TCS 2020 FAQ

INFOSHARE SLIDES 

Q  = Question.   R = Recommendation

Q: Will we still have access to the DigiCert portal after 30th April 2020?

A: Based on the contract between GÉANT and DigiCert, "upon termination, DigiCert shall provide entities operating under the GÉANT Association Ac-count with a Transition Period during which DigiCert shall continue to support the GÉANT Association Account, the NREN Accounts, and each Participant’s account, including continued use of DigiCert’s Certificate revocation services. However, Participants and NRENs may not order any new Certificates during the Transition Period. DigiCert shall continue to provide revocation services for the Certificates until all Certificates issued under this Agreement expire." You and your members will be able to order DigiCert certificates until 30 April and they will remain valid until their expiration date, will have access to the portal to see your existing certificates and receive notifications, but will not be able to order new certificates.

Q: Where can I find documentation for Sectigo?

A quick start guide can be found at: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l000000vFnd

MRAO guide: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000bvJA

Full admin guides (including API documents) can be found at: https://support.sectigo.com/Com_KnowledgeProductPageSectigo?c=Admin_Guides&k=&lang=.

Q: When will the new certificate chains for the Sectigo supplier be available?

The certificates can be found at: https://crt.sh/?CAName=%25GEANT+Vereniging%25. 

Q: What Membership Category is  my NREN?

Q: What is the last day we can use the DigiCert platform?

NRENs will be able to use the DigiCert platform and issue certificates up to and including the 30th April 2020. After this date, it will be possible to revoke certificates but not add new organisations or issue certificates.

Q: Will it be possible to migrate data to Sectigo?

Yes, you can either:

• Use the "csv" option in the DigiCert interface to pull out organisational data and we can share this with Sectigo.
• use the DigiCert API to pull out data.

Q: Is State mandatory for Sectigo?

For now, State is mandatory and the European users are advised to out the city as the state and the validation team will correct anything that is wrong. 

However, Sectigo is working on implementing the change per your concerns (to make State field not mandatory). No ETA at this time, but they have it as a High priority in their backlog. 

Q: What are the Support Hours for Sectigo?

Sectigo staffs and operates 4 support centres globally in North America (Ottawa, Canada and Salt Lake City, Utah), United Kingdom (Manchester) and India (Chennai) respectively. Ticketing, telephone and chat service is available 365x7x24 in the English language, with multiple language capability available from our North American facility (Ottawa, Canada). 

Once all the NREN’S have been fully on-boarded onto SCM platform and are ok with how to use platform we will then begin the Premier Support Handoff.  As of right now all NREN “MRAO” admins can only contact support via the following below. After the on-boarding to Premier Support all NREN’s will then need to utilize contacting their respected SAM/TAM “Premier Support Rep” for any concerns they have.

Support Contact Info: https://support.sectigo.com/Com_KnowledgeMainPage

Submitting a Ticket: https://sectigo.com/support-ticket

Q: I am an NREN MRAO, why does my organisation have to be validated? 

Some NRENs are not legal entities and therefore cannot be validated, but the MRAO is representing the NREN (and not the University, which is a legal entity). 

The NREN Accounts must be tied to an Organization that can be validated if they want to be able to order certificates. If not, Sectigo can add them however, the NREN MRAO Admin will not be able to place orders for SSL or Code Signing Certificates. They can still play with the platform just not order certificates.

For those Universities that will be added by the NREN MRAO admins and will be managed by the Organization admin not an NREN MRAO then they will be a RAO admin Only. If the NREN MRAO Admin is going to be placing order they do not need to be an RAO and those Organisations must be validated before ordering can be done.

Q: What is the difference between MRAO and RAO?

NREN MRAO Admins Managing Includes:

• Adding New Organizations
• Validating New Organization “Triggering OV Anchor”
• Creating the first RAO Admin for New Organizations > If an RAO “the main rao” admin leaves the “NREN” is then responsible for creating the next RAO responsible for managing that org if one does not exist already
• Training of RAO Admins on how to use SCM platform
• Handling any Q&A directed to them about how to use SCM
• Responsible for Premier Support Contact as no RAO/DRAO admins are allowed to contact Premier Support or obtain Premier Support information.

RAO Admin Managing includes:

• Adding/delegating/dcv domains
• Adding/delegating admins “RAO or DRAO”
• Department Creation “If Needed”
• Notification Creation
• Discovery Creation
• Placing orders “SSL/Client Authentication “s/mime”/ Code Signing Certificates”
• Reports
• Contacting Support/Validation:  If an issue arises the RAO/DRAO can contact Level 2 support/validation for assistance during normal business hours Monday – Friday 4am – 8pm EST.  *If an issue occurs after normal business hours they can reach out to the NREN “MRAO” admins to raise a concern with Premier support.

Q: Can Sectigo login to the MRAO accounts?

Support along with the Onboarding Team Members have the access to login as any MRAO in the system. The process is only used to support a MRAO who has questions regarding SCM or Support/Validation Related issues. In the process any of Sectigo staff needing to login as a MRAO they will notify the MRAO who asked for support or if we deem something is wrong they may just login as prior to responding.  

Q: How do I enable SAML?

To enable SAML for admin access to SCM:

• Step 1: If you do not see the "your institution" button on the home page, please set up an IdP Template: under “admin” in cert-manager please select “add template” and then tick the RAO Admin - SSL and the organisation box below that.
• Step 2: make sure that the Sectigo SP is imported in your federation: the entityID is https://cert-manager.com/shibboleth, you can also check https://met.refeds.org/met/search_service/?entityid=cert-manager.com.
• Step 3: check that all the needed attributes are correctly released at the following URL: http://cert-manager.com/customer/<YOURID>/ssocheck/
• Step 4: in the SCM enter the ePPN of the admin you want enable in the "IdP Person ID" field.

To use SAML "self-enrollment" for server certificates (allows users outside of SCM admin to request server certificates):

• Step 1: go to Settings>Organizations>select organization.
• Edit the organization and select the SSL certficates tab.
• Select "self enrollment using SAML". This will provide you with a unique url that can be shared with users.
• The token string used in the url can be changed by administrators if issues occur.

To use SAML in order to allow users to order client certificates:

• https://cert-manager.com/customer/[YOURNREN]/idp/clientgeant.
• Configure your IdP correctly for Sectigo. See below.
• Edit your organization in SCM (Settings>Organizations>select) and set "Academic code (SCHAC Home Organization)" to the same value as your IdP sends for schacHomeOrganization. It will typically be your main domain, but confirm this with your IdP admins.
  
• Edit your organization object and set "Secondary Organization Name" to the name used in grid certificates (ASCII). Please check existing certificates. As grid certificate subjects are used as "usernames" in systems, it is vital that the whole subject string is kept as it was before for your users.
  

IdP must release the following information:

Q: What is needed to validate an organisation?

The rules for validation are set by the CA/B Forum.   The rules are as follows:

If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant’s address of existence or operation. The CA SHALL verify the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following: 
1.A government agency in the jurisdiction of the Applicant’s legal creation, existence, or recognition;
2.A third party database that is periodically updated and considered a Reliable Data Source; 
3.A site visit by the CA or a third party who is acting as an agent for the CA; or
4.An Attestation Letter.

The CA MAY use the same documentation or communication described in 1 through 4 above to verify both the Applicant’s identity and address. Alternatively, the CA MAY verify the address of the Applicant (but not the identity of the Applicant) using a utility bill, bank statement, credit card statement, government-issued tax document, or other form of identification that the CA determines to be reliable.

Q: Where can I find maintenance and status information for the service?

For Sectigo Cert Manager: https://sectigo.status.io/pages/5938a0dbef3e6af26b001921.

For the Seamless Access SAML discovery service: https://status.seamlessaccess.org/.

R: Use of OV vs Multi-domain OV

When a TCS member orders a GÉANT OV SSL certificate in Cert Manager for a name, such as mail.sample.example.org, in the Subject Alternative Names, they get a correct entry for DNS:mail.sample.example.org but they also get DNS:www.mail.sample.example.org. I have confirmed this by looking at issued certificates in our SCM instance.  We recommend ordering GÉANT OV Multi-Domain for the time being instead of GÉANT OV SSL.    This issue has been raised with the supplier.