shared ones), to be able to see who has done what in the system.

It has been reported that some privileges (management of peer admins, Allow DCV) cannot be assigned by one RAO to another. If that affects your organization email tcs@sanet.sk to have it fixed manually. Tell us the usernames involved and what privileges you want to add. We'd like that email to come from an admin that already has "Allow creating/editing of peer admin users" instead of the admin who wants more privileges.

Locked Account

You can get locked if you fail to login a number of times. You will then get an "Incorrect login details, account is locked, password has expired or your source IP is blocked." message when you try to login, even if you use the correct password. It will be the case even if your password have been changed by another admin who can do that for you. This requires the lock to be reset and that can only be done by an MRAO, so you need to contact tcs@sanet.sk.

SSL Certificates

Applying for and approving certificates in the SCM as an admin

Go to Certificates → SSL Certificates and press Add to request a certificate.

If your admin has the "Allow SSL auto approve" privilege selected, the certificate will be automatically approved (which makes sense, because why would you have entered all the information above if you did not want to approve the certificate?) and will show up as "Applied".

If your admin does not have that privilege selected, the certificate will show up as "Requested" and you will have to approve it by selecting it and using the Approve button.

When the certificate has been issued, its status will be shown as "Issued" and you will get an email about it.

If needed, you can also download the certificate by clicking on the line to check it and using the Details button, then the Select button to the right of "Download The Certificate".

Notes on specific certificate types

GÉANT OV SSL

Currently (2020-04-08), if you use the GÉANT OV SSL type and request a certificate for mail.test.example.org, you will get that name put in a DNS Subject Alternative Name, but you will also get a DNS Subject Alternative Name for www.mail.test.example.org . We recommend that you use GÉANT OV Multi-Domain instead if you do not want this, as no extra www-prepended name is added for that type. This has been reported to GÉANT.

EV Certificates

If you need EV certificates, talk to tcs@sanet.sk about how to proceed before you do anything at all in the SCM, as the procedure will not be to just to request an individual EV certificate. Also, we would very much like to work with you to document the process, so we can document it here for the benefit of other members.

IGTF (Grid) Certificates

We are waiting for the grid certificate profiles to be correct before advising you about them.

Allowing non-admins to request certificates

You can allow persons who are not admins in the SCM to request certificates ("enroll" in Sectigo-speak). To do that, go to Settings → Organizations and select your organization and select Edit. (Or, if this should apply only to a departement, after selecting the organization, use the Departments button, select the department, and use Edit on that instead).

Client Certificates

Self-service portal via SAML

Configuring your IdP and the SCM to enable the portal

The self-service portal is located at https://cert-manager.com/customer/sanet/idp/clientgeant

For it to work for your users, you need to

For it to work for your users who need IGTF/grid certificates, you also need to:

Configuring your relying servers (for grid/IGTF)

For the "normal" client certificates, you should not need to configure anything.

For the grid/IGTF certificates, make sure that your servers have an up-to-date IGTF Trust Anchor Distribution that includes trust for "/C=NL/O=GEANT Vereniging/CN=GEANT eScience Personal CA 4" (for example found in the ca_GEANTeSciencePersonalCA4-1.109-1.noarch.rpm or newer RPM package)

Using the portal

The instructions here are geared towards certificate-aware RAOs. You may need to expand on this when providing instructions for your end users, for example by showing them where to import certificates in your supported web browsers, etc.

This is how you get a certificate:

Revoking client certificates

End users cannot revoke certificates themselves in the self-service portal. Instruct them to contact you if revocation is needed. You as RAOs can revoke certificates by going to Certificates → Client Certificates, selecting the right person, clicking Certificates, selecting the right certificate and clicking Revoke.

Issuing client certificates using the SCM

Note: this is a backup solution. The main way to issue client certificates is via the self-service portal discussed above. With that understood, this is how you can issue personal certificates using the SCM:

Things worth noting:

Code Signing Certificates

We will update this section when a SANET TCS member has found the need for a code signing certificate, gone through the procedure and shared the experience with us.

Notifications

Under Settings → Notifications you can add and edit what notifications the system will send you when certain conditions are met. Use the Add button to have a look at the various Notification Types that are available.

