Digital Certificates Service - Technical FAQ

Last update 09/01/2025

On-boarding:

Which information is required for being on-boarded?
When will our organization be on-boarded?

Harica Certificate Manager:

How do I login to the Harica Certificate Manager?
How can I get the Admin and Approver role?
Can we receive notifications?
What is the CAA DNS record to use for Harica?
How to do a Domain Control Validation for all (root) domains?
Where can I find more information about the interface?

Features:

Will there be ACME support?
Can we use an API?
SAML support

About certificates:

What certificates are available with Harica?
What are the subcategories of SSL Certificates?
Can we still have Grid Certificates equivalent in Harica?
Can I request a Personal/Client Certificate?
Can I request an EV (Extended Validation) certificate?
Are Document Signing Certificates available via Harica?
Are code signing certificates available?
My server certificate is not issued by a well known Certificate authority (CA). Did I forget something?

Generic certificate related information:

What is a PKI?
What is a CSR?
Are Unicode or ASCII encoded strings valid in CSR?
What about key length?
What's a PKCS-12 file?
What are SHA-1, SHA-2, SHA-256, SHA-384, etc. ?

Which information is required for being on-boarded?

To on-board your organization we need some details:

Legal name of your organization (like listed in the Crossroads Bank for Enterprises)
Enterprise number
Notification email alias
Primary domain, preferable used for your email

When will our organization be on-boarded?

We will start on-boarding organizations from 14 January 2025.

These are the steps for the on-boarding proces:

Belnet will add the information for your organization to the Harica Certificate Manager
Harica will do some basic checks and activate your organization (without organization validation!)
Your admins can register for a new account on https://cm.harica.gr (see below)
When the email matches the provided primary domain, you will be linked to your organization.
If you are not linked to your organization after login, let us know so we can do this manually
The first user of your organization must request the Enterprise Admin role to Belnet
Once you have the Enterprise Admin role, you can add domains and complete domain validation
DV certificates will then be available for validated domains

Upon request, Harica will perform the organization validation. Once completed, you can also request OV certificates.

More information can be found in the Enterprise Admin Guide.

How do I login to the Harica Certificate Manager?

Go to https://cm.harica.gr
The first time you need to register your account:
- Click on 'Sign Up'
- Provide the Email address, preferably within the provided primary domain
- Complete the required fields
- Check your email to confirm the registration of your account
Now login with your newly created account
Enable 2 Factor Authentication
- In the top right click on your name → Profile
- Then enable "Two-Factor Authentication (2FA)"
- You can use your preferred TOTP-app (eg Google Authenticator)
When your login used the primary domain, you will login to your enterprise account

How can I get the Admin and Approver role?

First you have to enable 2FA on your account
Next another admin or your organization or Belnet can assign the admin and/or approver role to you

More information can be found in the Enterprise Admin Guide and Enterprise Approver Guide.

Can we receive notifications?

Currently all notifications (new requests ready for approval, certificate expiration warnings, etc) are sent to the email address provided. We recommend using an email alias for this, so you can redistribute to the necessary users.

What is the CAA DNS record to use for Harica?

When you are using CAA DNS records for your domains to limit certificate issuance by certain CA only, make sure you have the CAA record for Harica:

yourdomain.be. 3600 IN CAA 0 issue "harica.gr"

How to do a Domain Control Validation for all (root) domains?

Info not yet available

Where can I find more information about the interface?

Find all the necessary information on: https://guides.harica.gr/

Will there be ACME support?

More information soon

Can we use an API?

Currently only the basic API is available: https://developer.harica.gr/

The Enterprise Admin API function will be available later.

SAML support

Organizations that are also Identity Providers in eduGAIN must release the following attributes:

givenName
sn
email
edupersonTargetedID

and may also release:

eduPersonPrimaryAffiliation
eduPersonPrincipalName (required by GEANT for GRID Client Authentication Certificates)
eduPersonEntitlement (values TBD)

to the following HARICA EntityIDs:

PRODUCTION
- “https://www.harica.gr/simplesamlphp/module.php/saml/sp/metadata.php/pki-grnet-sp”
STAGING:
- “https://cm-stg.harica.gr/simplesamlphp/module.php/saml/sp/metadata.php/harica-cm-stg-sp”
DEV:
- “https://cm-dev.harica.gr/saml/module.php/saml/sp/metadata.php/harica-cm-dev-sp”.

Known issues:

Multiple values in the mail attribute is currently not supported.

What certificates are available with Harica?

SSL Certificates
S/Mime (Client)

What are the subcategories of SSL Certificates?

DV SSL
OV SSL

Can we still have Grid Certificates equivalent in Harica?

To check

Can I request a Personal/Client Certificate?

To check

Can I request an EV (Extended Validation) certificate?

EV certificates are not included.

Are Document Signing Certificates available via Harica?

To check

Are code signing certificates available?

More information soon

My server certificate is not issued by a well known Certificate authority (CA). Did I forget something?

You probably forgot to download and install the keychainfile of trust along with your certificate in your webserver.

What is a PKI?

PKI (public key infrastructure) is an operational deployment of a public key cryptographic system, using certificates, CAs, RAs, etc. Its purpose is to let different parties verify the digital identities of people or servers. While not mandatory, PKI uses certificates as its basic building block.

What is a CSR?

CSR (certificate signing request) is a document containing all data that need to be signed in order for a certificate (public key and identity) to be issued by a certificate authority.

Are Unicode or ASCII encoded strings valid in CSR?

Yes, both are valid. Simply select the type within the request page (Unicode is set by default, but you may use ASCII if you prefer).

What about key length?

We recommend a minimum of 2048-bit for key length.

What's a PKCS-12 file?

It is a file format to handle certificates as a whole (including public and private keys) and to permit to the transport of certificates from one machine to another one, for example.

What are SHA-1, SHA-2, SHA-256, SHA-384, etc. ?

SHA stands for Secure Hash Algorithm. SHAs are split into several families: currently SHA-1, SHA-2 and SHA-3. All are algorithms that compute a hash of a message with a certain length in terms of the number of bits used:

SHA-1 hashes are 160 bits long.
SHA-2, lengths are of 224, 256, 384 and 512 bits long (and thus the associated names SHA-256, SHA-384, etc.)
SHA-3 is the future new NIST standard to replace SHA-2 but, while known and documented, is not published as a standard yet, and thus, not considered as an algorithm to be used in production environments.

Did you find this FAQ useful?

Your opinion is important to us, could you explain what needs to be improved to make this FAQ more useful or clearer?

Service concerned

CAPTCHA

What code is in the image?

Enter the characters shown in the image.

This question is to verify whether you are a human visitor and to prevent automated spam messages.