Digital Certificates Service - Technical FAQ

Last update 21/01/2025

On-boarding:

Which information is required for being on-boarded?
When will our organization be on-boarded?
 

Harica Certificate Manager:

How do I login to the Harica Certificate Manager?
How can I get the Admin and Approver role?
Can we receive notifications?
What is the CAA DNS record to use for Harica?
How to do a Domain Control Validation for all (root) domains?
Can I delete domains linked to my company?
Where can I find more information about the interface?
When changing role and/or validator groups on the Account Info page, the new values are not shown after Save
Why does certificate request remain Pending?
 

Features:

How to use ACME?
Can we use an API?
SAML support
 

About certificates:

What certificates are available with Harica?
What are the subcategories of SSL Certificates?
Can I request OV Certificates?
Can we still have Grid Certificates equivalent in Harica?
Can I request a Personal/Client Certificate?
Can I request an EV (Extended Validation) certificate?
Are Document Signing Certificates available via Harica?
Are code signing certificates available?
My server certificate is not issued by a well known Certificate authority (CA). Did I forget something?

Generic certificate related information:

What is a PKI?
What is a CSR?
Are Unicode or ASCII encoded strings valid in CSR?
What about key length?
What's a PKCS-12 file?
What are SHA-1, SHA-2, SHA-256, SHA-384, etc. ?

 

Which information is required for being on-boarded?

To on-board your organization we need some details:

  • Legal name of your organization (as listed in the Crossroads Bank for Enterprises)
  • Enterprise number
  • Notification email alias
  • Primary domain, preferably the one used for your email

 

When will our organization be on-boarded?

We will start on-boarding organizations from 14 January 2025.

These are the steps of the on-boarding process:

  • Belnet will add the information for your organization to the Harica Certificate Manager
  • Harica will do some basic checks and activate your organization (without organization validation!)
  • Your admins can register for a new account on https://cm.harica.gr (see below)
  • When the email matches the provided primary domain, you will be linked to your organization.
  • If you are not linked to your organization after login, let us know so we can do this manually
  • The first user of your organization must request the Enterprise Admin role from Belnet
  • Once you have the Enterprise Admin role, you can add domains and complete domain validation
  • DV certificates will then be available for validated domains

Upon request, Harica will perform the organization validation. Once completed, you can also request OV certificates.

More information can be found in the Enterprise Admin Guide.

 

How do I login to the Harica Certificate Manager?

  • Go to https://cm.harica.gr
  • The first time you need to register your account:
    • Click on 'Sign Up'
    • Provide the Email address, preferably within the provided primary domain
    • Complete the required fields
    • Check your email to confirm the registration of your account
  • Now login with your newly created account
  • Enable 2 Factor Authentication
    • In the top right click on your name → Profile
    • Then enable "Two-Factor Authentication (2FA)"
    • You can use your preferred TOTP app (e.g. Google Authenticator)
  • When you log in with an address in the primary domain, you will be logged in to your enterprise account

     

How can I get the Admin and Approver role?

  • First you have to enable 2FA on your account
  • Next, another admin of your organization, or Belnet, can assign the Admin and/or Approver role to you

More information can be found in the Enterprise Admin Guide and Enterprise Approver Guide.

 

Can we receive notifications?

Currently all notifications (new requests ready for approval, certificate expiration warnings, etc.) are sent to the email address provided. We recommend using an email alias for this, so you can redistribute the notifications to the necessary users.

 

What is the CAA DNS record to use for Harica?

If you use CAA DNS records to restrict which CAs may issue certificates for your domains, make sure you have a CAA record that authorizes Harica:

yourdomain.be. 3600 IN CAA 0 issue "harica.gr"

Optionally, for wildcard certificates:

yourdomain.be. 3600 IN CAA 0 issuewild "harica.gr"
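As an added example (not part of this FAQ), the following Python script applies the RFC 8659 evaluation rules to CAA records written in the zone-file format shown above, to confirm that a record set really authorizes harica.gr for plain and for wildcard names; the zone lines inside it are constructed samples.

```python
import re

HARICA_CA = "harica.gr"

# One zone-file CAA line, e.g.:  yourdomain.be. 3600 IN CAA 0 issue "harica.gr"
_CAA_RE = re.compile(
    r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$', re.I)

def parse_caa(zone_text):
    """Group CAA records by owner name: {owner: [(flags, tag, value), ...]}."""
    rrsets = {}
    for line in zone_text.splitlines():
        m = _CAA_RE.match(line.strip())
        if m:
            owner, flags, tag, value = m.groups()
            rrsets.setdefault(owner.lower(), []).append(
                (int(flags), tag.lower(), value.strip()))
    return rrsets

def _ca_of(value):
    # A value may carry parameters, e.g. "harica.gr; validationmethods=dns-01"
    return value.split(";", 1)[0].strip().lower()

def may_issue(rrset, ca=HARICA_CA, wildcard=False):
    """RFC 8659: may `ca` issue for this name (wildcard or not) under `rrset`?"""
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild overrides issue for wildcard names; otherwise issue governs
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True          # no restriction for this kind of name
    return any(_ca_of(v) == ca for v in relevant)   # 'issue ";"' matches no CA

# Constructed sample zone: first name allows HARICA, second blocks wildcards.
SAMPLE_ZONE = """\
yourdomain.be.  3600 IN CAA 0 issue "harica.gr"
yourdomain.be.  3600 IN CAA 0 issuewild "harica.gr"
nowild.be.      3600 IN CAA 0 issue "harica.gr"
nowild.be.      3600 IN CAA 0 issuewild ";"
"""

def check_zone(zone_text, ca=HARICA_CA):
    """Return {owner: (plain_ok, wildcard_ok)} for every name in the zone."""
    return {owner: (may_issue(rrs, ca), may_issue(rrs, ca, wildcard=True))
            for owner, rrs in parse_caa(zone_text).items()}

if __name__ == "__main__":
    for owner, (plain, wild) in check_zone(SAMPLE_ZONE).items():
        print(f"{owner:16} issue={plain}  issuewild={wild}")
```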

 

How to do a Domain Control Validation for all (root) domains?

Before you can request a certificate for a domain, you must add the domain to your organization and then perform domain validation (DCV).

An Enterprise Admin can perform domain validation (DCV) from the Enterprise → Admin menu.
More information can be found in the Enterprise Admin Guide.

 

Can I delete domains linked to my company?

It is not possible to delete domains linked to your company in the Harica portal, even if you have the Enterprise Admin role. 

To delete domains, please create a ticket at the Belnet service desk. We will forward the request to Harica.

 

Where can I find more information about the interface?

Find all the necessary information on: https://guides.harica.gr/

 

When changing role and/or validator groups on the Account Info page, the new values are not shown after Save

When editing the Account Info of an Enterprise Admin/Approver, you may notice that the change you made is not displayed.

To see it, leave the Users pane, navigate somewhere else and then return to the Account Info settings. The new values should now be displayed correctly.

 

Why does certificate request remain Pending?

Each certificate request must be approved by a different approver: you cannot approve your own request.

Therefore, each organization needs at least 2 approvers.

 

How to use ACME?

Harica currently offers limited ACME support:

  • DV certificates only
  • No pre-validation of your domains is used, so each request is validated again via an HTTP-01 or DNS-01 challenge.
  • EAB (External Account Binding) is required, but only one account without settings is available

Harica anticipates expanded ACME support, presumably in March 2025.

Please open a ticket through our ServiceDesk to request ACME details. 

Here is an example of how to use ACME via certbot (on Linux):

  • First, register the account on the server:

certbot register --email <your_email_address> --agree-tos --server https://acme.harica.gr/TCS-DV/directory --eab-kid <your_eab_kid> --eab-hmac-key <your_hmac>

  • Then pass '--server ...' with each certbot call, e.g. to request a new certificate:

certbot certonly --apache --server https://acme.harica.gr/TCS-DV/directory -d test.belnet.be,newtest.belnet.be
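The --eab-kid and --eab-hmac-key values tie your new ACME account to the EAB account Harica issued you. As an added example (not certbot's or Harica's code), this Python script builds and verifies the External Account Binding JWS from RFC 8555 section 7.3.4 that certbot sends inside its newAccount request; the key ID, HMAC key, account JWK and newAccount URL in it are constructed placeholders.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding that an --eab-hmac-key value lacks."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(eab_kid, eab_hmac_key, account_jwk, new_account_url):
    """Client side: the JWS placed in the newAccount request's 'externalAccountBinding'.
    The payload is the ACME account's public key (JWK); the MAC ties it to the EAB key."""
    header = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(eab_hmac_key), f"{protected}.{payload}".encode(),
                   hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab(eab, eab_hmac_key, expected_kid, expected_url):
    """Server side: alg, kid and url must match and the MAC must verify, so a JWS
    made for another CA or another EAB account is rejected."""
    header = json.loads(b64url_decode(eab["protected"]))
    if (header.get("alg"), header.get("kid"), header.get("url")) != \
            ("HS256", expected_kid, expected_url):
        return False
    mac = hmac.new(b64url_decode(eab_hmac_key),
                   f"{eab['protected']}.{eab['payload']}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(mac), eab["signature"])

# Constructed placeholders, not real HARICA credentials or URLs.
EAB_KID = "example-kid-0001"
EAB_HMAC_KEY = b64url(b"0123456789abcdef0123456789abcdef")
NEW_ACCOUNT_URL = "https://acme.example.invalid/newAccount"  # read from the directory in practice
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}  # dummy point

if __name__ == "__main__":
    eab = build_eab(EAB_KID, EAB_HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, EAB_HMAC_KEY, EAB_KID, NEW_ACCOUNT_URL))
```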

 

Can we use an API?

Currently only the basic API is available: https://developer.harica.gr/

The Enterprise Admin API function will be available later.

 

SAML support

Organizations that are also Identity Providers in eduGAIN must release the following attributes:

  • givenName
  • sn
  • email
  • eduPersonTargetedID

and may also release:

  • eduPersonPrimaryAffiliation
  • eduPersonPrincipalName (required by GEANT for GRID Client Authentication Certificates)
  • eduPersonEntitlement (values TBD)

to the following HARICA EntityIDs:

Known issues:

  • Multiple values in the mail attribute are currently not supported.

 

What certificates are available with Harica?

  • SSL Certificates
  • S/Mime (Client)

     

What are the subcategories of SSL Certificates?

  • DV SSL
  • OV SSL (After validation of the organization by Harica)

     

Can I request OV Certificates?

Initially, only DV (Domain Validated) certificates will be available. 

OV certificates can only be requested when your organization has been validated by Harica. This is expected to be from the end of January (2025). 

Belnet provides the OV 'evidence' to Harica, so you no longer need to upload it yourself as Enterprise Admin.

 

Can we still have Grid Certificates equivalent in Harica?

To check

 

Can I request a Personal/Client Certificate?

To check

 

Can I request an EV (Extended Validation) certificate?

EV certificates are not included.

 

Are Document Signing Certificates available via Harica?

To check

 

Are code signing certificates available?

Code signing certificates are not included.

 

My server certificate is not issued by a well known Certificate authority (CA). Did I forget something?

You probably forgot to download and install the certificate chain file (the CA certificates) along with your certificate on your web server.

Harica uses two recent root certificates: 'HARICA TLS RSA Root CA 2021' and 'HARICA TLS ECC Root CA 2021'. These are included in the trust store of recent software.
To ensure compatibility with older clients, there are also versions of these root certificates that are cross-signed by an older root certificate, e.g. 'Hellenic Academic and Research Institutions ECC RootCA 2015'.
When downloading your certificate you can choose PEM Bundle, which also contains the 2015 RootCA.
You can also look up and download the necessary CA certificates yourself at https://repo.harica.gr/rep_dyn.php.

 

What is a PKI?

PKI (public key infrastructure) is an operational deployment of a public key cryptographic system, using certificates, CAs, RAs, etc. Its purpose is to let different parties verify the digital identities of people or servers. While not mandatory, PKI uses certificates as its basic building block.

 

What is a CSR?

A CSR (certificate signing request) is a document containing all the data (public key and identity) that a certificate authority signs in order to issue a certificate.

You generate the CSR preferably on your server. But if necessary, you can also use Harica's online tool: https://www.harica.gr/en/Tools/KeyGeneration

 

Are Unicode or ASCII encoded strings valid in CSR?

Yes, both are valid. Simply select the type within the request page (Unicode is set by default, but you may use ASCII if you prefer).

 

What about key length?

We recommend a minimum of 2048-bit for key length.

 

What's a PKCS-12 file?

It is a file format that handles a certificate as a whole (including its public and private keys) and allows, for example, the transport of certificates from one machine to another.

 

What are SHA-1, SHA-2, SHA-256, SHA-384, etc. ?

SHA stands for Secure Hash Algorithm. SHAs are split into several families, currently SHA-1, SHA-2 and SHA-3. All are algorithms that compute a hash of a message; they differ in the length of that hash in bits:

  • SHA-1 hashes are 160 bits long.
  • SHA-2 hashes are 224, 256, 384 or 512 bits long (hence the names SHA-256, SHA-384, etc.).
  • SHA-3 is the future NIST standard intended to replace SHA-2, but, while known and documented, it is not yet published as a standard and is thus not considered an algorithm to be used in production environments.
Copyright © 2025 Belnet.