If you have a need to change the text in the emails sent from the system, you can do that under Settings → Templates → Email TemplateIf you do, please report your experience with that feature (good or bad) to tcs@sanet.sk.

SAML Configuration

Configure your IdP to work with Sectigo

SAML login is activated for the SANET instance of SCM but you need to configure the attribute manually in your Identity Provider due to that the SCM entity in metadata has no defined entity category. The reason behind this is that Sectigo has registered their Service Provider in inCommon and they can't issue the European only entity category .GÉANT Dataprotection Code of Conduct.

The following single valued attributes should be released to the entityId https://cert-manager.com/shibboleth:

safeID will add instructions on how to configure Shibboleth IdP to release attributes required for TCS.

Test that your IdP is correctly configured

After your Identity Provider administrators has configured the attribute release you should test it at https://cert-manager.com/customer/sanet/ssocheck. In this test only eduPersonPrincipalName and mail is required but for the upcoming personal certificates givenName, sn, displayName, schacHomeOrganization and eduPersonEntitlement (also displayed in the test) will be required. To further dig down and test you can look at https://cert-manager.com/Shibboleth.sso/Session after a login to see what attributes was released from your Identity Provider and recognised by Sectigo.

Using the REST API

Sectigo REST API documentation can be found at https://support.sectigo.com/Com_KnowledgeProductPage?c=API_Documentation in the "SCM - Sectigo Certificate Manager REST API"  document.

Authentication is via login name and password for a RAO or DRAO admin. The customerUri is "sanet".

We recommend that your create separate RAO or DRAO admins to use with the API instead of reusing the same admins as for web UI work. To create an API-only admin:

More gotchas we have discovered, so you do not have to discover them too:

 ACME support

There is support for ACME and we will update this section as we get feedback from members testing ACME funcionality.

Miscellaneous Questions

What about the expiring certificates in the certificate chain?

Some of you may have noticed that the chain certificates we get from Sectigo contains a certificate at the top with CN = AddTrust External CA Root and an expiration on 2020-05-30. For an explanation of why this should not cause problems for you, please see "Sectigo AddTrust External CA Root Expiring May 30, 2020" on the Sectigo site.

You may also notice that the next level down in the chain is CN = USERTrust RSA Certification Authority which also expires on 2020-05-30, and that is the certificate that has signed the CN = GEANT OV RSA CA 4  certificate that in turn has signed the SSL certificate for your server. That also seems bad, doesn't it? It turns out that certificate is there to support the CN = AddTrust External CA Root "feature" and that there is another version of CN = AddTrust External CA Root present in the root store of the browsers (using the same key) which is valid until 2038-01-18, and that is the one that matters and makes the browser trust the GEANT-branded CA certificate and therefore your server certificate.

The conclusion is that things will work after 2020-05-30 too.

2020-06-02: There are reports from other NRENs that some TLS-inspecting software/boxes take exception to the expired certificates present in this chain. There is also reports of non-browser clients not working. To get an idea of what may break, you can have a look at documentation from Carnegie Mellon University on what has been affected (as they use Sectigo via InCommon).

If this affects you, update the chain to only include the GEANT CA certificate as described below. 

What if we see "AAA Certificate Services" instead of "AddTrust External CA Root"?

Starting at the beginning of May 2020, the chain we get from Sectigo instead contains the root certificate with CN = AAA Certificate Services expiring at the end of 2028, and the next level is CN = USERTrust RSA Certification Authority with the same expiry date. This is their new workaround for legacy environments, but as far as we know it will not cause problems for modern browsers/operating systems.

Do we really need all those certificates in the chain?

No. You should be fine with only the GEANT-branded sub-CA certificate (CN = GEANT OV RSA CA 4 or similar) configured as chain certificate in your server. That CA certificate is signed by a version of CN= USERTrust RSA Certification Authority that is present in modern browser/OS trust stores and similar.

Where can we check if our server sends the correct chain?

We recommend Qualys SSL Server Test which tests this and and a lot of other useful things (most of them related to you server configuration, not the certificates as such). For the chain specifically, look at the "Chain issues" heading where you want to see "None" (if you have trimmed the unnecessary certificates from the chain) or "Contains anchor" (if you have kept the full set).