This is for administrators at SUNET TCS members for the 2020- "Sectigo generation" of the SUNET TCS service.

For the 2015-2020 "DigiCert generation" of the SUNET TCS Service, please see SUNET TCS 2015-2020 FAQ for administrators. End users, please see SUNET TCS documentation at your organization.

Getting help

Help from SUNET TCS

Email tcs@sunet.se after making sure that this document does not contain the answer to your question or a solution to your problem.

Help from Sectigo Support

If instructed by SUNET TCS or this document, contact Sectigo Support using https://sectigo.com/support-ticket with your support question/problem. Unless instructed otherwise, select "SCM Support" as the reason for the ticket. In the description, include a line saying "We are a SUNET member of the GEANT TCS service, using the https://cert-manager.com/customer/sunet SCM instance."

Sectigo Documentation

Sectigo documentation can be found at https://support.sectigo.com/Com_KnowledgeProductPage?c=Sectigo_Certificate_Manager_SCM

Some highlights:

• "SCM - Sectigo® Certificate Manager Quick Start Guide" is a short introduction to the SCM system
• "SCM - Sectigo Certificate Manager Administrator's Guide" is the very much longer description
• "SCM - Sectigo Certificate Manager REST API" describes the REST API

Differences from the DigiCert generation 2015-2020

New vendor, new web interface

Sectigo is the new vendor for TCS instead of DigiCert. We are using their Sectigo Certificate Manager (SCM) instead of DigiCert CertCentral. The rest of this section describes the most important changes you need to understand.

No "division" objects in the new system

There is no concept of divisions in SCM as there was in DigiCert CertCentral.

• SUNET TCS has an instance of SCM at https://cert-manager.com/customer/sunet which is used by all SUNET TCS administrators (at your level and at the SUNET "superuser" level) but not by GEANT TCS members from other countries.
• At the SUNET level, we cannot just create a division for a SUNET TCS member and ask you to create an organization object yourselves with all relevant information, as you did in CertCentral. We have to create an Organization in the system to be able to add you. See below for more practical information on how you join.
• If you need to validate another organization (due to the need to have something different in the O= field of the certificates), that new organization will be "at the same level" as your original organization and there is no division that contains them. You will have acess to both organization due to the fact that we/you will add the same admins for both organizations.

No "User level users"

In DigiCert CertCentral, there were two basic kind of users: "Administrators", who could order/approve certificates, change settings and do other admin level stuff, and "Users" who could only request certificates (but who were nevertheless authenticated by logging into CertCental just like the Administrators).

In the SCM, there are basically only Administrator level users. In fact, the SCM does not talk about users, it talks about admins. That means that you cannot have users logging in to the SCM who can only request certificates. See below under "SSL certificates" for solutions to this.

Departments

The SCM lets you create Departments under Organizations. Just like the Organization name is what goes into the O= of a certificate, the Department name is what goes into the OU= of a certificate. You can use Departments in two ways:

• Just as a tool to sort certificates and get the correct OU= set, but it will still be the Organization's admins doing the approval.
• To delegate approval of certificates to department admins for their department. In most(?) cases that would be combined with registering a subdomain (or a completely difffent domain) and restrict the department to that.

MRAO, RAO, DRAO!

There are three levels of admins in the SCM, all called something with RAO (Registration Authority Officer) in the name:

• MRAO: the "superuser level" for SUNET people that can work with all organizations, departments, domain, certificates, admins, etc.
• RAO: the admin level for working with an organization and the departments, domains, certificates, admins etc that belong to that organization.
• DRAO: the admin level for working with a department, and the domains, certificates, admins etc that belong to that department.

It is a bit more complicated than that: a RAO is connected to one or more organizations, and a DRAO to one or more departments, and there is also the possibility to only have the right for SSL certificates, client certificates and/or code signing certificates. Thus, an admin could be "RAO - SSL Certificates" and "RAO - client certificates" for Organization A, while also being "DRAO - SSL Certificates" for a department belonging to another organization.

The first admin you will get when joining with your organization will be RAO for all certificate types and for your organization.

Getting access to the system

Members of the "Digicert generation" (2015-2020) service

First of all, if you are doing this before 2020-04-16, visit https://doodle.com/poll/6wgkprntgcve4ptb and select one of the three video meetings to participate in. You will be able to get information, ask for clarifications etc. Also, we will be able to "batch" the handling of new organizations and admins to match the meetings to make it less resource intensive.

To get access to the new system, email tcs@sunet.se with a subject line like "TCS2020: organization name" and tell us:

• First name, last name, email and preferred user name for the first admin (RAO) of your organization. That person should be a current Administrator in the DigiCert CertCental system.
• Organization name, adress line, postal code, city and county (län)..

We know that Sectigo uses at least https://www.infobel.com/en/sweden and https://proff.se/ to check address and postal code, so please try to find a record there for your organization and use that address line and postal code if it is not obviously wrong (it's not likely that people will rely on the address information in your OV certificates to send you paper mail...) If you try to use other address/postal code information you risk having your organization validation delayed.

New members

If you have not been a member of the 2015-2020 "DigiCert generation" of the service, you are still welcome to join. SUNET TCS is available to all SUNET customers without extra charge. Contact tcs@sunet.se about membership in the service. Do not send any paper documents before that.

Please note that during the spring of 2020 we are prioritizing bringing the current members over to the new service.