...

Full admin guides (including API documents) can be found at: https://support.sectigo.com/Com_KnowledgeProductPage?c=Admin_Guides&k=&lang=

Details on S/MIME Validation can be found in the attached slideset.

Q: Where can the Sectigo certificate chains be found?

...

Q: What Membership Category is my NREN?

Membership category   NRENs in category
1                     IS, BG, LV, MT, ME, MK, MD, AM
2                     BY, LU, LT, EE, RS, AL, LB, CY, GE
3                     SI, HR, MA, OM, SK, AZ
4                     CZ, HU, RO, IE
5                     DK, GR, FI, PT, IL
6                     NL, CH, BE, SE, TR, AT, PL, NO
7                     ES
8                     DE, UK, FR, IT


NRENs will be able to use the DigiCert platform and issue certificates up to and including the 30th April 2020. After this date, it will be possible to revoke certificates but not add new organisations or issue certificates.

Q: Will it be possible to migrate data to Sectigo?

Yes, you can either:

  • Use the "csv" option in the DigiCert interface to export organisational data, which we can then share with Sectigo.
  • Use the DigiCert API to pull out the data.

Q: Is State mandatory for Sectigo?

For now, State is mandatory, and European users are advised to enter the city as the state; the validation team will correct anything that is wrong.

However, Sectigo is working on implementing the change per your concerns (making the State field not mandatory). There is no ETA at this time, but they have it as a high priority in their backlog.

Q: What are the Support Hours for Sectigo?

Sectigo staffs and operates four support centres globally: North America (Ottawa, Canada and Salt Lake City, Utah), the United Kingdom (Manchester) and India (Chennai). Ticketing, telephone and chat service is available 24x7x365 in English, with multiple-language capability available from the North American facility (Ottawa, Canada).

Once all the NRENs have been fully on-boarded onto the SCM platform and are comfortable using it, we will begin the Premier Support handoff. As of right now, all NREN MRAO admins can only contact support via the channels below. After the on-boarding to Premier Support, all NRENs will need to contact their respective SAM/TAM ("Premier Support Rep") for any concerns they have.

Support Contact Info: https://support.sectigo.com/Com_KnowledgeMainPage

Submitting a Ticket: https://sectigo.com/support-ticket

Q: I am an NREN MRAO, why does my organisation have to be validated? 

Some NRENs are not legal entities and therefore cannot be validated; in that case the MRAO represents the NREN (and not the University, which is a legal entity).

NREN accounts must be tied to an Organization that can be validated if they want to be able to order certificates. If not, Sectigo can still add them; however, the NREN MRAO admin will not be able to place orders for SSL or Code Signing certificates. They can still explore the platform, just not order certificates.

Universities that are added by the NREN MRAO admins and managed by their own Organization admin (not an NREN MRAO) will have an RAO admin only. If the NREN MRAO admin is going to be placing orders, they do not need to be an RAO, but those Organisations must be validated before ordering can be done.

Q: What is the difference between MRAO and RAO?

NREN MRAO Admins Managing Includes:

  • Adding New Organizations
  • Validating New Organization “Triggering OV Anchor”
  • Creating the first RAO admin for new Organizations. If the main RAO admin leaves, the NREN is responsible for creating the next RAO to manage that org if one does not already exist.
  • Training of RAO Admins on how to use SCM platform
  • Handling any Q&A directed to them about how to use SCM
  • Responsible for Premier Support Contact as no RAO/DRAO admins are allowed to contact Premier Support or obtain Premier Support information.

RAO Admin Managing includes:

  • Adding/delegating domains and completing DCV (domain control validation)
  • Adding/delegating admins “RAO or DRAO”
  • Department Creation “If Needed”
  • Notification Creation
  • Discovery Creation
  • Placing orders “SSL/Client Authentication “s/mime”/ Code Signing Certificates”
  • Reports
  • Contacting Support/Validation: if an issue arises, the RAO/DRAO can contact Level 2 support/validation for assistance during normal business hours, Monday to Friday 4am to 8pm EST. If an issue occurs after normal business hours, they can reach out to the NREN MRAO admins to raise a concern with Premier Support.

...

IdP must release the following information for Authentication certificates (attribute, OID, example value, and how it is used):

  • displayName (urn:oid:2.16.840.1.113730.3.1.241), e.g. "Johnny Doe": used for the CN of Authentication certs.
  • cn (urn:oid:2.5.4.3), e.g. "John Doe": fallback for the CN of Authentication certs.
  • sn (urn:oid:2.5.4.4), e.g. "Doe": fallback for the CN of Authentication certs; required for email signing certs (used for the CN).
  • givenName (urn:oid:2.5.4.42), e.g. "John": fallback for the CN of Authentication certs; required for email signing certs (used for the CN).
  • mail (urn:oid:0.9.2342.19200300.100.1.3), e.g. "johndoe@example.edu": required.
  • eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6), e.g. "jd@example.edu": required.
  • eduPersonEntitlement (urn:oid:1.3.6.1.4.1.5923.1.1.1.7), value "urn:mace:terena.org:tcs:personal-user": required.
  • schacHomeOrganization (urn:oid:1.3.6.1.4.1.25178.1.2.9), e.g. "example.edu": required.
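As an added example (not code from this FAQ, GÉANT or Sectigo), the following Python checks a SAML attribute release, keyed by the OIDs listed above, for everything a TCS personal certificate needs and derives the subject CN using the fallbacks the table describes. The dict shape (OID to list of values) and the exact CN fallback order are assumptions; the attribute names, OIDs and entitlement value come from the table.

```python
OID = {  # friendly name -> SAML attribute OID, as listed in the table above
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "cn": "urn:oid:2.5.4.3",
    "sn": "urn:oid:2.5.4.4",
    "givenName": "urn:oid:2.5.4.42",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonEntitlement": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
    "schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}
TCS_PERSONAL = "urn:mace:terena.org:tcs:personal-user"
ALWAYS_REQUIRED = ("mail", "eduPersonPrincipalName", "schacHomeOrganization")


def _first(attrs, name):
    """First non-blank value of the attribute, or None if it was not released."""
    return next((v.strip() for v in attrs.get(OID[name], []) if v.strip()), None)


def check_release(attrs, cert_type="authentication"):
    """Check a SAML attribute release (dict: OID -> list of values) against the
    table above and return the subject CN. Raises ValueError naming every
    missing item, so an IdP operator sees the whole gap in one round trip."""
    missing = [n for n in ALWAYS_REQUIRED if _first(attrs, n) is None]
    if TCS_PERSONAL not in attrs.get(OID["eduPersonEntitlement"], []):
        missing.append("eduPersonEntitlement=" + TCS_PERSONAL)
    given, sn = _first(attrs, "givenName"), _first(attrs, "sn")
    full_name = f"{given} {sn}" if given and sn else None
    if cert_type == "authentication":
        # Assumed CN preference: displayName, then cn, then givenName + sn.
        cn = _first(attrs, "displayName") or _first(attrs, "cn") or full_name
        if cn is None:
            missing.append("displayName, cn or givenName+sn (for the CN)")
    elif cert_type == "email-signing":
        cn = full_name  # email signing certs need givenName and sn for the CN
        if cn is None:
            missing.append("givenName and sn (for the CN)")
    else:
        raise ValueError(f"unknown cert_type {cert_type!r}")
    if missing:
        raise ValueError("IdP release incomplete: " + "; ".join(missing))
    return cn


SAMPLE = {  # constructed sample release, built from the example column above
    OID["displayName"]: ["Johnny Doe"], OID["cn"]: ["John Doe"],
    OID["sn"]: ["Doe"], OID["givenName"]: ["John"],
    OID["mail"]: ["johndoe@example.edu"],
    OID["eduPersonPrincipalName"]: ["jd@example.edu"],
    OID["eduPersonEntitlement"]: [TCS_PERSONAL],
    OID["schacHomeOrganization"]: ["example.edu"],
}
```

Running check_release(SAMPLE) returns "Johnny Doe"; dropping the entitlement from the release raises a ValueError that names it, which is the failure an IdP operator most often sees when a user cannot request a personal certificate.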


Q: What is needed to validate an organisation?

The rules for validation are set by the CA/B Forum and are as follows:

If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant’s address of existence or operation. The CA SHALL verify the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following: 

  1. A government agency in the jurisdiction of the Applicant’s legal creation, existence, or recognition;
  2. A third party database that is periodically updated and considered a Reliable Data Source;
  3. A site visit by the CA or a third party who is acting as an agent for the CA; or
  4. An Attestation Letter.

The CA MAY use the same documentation or communication described in 1 through 4 above to verify both the Applicant’s identity and address. Alternatively, the CA MAY verify the address of the Applicant (but not the identity of the Applicant) using a utility bill, bank statement, credit card statement, government-issued tax document, or other form of identification that the CA determines to be reliable.

For S/MIME certificates, the CA/B forum requires:

  1. Formal name of the Legal Entity;
  2. A registered Assumed Name for the Legal Entity (if included in the Subject);
  3. An organizational unit of the Legal Entity (if included in the Subject);
  4. An address of the Legal Entity (if included in the Subject);
  5. Jurisdiction of Incorporation or Registration of the Legal Entity; and
  6. Unique identifier and type of identifier for the Legal Entity.

Q: Where can I find maintenance and status information for the service?

...

It is currently possible to order Document Signing Certificates on a preconfigured USB token from Sectigo. These can be ordered here: https://www.sectigo.com/ssl-certificates-tls/document-signing-certificates. Participants can use the following discount code, which will only charge you for the token and not the certificate itself: QQY1XB49V9. More information on this process is available in this GUIDE.

Q: Are eIDAS Certificates available via Sectigo?

eIDAS certificates can be ordered via: https://sectigo.com/ssl-certificates-tls/eidas-signing-certificates-for-citizens. There is a charge for these certificates.

Q: How Do I Order OV Code Signing Certificates?

Code Signing Certificates can be ordered directly from Cert Manager. From 8th May 2023 it will only be possible to order code signing certificates that comply with specific HSM standards, or that are supplied directly on a token by Sectigo. More information is available here: https://sectigo.com/knowledge-base/detail/Changes-to-Sectigo-Code-Signing-Offerings/kA03l000000BoIs. Currently supported devices are:

...

If you have a specific device you want to use that is not currently supported, please let the TCS Service Owner know and we can raise it with Sectigo. We STRONGLY recommend that you purchase your own device rather than ordering one from Sectigo, as delivery times cannot be guaranteed and you may be charged additional international shipping / customs charges which are outside of our control.

More information about using your own YubiKey to order a certificate can be found at: https://www.sectigo.com/knowledge-base/detail/Key-Generation-and-Attestation-with-YubiKey/kA03l000000roEV

To order an OV Code Signing certificate on a device configured by Sectigo please order at https://www.sectigo.com/ssl-certificates-tls/code-signing and use discount code 2GE8AFN0T1. 

To order an OV Code Signing certificate on your own device, please order via Cert Manager. 

Q: How Do I Order EV Code Signing Certificates?

Similarly to document signing certificates, EV Code Signing Certificates need to be provided on a preconfigured USB token from Sectigo. These can be ordered here: https://www.sectigo.com/ssl-certificates-tls/code-signing using discount code 3GE5YPN6T8. More information on this process is available in this GUIDE.

Q: How do I create an EV Anchor?

...

These can be reported following the information at: https://sectigo.com/support/report-abuse

Q: What are the names of the grid certificates in Sectigo?

For the grid products, the mapping is:

Grid Host SSL     -> GEANT IGTF Multi Domain
Grid Premium      -> GEANT IGTF-MICS Personal RSA
Grid Robot Email  -> GEANT IGTF-Classic Robot Email RSA
Grid Robot Name   -> GEANT IGTF-MICS Robot Personal RSA

Q: My Code Signing request is stuck in applied status?

...

Yes. Due to slight differences in the industry requirements, the set of 'authentic information sources' that Sectigo has to use for organisation validation is different: whereas for SSL validation an independent information source may be used, for S/MIME only government agency sources and Legal Entity Identifier (LEI) data references are allowed. This means Sectigo has to re-validate the organisation. This is not triggered automatically; it needs to be requested by an MRAO. We strongly recommend that you DO NOT SELECT TO REVALIDATE AN ORGANISATION, as this will block the ability to issue SSL certificates as well. Instead, choose to edit the organisation and enter an organisational identifier in the new relevant field; this is typically a VAT number or equivalent. If you do not have this, enter FIXME in the field and the validation team will attempt to find the correct number.

Q: Is GÉANT looking at the impact of the changing / volatile certificate market?

Yes, we have prepared a briefing paper for NRENs and will be undertaking a series of information gathering and discussion workshops in 2024.