...

Help from SUNET TCS

Email tcs@sunet.se after making sure that this document does not contain the answer to your question or a solution to your problem. Do not email Kent's personal email address.

Help from Sectigo Support

If instructed by SUNET TCS or this document, or if you are waiting for a certificate stuck in Applied, contact Sectigo Support using:

...

  • Use case type "Validation Support" and case reason "Certificate Validation" for issues related to certificates (delays, problems with the contents, etc).
    • Use case type "Technical Support" and case reason "Sectigo Certificate Manager (SCM)" for issues with SCM not related to certificates per se.

  • Include the certificate order number in the specific field for that.

    • If the ticket is about more than one certificate, include one order number (the most important one?) in that field, and include all of the order numbers in the description. 

...

  • In the description, include a line at the top saying "We are a SUNET member of the GEANT TCS service, using the https://cert-manager.com/customer/sunet SCM instance."
  • Describe the problem, for example "The following certificates are stuck in Applied instead of being issued. Please issue them or tell us what we need to do."

If you need urgent support, contact tcs@sunet.se for help with escalation. Tell us the support case number. Also tell us other information we need to know (for example order numbers and CNs in the case of delayed certificates).

Sectigo Documentation

Sectigo documentation can be found at https://support.sectigo.com/Com_KnowledgeProductPage?c=Sectigo_Certificate_Manager_SCM

...

The SCM lets you create Departments under Organizations. Just like the Organization name is what goes into the O= of a certificate, the Department name is what used to go into the OU= of a certificate. You can use Departments in two ways:

  • Just as a tool to sort certificates (and, earlier, to get the correct OU= set), but it will still be the Organization's admins doing the approval.
  • To delegate approval of certificates to department admins for their department. In most(?) cases that would be combined with registering a subdomain (or a completely different domain) and restricting the department to that.

Since the summer of 2022, OU is no longer present in the certificates due to decisions within the CA/Browser Forum, so the Department name no longer shows up in issued certificates. Departments are still useful for sorting and for delegated approval.

MRAO, RAO, DRAO!

There are three levels of admins in the SCM, all called something with RAO (Registration Authority Officer) in the name:

...

See below under Notifications about adding that for DCV Expiration.

Deleting Domains

There is no way for a RAO or DRAO to delete a domain from the system. If this is needed, contact tcs@sunet.se for help.

Additional organizations

...

  • Go to Organizations and click on the organization line to check it, then use the Add Departments button to bring up the listing window and press (plus) in the card shown for the Organization.
  • Fill in the desired department name in the Department Name field. The rest of the name components will be as for your organization. Do not fill in the Secondary Organization Name or Academic code.
  • Do not enter EV Details. On the second page, select Client Certificates and disable "Allow Key Recovery by Master Administrators" and "Allow Key Recovery by Department Administrators" (key recovery lets those admins retrieve the escrowed private keys of server-generated client certificates, which is why it should stay off). It will already be disabled for Organization Administrators as that was part of the organization setup done by SUNET.
  • Do not fret over other options on the various tabs, as they can be changed later. Do not enable or change things you do not understand. Finish using the Save button.

Admins connected to the department

...

We strongly recommend that you create personal admin users (not shared ones), to be able to see who has done what in the system.

It was earlier the case that some privileges (management of peer admins, Allow DCV) could not be assigned by one RAO to another. This is no longer the case: if you can create/edit peer admin users, you can delegate your privileges too.

Note: the Automatically approve certificate requests privilege seems to be a bit misnamed after recent changes. Without it, the admin does not get the manual Approve button either. Thus, you need to set this privilege for admins that should be able to request and approve certificates.

Locked Account

You can get locked out if you fail to login a number of times. You will then get an "Incorrect login details, account is locked, password has expired or your source IP is blocked." message when you try to login, even if you use the correct password. This is the case even if your password has been changed by another admin who can do that for you. The lock needs to be reset, and that can only be done by an MRAO, so you need to contact tcs@sunet.se.

...

The self-service portal is located at https://cert-manager.com/customer/sunet/idp/clientgeant


For it to work for your users, you need to

  • Have your IdP configured correctly for Sectigo. See below under "SAML Configuration".
  • Edit your organization object (use the pencil icon when the main Edit Organization card is shown) and set "Academic code (SCHAC Home Organization)" to the same value as your IdP sends for schacHomeOrganization. It will typically be your main domain, but confirm this with your IdP admins. If you cannot edit this yourselves, contact tcs@sunet.se and tell us what to enter.

For it to work for your users who need IGTF/grid certificates, you also need to:

  • Edit your organization object (use the pencil icon when the main Edit Organization card is shown) and set "Secondary Organization Name" to the name used in grid certificates (with åäö transcribed correctly to ASCII if needed, and with the same upper/lowercase conventions that you have used before with DigiCert). Please check existing certificates if you are unsure or as a last resort, ask us at SUNET TCS to help you check. As grid certificate subjects are used as "usernames" in systems, it is vital that the whole subject string is kept as it was before for your users.
  • Email tcs@sunet.se about this so that we can ask for a validation of the secondary name as you cannot perform this step yourself.

...

For the grid/IGTF certificates, make sure that your servers have an up-to-date IGTF Trust Anchor Distribution that includes trust for "/C=NL/O=GEANT Vereniging/CN=GEANT eScience Personal CA 4" (for example found in the ca_GEANTeSciencePersonalCA4-1.105-1.noarch.rpm or newer RPM package). From September 2023, you also need "C=NL, O=GEANT Vereniging, CN=GEANT TCS Authentication RSA CA 4B" (and the corresponding ECC version) and its root "O=Research and Education Trust, CN=Research and Education Trust RSA Root CA" (and its corresponding ECC version).

Revalidating your organisation


After the change at the beginning of September 2023, your organisation needs to be revalidated to be able to issue "GÉANT Personal email signing and encryption" certificates. Send an email to tcs@sunet.se with the subject "Validering" followed by your organization name so we can take care of this for you. If you try to do it yourselves you may accidentally lose the ability to issue server certificates while the validation is ongoing.

Using the portal

The instructions here are geared towards certificate-aware RAOs. You may need to expand on this when providing instructions for your end users, for example by showing them where to import certificates in your supported web browsers, etc.

...

  • Go to https://cert-manager.com/customer/sunet/idp/clientgeant, select your organization's IdP and login there.
  • Select the right certificate profile:
    • Use "GÉANT Personal email signing and encryption" for a normal client certificate for email signing etc outside of the grid/IGTF world (this used to be "GÉANT Personal Certificate").
    • Use "GÉANT IGTF-MICS Personal Authentication" for a grid/IGTF personal (client) certificate for normal use (this used to be "GÉANT IGTF-MICS Personal").
    • Use "GÉANT Personal Automated Authentication" for a grid/IGTF robot personal certificate (seldom used; this used to be "GÉANT IGTF-MICS-Robot Personal").
  • Select the number of days the certificate should be valid.
  • Select if you want the key generated on the server side or locally. While the former is more convenient, there may be policy reasons or technical reasons for not using that:
    • Use "Key Generation" as Enrollment Method if you want a certificate with the key generated on the server side.
    • Use "CSR" as Enrollment Method if you do not want the key generated on the server side. You will have to provide the CSR file via file upload or by pasting it into the text box.
  • If you choose to provide the CSR, you must first have created your key and CSR locally, using whatever software you use for that. With OpenSSL, that could be:

    openssl req -new -newkey rsa:2048 -out usercert_request.pem -keyout userkey.pem -subj '/CN=Mitt Namn'
    chmod go= userkey.pem
    cat usercert_request.pem
  • If you choose to generate the certificate on the server side, you must provide:
    • The requested type and key size. Choose RSA-2048 unless you need a longer key and have tested that it works. Contact SUNET TCS if you need elliptic curve client certificates or RSA-8192.
    • The password used to encrypt the PKCS#12 file that will be generated.
    • 2023-06-12: It seems the default key protection algorithm "Secure AES256-SHA256" does not work on macOS for importing into the Keychain, while it does work for direct import in Firefox. Select the non-default key protection algorithm "Compatible TripleDES-SHA1" instead. That is the legacy PKCS#12 encoding (3DES with SHA-1 based key derivation) and weaker than AES-256, so use a strong password on the file and delete it once the certificate has been imported.
  • Click "Submit" and accept the click-through license.
  • After a short while, you will get to download your certificate. The format depends on your choice above:
    • With "Key Generation", you will get a PKCS#12 file called certs.p12 containing key and certificate. You can import that in your browser using "Import Certificate" or similar.
    • With "CSR", you will get a PEM-formatted certs.pem containing just the certificate. If you need it in your web browser, you need to create a PKCS#12 file yourself. With OpenSSL as above, that could be:

      openssl pkcs12 -export -inkey userkey.pem -in certs.pem -out certs.p12
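The CSR path above carried through end to end, as an added example that is not from this page: key and CSR made locally with the key file protected from the start, a check that the downloaded certificate actually belongs to that key before anything is packaged, and the PKCS#12 built with OpenSSL. Assumptions: OpenSSL 1.1.1 or 3.x on PATH, passphrases in the environment variables TCS_KEY_PASS and P12_PASS, and a self-signed stand-in (stub_issue) where the real flow uploads the CSR to the portal and downloads certs.pem.

```shell
#!/bin/sh
# Added example, not from the SUNET page: the "CSR" enrollment path end to end.
# Assumptions: OpenSSL 1.1.1 or 3.x on PATH; TCS_KEY_PASS (key passphrase) and
# P12_PASS (PKCS#12 password) set in the environment; stub_issue is a constructed
# stand-in for downloading certs.pem from the portal.
set -eu

# 1. Key and CSR made locally. The subshell umask makes userkey.pem mode 0600
#    from the moment it is written instead of chmod'ing it afterwards.
make_key_and_csr() {           # $1 = working directory, $2 = Common Name
    ( umask 077 && openssl req -new -newkey rsa:2048 \
          -keyout "$1/userkey.pem" -passout env:TCS_KEY_PASS \
          -out "$1/usercert_request.pem" -subj "/CN=$2" 2>/dev/null )
}

# 2. Stand-in for the portal: self-sign the CSR so the rest can run offline.
#    In real use, upload usercert_request.pem and save the download as certs.pem.
stub_issue() {                 # $1 = working directory
    openssl x509 -req -in "$1/usercert_request.pem" -days 30 \
        -signkey "$1/userkey.pem" -passin env:TCS_KEY_PASS \
        -out "$1/certs.pem" 2>/dev/null
}

# 3. Confirm the certificate really belongs to the local key by comparing
#    public-key digests, before packaging or installing anything.
cert_matches_key() {           # $1 = working directory
    a=$(openssl x509 -in "$1/certs.pem" -noout -pubkey | openssl dgst -sha256)
    b=$(openssl pkey -in "$1/userkey.pem" -passin env:TCS_KEY_PASS -pubout | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# 4. Package key and certificate for the browser or keychain. "legacy" selects
#    the old 3DES/SHA-1 encoding (OpenSSL 3 only), the equivalent of the portal's
#    "Compatible TripleDES-SHA1" option that the macOS Keychain accepts.
build_p12() {                  # $1 = working directory, $2 = "legacy" (optional)
    legacy=""
    [ "${2:-}" = "legacy" ] && legacy="-legacy"
    openssl pkcs12 -export -inkey "$1/userkey.pem" -passin env:TCS_KEY_PASS \
        -in "$1/certs.pem" -out "$1/certs.p12" -passout env:P12_PASS $legacy
}

# 5. Verify the bundle opens with its password (nothing is extracted).
p12_readable() {               # $1 = working directory
    openssl pkcs12 -in "$1/certs.p12" -passin env:P12_PASS -noout 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_key_and_csr "$d" "Mitt Namn"
    stub_issue "$d"
    cert_matches_key "$d" && build_p12 "$d" && p12_readable "$d" && echo "certs.p12 ready in $d"
}
if [ "${1:-}" = "--run" ]; then demo; fi
```

Run it with --run to exercise the whole path; for a real certificate replace the stub_issue step with the portal download. The "legacy" argument to build_p12 is the OpenSSL 3 counterpart of the portal's "Compatible TripleDES-SHA1" choice, for bundles that the macOS Keychain must import.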

...

  • Yes, the key is always generated on the server side when you use this method. There is no option of uploading a CSR to use a key generated on the client side. This may not be acceptable for users due to policy (not allowed to have the key generated on the server side) or technical reasons (key not exportable from a hardware device). You can upload a CSR when you use the self-service portal.
  • There is also the option of enabling an Access Code, which is a shared secret between you and all users that enables them to get a client certificate as long as they have access to their email. We advise you not to use that: a secret shared by everyone cannot be withdrawn from one person, and anyone who obtains it can get certificates in your organization's name.
  • There is also the possibility to enter a SecretID per user, to enable them to get a client certificate by entering that together with their email address. For occasional client certificates, we do not see the upside of this as compared to the invitation method above, and for bulk issuing we will rely on the self-service portal via SAML as soon as that is ready.


Code Signing Certificates

Since spring 2023, both kinds of code signing certificates (OV and EV) need to have the key generated on and confined to a hardware token (before this, "soft" OV code signing certificates were possible, where you generated the key on a normal computer).

See the GEANT FAQ for general information.

We will update this section when the first Sunet TCS member has shared the experience of using the new interface to order a Code Signing certificate.

Notifications

Under Settings → Email Notifications you can add and edit what notifications the system will send you when certain conditions are met. Use the Add button to have a look at the various Notification Types that are available.

...

Authentication is via login name and password for a RAO or DRAO admin. The customerUri is "sunet".

For semiautomatic API use, for example scripts run by a person on the command line, it is fine to use the normal admin user for that person.

For fully automated API use, we recommend that you create separate RAO or DRAO admins to use with the API instead of reusing the same admins as for web UI work. To create an API-only admin:

  • Use your RAO to create the new admin as you would create a "normal web UI admin", including setting a temporary password. You will not be able to use the API with this temporary password.
  • Login to the new admin in the SCM and perform the mandatory initial password change for it.
  • Back with your original RAO, select the new admin and use the Change Type button to change this user to an API user.

More gotchas we have discovered, so you do not have to discover them too:

  • You may need to enable API calls for your Organization or Department. Select it in the admin interface, use the Certificate Settings button in the information card at the right, select SSL Certificates in the dialog, enable "Enable Web / Rest API" and save.
  • Be aware that the "serverType": -1 in Sectigo's certificate enroll example refers to the "Other" Server Software type, so if you have removed that when cleaning up unused Server Software types, that example will not work.

As inspiration for API use, Fredrik Domeij at UmU LADOK has provided bash scripts to request and retrieve certificates. You find them as ladok-sectigo-bash-2024-02-09.zip.
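A minimal enrollment call with an API-only admin, as an added example that is not from this page, not the UmU/Ladok scripts and not Sectigo's code. It assumes SCM_LOGIN and SCM_PASSWORD are set in the environment; the login, password and customerUri headers are the authentication described above, while the endpoint POST /api/ssl/v1/enroll and its JSON field names are taken from Sectigo's REST API documentation as recalled here, so check them against the current documentation before use. The orgId, certType and SAN values are placeholders.

```shell
#!/bin/sh
# Added example, not from this page, the UmU/Ladok scripts or Sectigo: enroll one
# server certificate through the SCM REST API with the password kept off the
# command line. Assumptions: SCM_LOGIN/SCM_PASSWORD in the environment; the
# /ssl/v1/enroll endpoint and JSON fields as recalled from Sectigo's docs.
set -eu

SCM_BASE="https://cert-manager.com/api"
SCM_CUSTOMER_URI="sunet"        # stated on this page

# JSON body for one certificate. serverType -1 is the "Other" server software
# entry mentioned above; if you deleted it in SCM, use the id of a type you kept.
enroll_body() {                 # $1 = orgId, $2 = certType id, $3 = term (days), $4 = CSR file, $5 = SANs, comma-separated
    # A PEM CSR only needs its newlines escaped to be valid inside a JSON string.
    csr=$(awk '{ printf "%s\\n", $0 }' "$4")
    printf '{"orgId": %s, "csr": "%s", "subjAltNames": "%s", "certType": %s, "numberServers": 1, "serverType": -1, "term": %s, "comments": "enrolled by script"}' \
        "$1" "$csr" "$5" "$2" "$3"
}

# POST to SCM. The three authentication headers go through a curl config read
# from stdin (-K -), so the password never appears in the process list.
# Prints the HTTP status; the response body is written to $2.
scm_post() {                    # $1 = API path, $2 = response file, JSON body on stdin
    body=$(mktemp); cat > "$body"
    printf 'header = "login: %s"\nheader = "password: %s"\nheader = "customerUri: %s"\n' \
        "$SCM_LOGIN" "$SCM_PASSWORD" "$SCM_CUSTOMER_URI" |
    curl -sS -K - -H 'Content-Type: application/json;charset=utf-8' \
        -X POST --data-binary @"$body" -o "$2" -w '%{http_code}' "$SCM_BASE$1"
    rm -f "$body"
}

# Enroll and print the sslId from the response, or fail with the error body.
enroll() {                      # $1 = orgId, $2 = certType id, $3 = term, $4 = CSR file, $5 = SANs
    resp=$(mktemp)
    status=$(enroll_body "$1" "$2" "$3" "$4" "$5" | scm_post /ssl/v1/enroll "$resp")
    if [ "$status" != "200" ]; then
        echo "enroll failed with HTTP $status: $(cat "$resp")" >&2; rm -f "$resp"; return 1
    fi
    # Keep the sslId: it is what later collect/status calls refer to.
    sed -n 's/.*"sslId" *: *\([0-9]*\).*/\1/p' "$resp"
    rm -f "$resp"
}

# Usage (needs network and real credentials):
#   SCM_LOGIN=api-rao SCM_PASSWORD='...' ./enroll.sh 1234 2 365 www.csr "www.example.se,example.se"
if [ $# -eq 5 ]; then enroll "$@"; fi
```

The credentials are read from the environment of a dedicated API admin, so a compromised script host exposes one account whose privileges you can keep to requesting certificates, and the password is not visible in ps or shell history.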

 ACME support

There is support for ACME and some of the test members have started to try that. We will update this section as we get feedback.

...

Do we really need all those certificates in the chain?

No. Your webserver or similar should be fine with only sending the GEANT-branded sub-CA certificate (CN = GEANT OV RSA CA 4 or similar) together with the server certificate. The GEANT sub-CA certificate is signed by a version of CN = USERTrust RSA Certification Authority that is present in modern browser/OS trust stores (this version is self-signed, and does not rely on CN = AAA Certificate Services). Only clients that lack the USERTrust root and trust just AAA Certificate Services need the cross-signed USERTrust certificate in the chain; include it only if you must support such clients, since it makes every handshake larger.

If you need the good version of CN = USERTrust RSA Certification Authority to import into some software (for example newer versions of VMware that do not like the CN = AAA Certificate Services root), you can find it via the link on Sectigo's documentation page Sectigo Chain Hierarchy and Intermediate Roots.
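A check for the chain question above and for the "Where can we check" question that follows, as an added example that is not from this page: it splits a served chain as captured by openssl s_client -showcerts, checks that each certificate is issued by the next one, notes a needlessly included root, and validates the server certificate against a trust anchor you supply. The three-level PKI in make_test_pki is constructed so the check can run offline and is not the GÉANT/USERTrust hierarchy; against a real host you would run fetch_served_chain and pass the USERTrust root as the anchor.

```shell
#!/bin/sh
# Added example, not from the SUNET page: does the server send exactly the chain
# recommended above (server certificate, then the sub-CA), and does it validate?
# Assumptions: OpenSSL 1.1.1 or 3.x; make_test_pki is a constructed stand-in
# for the GEANT/USERTrust hierarchy so the check can run offline.
set -eu

# Save what a live server sends (not run here; needs network).
fetch_served_chain() {         # $1 = hostname, $2 = output file
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null > "$2"
}

# Split a PEM bundle into cert-1.pem (server), cert-2.pem, ... and print the count.
# Text outside BEGIN/END (s_client's "s:/i:" lines) is ignored.
split_chain() {                # $1 = bundle, $2 = output directory
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

dn() {                         # $1 = cert file, $2 = subject or issuer; prints the DN only
    openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"
}

chain_ok() {                   # $1 = PEM bundle as served, $2 = trust anchor (root) PEM
    d=$(mktemp -d)
    n=$(split_chain "$1" "$d")
    [ "$n" -ge 1 ] || { echo "no certificates in $1"; return 1; }
    # Each certificate must be issued by the one after it (TLS sends leaf first).
    i=1
    while [ "$i" -lt "$n" ]; do
        if [ "$(dn "$d/cert-$i.pem" issuer)" != "$(dn "$d/cert-$((i + 1)).pem" subject)" ]; then
            echo "certificate $((i + 1)) is not the issuer of certificate $i"; return 1
        fi
        i=$((i + 1))
    done
    # A self-signed last certificate is a root: clients already have it, so it is wasted bytes.
    if [ "$(dn "$d/cert-$n.pem" subject)" = "$(dn "$d/cert-$n.pem" issuer)" ]; then
        echo "note: certificate $n is self-signed (a root); clients ignore it, you can drop it"
    fi
    untrusted=""
    i=2
    while [ "$i" -le "$n" ]; do untrusted="$untrusted -untrusted $d/cert-$i.pem"; i=$((i + 1)); done
    # Validate the leaf using only the served intermediates and the given anchor
    # (system trust store disabled, so a missing sub-CA cannot be papered over).
    openssl verify -no-CAfile -no-CApath -CAfile "$2" $untrusted "$d/cert-1.pem"
}

# Constructed root -> sub-CA -> server PKI for offline use; not the real hierarchy.
make_test_pki() {              # $1 = directory
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$1/leaf.ext"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -keyout "$1/root.key" \
        -out "$1/root.pem" -subj '/CN=Test Root' -days 30 2>/dev/null
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -keyout "$1/sub.key" \
        -out "$1/sub.csr" -subj '/CN=Test Sub CA' 2>/dev/null
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -days 30 -extfile "$1/ca.ext" -out "$1/sub.pem" 2>/dev/null
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -keyout "$1/srv.key" \
        -out "$1/srv.csr" -subj '/CN=www.example.test' 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/sub.pem" -CAkey "$1/sub.key" -CAcreateserial \
        -days 30 -extfile "$1/leaf.ext" -out "$1/srv.pem" 2>/dev/null
}
```

Against a real host: fetch_served_chain www.example.se chain.txt, then chain_ok chain.txt usertrust-root.pem. A bundle with only the server certificate fails verification (the sub-CA is missing, which is the usual misconfiguration), a bundle in the wrong order is reported as such, and one that ends in a self-signed certificate gets the note about the superfluous root.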

Where can we check if our server sends the correct chain?

...