SANET TCS Server: Frequently Asked Questions

Note: this FAQ is about the new generation of SANET TCS Server being introduced during the spring of 2015. You can also find an FAQ for the existing system that can be used until 2015-07-01.

Getting Help

How do we get help with DigiCert portal, validation and certificate issues?

Use the Live Chat function at https://www.digicert.com/. If you cannot get the issue solved that way, contact SANET TCS.

How do we contact SANET TCS to get help or to report problems?

Email tcs@sanet.sk after making sure that this FAQ list does not contain the answer.

Getting Information

Where do we find the Certificate Practice Statements and related documents?

At https://www.terena.org/activities/tcs/repository-g3/

Where do we find the the SANET TCS Server Subscriber Agreement (version 2015.1)?

At SANET TCS Server Subscriber Agreement (version 2015.1). As you can see, it contains the required legalese mandated in the model TCS Subscriber Agreement at the GÉANT document repository above.

Where do we find the GÉANT Association home pages for the new TCS?

For the moment, at GÉANT wiki: Trusted Certificate Service (new TCS) home. You will find information about the DigiCert portal there, as well as information learnt during the earlier testing phases.

What is the GÉANT Association?

It is the result of TERENA and DANTE joining forces. That also means that TCS now stands for Trusted Certificate Service, not TERENA Certificate Service. You may still see TERENA using in the certificate names, where it would hurt to change the names.

Starting to Use the New System

We were members of the Comodo generation of SANET TCS Server. How do we get access to the new system?

Follow the same procedure as new members (see next question).

We were not members of the Comodo generation of SANET TCS Server. How do we get access to the new system?

Download SANET TCS Subscriber Registration Form (version 2.1). Fill it in and send it (all pages) to the address stated at the end. We will create a division for you in the DigiCert portal. As part of that, your chosen admin contact gets an email from DigiCert and will be able to set his/her password. He/she will become the first administrator for your division. Make sure that person is available to handle the email before you apply.

How do we get the rest of our administrators added?

Your initial administatror can add more administrators using the New User button under Account → Manage Users. Do not forget to select the Administrator Role.

Gettting Validated

How do we get our organization validated for use?

Use the New Organization button under Certificates → Organizations. We recommend that you use your official Slovak name as Legal name. Do not fill in Assumed name. Use the most senior member of your TCS team as your Validation Contact.

You might want to check that the organization name you request is the one that is used for your organization in databases listing companies, government agencies etc (e.g. Statistical Register of Organisations, well-known search sites like www.zlatestranky.sk, telefonny.zoznam.sk, etc.)

We recommend that you validate for all certificate types from start. You can read more at the GÉANT TCS Wiki page about Validation.

Can we have more than one organization validated?

Yes, you can. If your university is made up of several legal entities (companies, foundations etc) you might have to register more than one organization. However, you should not create organizations for departments, schools etc that are really part of the same legal entity as the university (or similar) as such.

How do we get our domains validated for use?

Use the Add Domain button under Certificates → Domains. The domain will be registered as belonging to an Organization you already added. Make sure that the domain is registered to that legal entity in the public databases (check with https://www.sk-nic.sk/ first for .sk domains). You can enter one or more domains for validation while the organization validation is still pending.

What happens during validation?

DigiCert will use public databases and may also make phone calls and send emails to verify the provided information. Make sure that you are available for that during the day.

Domain validation emails will be sent to a list of addresses based on the domain name (e.g. {admin,administrator,hostmaster,postmaster,webmaster}@yourdomain.sk) as well as addresses registered in WHOIS databases. All addresses are used simultaneously, but you only need to act on one of the emails.

Verify that you can receive email to at least one of the fixed addresses above before submitting the domain for validation. As of 2015-04-01, the automatic DigiCert emails are sent from support@digicert.com or admin@digicert.com. Before contacting DigiCert or SANET about emails not received, please check your spam filters.

What if the validation stalls?

During the test phase, DigiCert has validated our organizations and domains quickly. We expect that to be the case during production too. If the validation stalls with no detectable progress for a couple of hours, use the DigiCert Live Chat (see above) and ask them about the status.

What if they validate the wrong thing?

During the test phase, we have seen instances of DigiCert being "helpful" and changing the organization name when they found something similar to what you asked for, for example validating "University of Whatever Holding AB" instead of "University of Whatever". If that happens to you, use the DigiCert Live Chat (see above) to explain that they have made an error and ask them to correct it at once.

We want grid (e-Science) certificates and have an organization name containing á, é, í, ĺ, ó, ŕ, ú, ý, č, ď, ľ, ň, š, ť, ž, ä or ô. Do we need to do something special?

Yes. As name components in grid (e-Science) certificates are not allowed to contain non-ASCII characters, you need to validate an additional organization with a name not containing the non-ASCII characters. For example, if you normal organization is "Technická univerzita v Košiciach", you should also get "Technicka univerzita v Kosiciach". Check your customer information in https://tcs.sanet.sk to make sure you request the same name as before.

You should then be able to add the domain or domains you want grid (e-Science) certificates for under the new special organization.

Can we validate more than one administrator for EV?

Yes! Go to Certificates → Organizations and select the right organization. Then click Submit for Validation. In the popup, check "EV" and select the right adminstrator as "EV Verified User". Then click Submit for Validation again.

Requesting Certificates

Can anybody enter a certificate request into the system?

No. You need a user in the system to be able to request a certificate. As an administrator, use the Add User button under Account → Users. Select the User Role, not Administrator, for this kind of user. The user will get an email and gets to set his/her password.

How do we request a certificate?

After logging in at http://www.digicert.com/account/, go to Certificates and press the Request a Certificate button. Select the right type of certificate, press Order Now, fill in the form and use Submit Certificate Request

What SSL Certificate types should we use?

This is for server certificates outside of the grid (e-Science) world. Use

What Grid Certificate types should we use?

For server and robot certificates in the grid (e-Science) world.

What Client Certificate types should we use?

Do not request client/personal certificates using this portal.

What Code Signing types should we use?

See the GÉANT Wiki page about Code Signing certificates.

What Document Signing types should we use?

See the GÉANT Wiki page about Document Signing certificates.

How do we approve requested certificates?

Logged in as an administrator, go to Certificates → Requests, select the pending request, and FIXME!

Managing Certificates

How do we manage existing certificates?

Logged in as an administrator, use Certificates → Orders and select the certificate. You will find buttons for downloading, reissuing and revoking the certificate.

Certificate Chaining

How do we get the certificate chain?

It is included together with the certificate and instructions in the email the requester gets (and that you can download via Orders → Certificate Orders as discussed above).

Are the chain and root certificates the same as for the Comodo generation of the service?

No, they are different. Do not reuse your saved files from the Comodo system.

How do we check if the server sends a good certificate chain?

You could use openssl s_client -connect www.terena.org:443 (replacing www.terena.org with your address). You then have to check the lines following "Certificate chain" in the output to see that it contains more than the server certificate. The following is an OK example for an EV certificate:

Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=NL/serialNumber=40535155/street=Singel 468D/postalCode=1017 AW/C=NL/ST=Noord-Holland/L=Amsterdam/O=G\xC3\x89ANT Association/OU=Amsterdam office/CN=godzilla.terena.org
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL High Assurance CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA