The TCS Service offers services in multiple trust categories: public (web) server SSL, S/MIME email, and client "TCS Authentication" ('IGTF') private trust. Corresponding to these categories there are several (self-signed) trust anchors and intermediate 'issuing' authorities. Ensure that all relevant trust anchors are installed for your services to support the intended use case. Specifically, if your application relies on client authentication after August 28, 2023, install the "Research and Education Trust" roots, as well as the client "TCS Authentication" issuing authorities.

TCS Private Trust Anchors after August 28, 2023

Due to changes in the industry standards (CA/Browser Forum), dedicated client authentication certificates will be introduced by TCS by mid-August 2023. These are issued from a private trust hierarchy ("Research and Education Trust") and cannot be used for digitally signing emails ("S/MIME").

At the same time, the subject naming of email signing "S/MIME" certificates will change significantly - you cannot and must not rely on subject name uniqueness for these email signing certificates, and they must not be used for authentication purposes.

Make sure to install the "Research and Education Trust" roots, and (depending on the application) also the "GEANT TCS Authentication (RSA|ECC) CA 4B" on the server-side to continue supporting client authentication!
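A check for the requirement above, as an added example that is not part of the original page or of any TCS tooling: it builds a server-side context that requires client certificates and reports which of the anchors named in the tables on this page are absent from the loaded CA bundle. The helper names and the bundle filename `client-ca-bundle.pem` are assumptions.

```python
import ssl

# Common names copied from the tables on this page.
REQUIRED_ROOTS = {
    "Research and Education Trust RSA Root CA",
    "Research and Education Trust ECC Root CA",
}
AUTH_ISSUERS = {  # needed "depending on the application"
    "GEANT TCS Authentication RSA CA 4B",
    "GEANT TCS Authentication ECC CA 4B",
}


def common_name(cert):
    """Subject CN of a cert dict in SSLContext.get_ca_certs() format."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def client_auth_context(ca_bundle=None):
    """Server context that demands a client certificate (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:
        # PEM file holding the roots and, if needed, the issuing CAs.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def audit_anchors(ca_certs):
    """Report which anchors from this page are missing from the loaded CAs."""
    loaded = {common_name(c) for c in ca_certs}
    return {
        "missing_roots": sorted(REQUIRED_ROOTS - loaded),
        "missing_issuers": sorted(AUTH_ISSUERS - loaded),
    }


if __name__ == "__main__":
    # Constructed sample in get_ca_certs() format: only the RSA root is loaded.
    sample = [{"subject": ((("commonName",
                             "Research and Education Trust RSA Root CA"),),)}]
    print(audit_anchors(sample))
    # Real bundle (assumed filename):
    # audit_anchors(client_auth_context("client-ca-bundle.pem").get_ca_certs())
```

Matching on common name only shows that a certificate with that name is loaded; compare fingerprints against the published certificates before trusting a bundle.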

Public Trust Roots

| Trust anchor name | Key technology | Certificate | CRL Distribution Point | meta-data | Trust purposes |
|---|---|---|---|---|---|
| USERTrust RSA Certification Authority | RSA4096/SHA384 | https://crt.sh/?id=1199354 | http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl | info-file | any |
| USERTrust ECC Certification Authority | ECC P384/SHA384 | https://crt.sh/?id=2841410 | http://crl.usertrust.com/USERTrustECCCertificationAuthority.crl | info-file | any |

Public Intermediate (issuing) Authority certificates

| Trust anchor name | Key technology | Certificate | CRL Distribution Point | meta-data | Trust purposes |
|---|---|---|---|---|---|
| GEANT OV RSA CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475254782 | http://geant.crl.sectigo.com/GEANTOVRSACA4.crl | | CABF BR |
| GEANT OV ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475254970 | http://geant.crl.sectigo.com/GEANTOVECCCA4.crl | | CABF BR |
| GEANT EV RSA CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475254991 | http://geant.crl.sectigo.com/GEANTEVRSACA4.crl | | CABF EV |
| GEANT EV ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475254963 | http://geant.crl.sectigo.com/GEANTEVECCCA4.crl | | CABF EV |
| GEANT eScience SSL CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475254968 | http://geant.crl.sectigo.com/GEANTeScienceSSLCA4.crl | info-file | CABF BR, IGTF |
| GEANT eScience SSL ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475255001 | http://geant.crl.sectigo.com/GEANTeScienceSSLECCCA4.crl | info-file | CABF BR, IGTF |
| GEANT Personal CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475255043 | http://geant.crl.sectigo.com/GEANTPersonalCA4.crl | | CABF SMIME |
| GEANT Personal ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475254903 | http://geant.crl.sectigo.com/GEANTPersonalECCCA4.crl | | CABF SMIME |
| GEANT eScience Personal CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475253350 | http://geant.crl.sectigo.com/GEANTeSciencePersonalCA4.crl | info-file | CABF SMIME**, IGTF |
| GEANT eScience Personal ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475254888 | http://geant.crl.sectigo.com/GEANTeSciencePersonalECCCA4.crl | info-file | CABF SMIME**, IGTF |
| GEANT Code Signing CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475254247 | | | Oracle Java, MS apps |

** Client certificates from this issuing CA will be issued only until August 28th, 2023. Certificates will remain valid until their stated validUntil date, which is 395 days after issuance. No new certificates from this profile can be ordered after the sunset date. Move to the Private Authentication Intermediate (issuing) Authority profiles after this date.

Private Research and Education Trust Roots

Installing these roots is required for use of the Private Authentication Intermediate (issuing) Authority certificates!

| Trust anchor name | Key technology | Certificate | CRL Distribution Point | meta-data | Trust purposes |
|---|---|---|---|---|---|
| Research and Education Trust RSA Root CA | RSA4096/SHA384 | ResearchandEducationTrustRSARootCA.crt (PEM) | http://crl.enterprise.sectigo.com/ResearchandEducationTrustRSARootCA.crl | info-file | IGTF, Client Authentication |
| Research and Education Trust ECC Root CA | P-384/SHA384 | ResearchandEducationTrustECCRootCA.crt (PEM) | http://crl.enterprise.sectigo.com/ResearchandEducationTrustECCRootCA.crl | info-file | IGTF, Client Authentication |

Private Authentication Intermediate (issuing) Authority certificates

Installation of the corresponding Private Research and Education Trust Roots is required for these issuing intermediates to be trusted in your application!

| Trust anchor name | Key technology | Certificate | CRL Distribution Point | meta-data | Trust purposes |
|---|---|---|---|---|---|
| GEANT TCS Authentication RSA CA 4B | RSA4096/SHA384 | ca_GEANTTCSAuthenticationRSACA4B.crt (PEM) | http://crl.enterprise.sectigo.com/GEANTTCSAuthenticationRSACA4B.crl | info-file | IGTF, Client Authentication |
| GEANT TCS Authentication ECC CA 4B | P-384/SHA384 | ca_GEANTTCSAuthenticationECCCA4B.crt (PEM) | http://crl.enterprise.sectigo.com/GEANTTCSAuthenticationECCCA4B.crl | info-file | IGTF, Client Authentication |