1. Server Certificates

Unlimited server certificates should be offered to members under this agreement. A maximum cap on the number of organisations supported per service year may be agreed with GÉANT, after which additional costs may be incurred.

- Must support issuance of an unlimited number of domain validated (DV) server certificates.
- Must support issuance of an unlimited number of organisation validated (OV) certificates.
- Root certificates must be accepted by the majority of browsers, platforms and software, including as a minimum Chrome, Mozilla, Apple, Oracle, Microsoft and Android (Google Trust Program).
- Must offer ECC and RSA key algorithms.
- Must offer support for multi-domain and wildcard certificates.
- Must support requesting certificates via ACME with full External Account Binding (EAB), allowing differentiated sets of domains to be managed via different ACME credentials, and the ability to create multiple ACME accounts and assign them rights to use only certain domains, subdomains or subdomain hierarchies (using wildcards).
- Must show a development path for subscribers to efficiently manage domain validations when data reuse periods are reduced (as per CA/B Forum SC081v3).
- Must be able to support all appropriate organisation validation modes allowed by the CA/B Forum and be able to work with the national processes in all GÉANT member states (including organisations that do not have a chamber of commerce).

Open scored questions:

- Please explain how you currently deliver ACME integration within your platform.
- Please explain the validation process for organisations and demonstrate how this process is managed across all of the geographical locations of the GÉANT membership.
- Please explain the key lengths that will be supported within the contract.
- Please describe how you will approach the shift to post-quantum cryptography (PQC) and what impact this may have on service delivery during this contract period.
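The ACME account-scoping requirement above (separate EAB-bound accounts that may only order certificates for certain domains, subdomains or whole subdomain hierarchies) is easiest to reason about as an authorisation check applied to every `newOrder`. The following is an added example written for this page, not GÉANT's requirement text or any CA's implementation. The pattern syntax (a bare name for an exact match, `*.zone` for one level of children, a leading-dot `.zone` for the whole hierarchy), the account identifiers and the sample orders are all assumptions constructed for the example.

```python
"""Per-account domain scoping for ACME issuance, as a policy check.

Added example, not GÉANT's or any CA's code. It models ACME accounts
(bound to a subscriber via External Account Binding) that are restricted
to specific domains, subdomains or whole subdomain hierarchies.
Pattern syntax is an assumption made for this example:
  "host.example.org"  exact name only
  "*.example.org"     any single-label child (www.example.org, not a.b.example.org)
  ".example.org"      the whole hierarchy: example.org and every name beneath it
"""
from __future__ import annotations

from dataclasses import dataclass


def normalize(name: str) -> str:
    """Lower-case a DNS name, drop a trailing dot, reject malformed labels.

    A wildcard label is accepted only as the leftmost label, as in a SAN.
    """
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or any(not lbl for lbl in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    if "*" in name and (labels[0] != "*" or len(labels) < 2
                        or any("*" in lbl for lbl in labels[1:])):
        raise ValueError(f"wildcard only permitted as the leftmost label: {name!r}")
    return name


def _is_subdomain(name: str, zone: str) -> bool:
    """True if name equals zone or sits anywhere beneath it (label-aligned)."""
    return name == zone or name.endswith("." + zone)


def pattern_allows(pattern: str, identifier: str) -> bool:
    """Decide whether one scope pattern covers one requested SAN.

    A wildcard identifier ("*.lab.example.org") is only allowed when the
    scope covers the entire hierarchy that wildcard would cover.
    """
    pattern = pattern.strip().lower()
    identifier = normalize(identifier)

    if pattern.startswith("."):                 # hierarchy scope
        zone = normalize(pattern[1:])
        base = identifier[2:] if identifier.startswith("*.") else identifier
        return _is_subdomain(base, zone)

    pattern = normalize(pattern)
    if pattern.startswith("*."):                # single-level scope
        if identifier.startswith("*."):         # wildcard request needs the identical scope
            return identifier == pattern
        _, _, rest = identifier.partition(".")  # exactly one label in front of the parent
        return rest == pattern[2:]

    return pattern == identifier                # exact scope


@dataclass(frozen=True)
class AccountScope:
    account_id: str            # ACME account, bound to the subscriber via EAB
    patterns: tuple[str, ...]  # domains this account may order for


def authorize_order(scope: AccountScope, identifiers: list[str]) -> tuple[bool, list[str]]:
    """Return (allowed, denied_identifiers) for an ACME newOrder request.

    Every identifier must be covered by at least one pattern; the order is
    refused as a whole if any is not, rather than silently trimming SANs.
    """
    denied = [ident for ident in identifiers
              if not any(pattern_allows(p, ident) for p in scope.patterns)]
    return (not denied, denied)


# Constructed sample: one organisation, two ACME accounts with different rights.
WEB_TEAM = AccountScope("acct-web-01", ("www.example.org", "*.web.example.org"))
LAB_TEAM = AccountScope("acct-lab-01", (".lab.example.org",))


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Run a few representative orders through both scopes."""
    return {
        "web-ok": authorize_order(WEB_TEAM, ["www.example.org", "cms.web.example.org"]),
        "web-deep": authorize_order(WEB_TEAM, ["a.b.web.example.org"]),
        "web-wild": authorize_order(WEB_TEAM, ["*.web.example.org"]),
        "lab-wild": authorize_order(LAB_TEAM, ["*.gpu.lab.example.org", "lab.example.org"]),
        "lab-escape": authorize_order(LAB_TEAM, ["lab.example.org.other.test"]),
    }


if __name__ == "__main__":
    for case, (ok, denied) in demo().items():
        print(f"{case:10s} allowed={ok} denied={denied}")
```

The suffix check is label-aligned (`"." + zone`), so `lab.example.org.other.test` is not treated as part of `lab.example.org`, and a single-level scope never covers the apex or deeper names; both are the mistakes a reviewer would look for in a scoping implementation.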
2. Email and Client Certificates

Unlimited email and client certificates should be offered to members under this agreement. A maximum cap on the number of organisations supported per service year may be agreed with GÉANT, after which additional costs may be incurred.

- Must support Email-only, OV and (IV+OV) S/MIME certificates.
- Must support client certificates that meet the defined GÉANT Personal Authentication, Personal Automated Authentication and Organization Automated Authentication profiles, including the appropriate sub-CA infrastructure and private roots as described in the TCS practice statement (TCS Repository 2025), and support for a GÉANT intermediary authority for these certificate profiles.
3. IGTF server certificates

Unlimited IGTF server certificates (as per IGTF and CA/B Forum OV public trust) should be offered to members under this agreement. A maximum cap per service year may be agreed with GÉANT, after which additional costs may be incurred.

- Support for a GÉANT intermediary authority for these certificate profiles.
- Must support IGTF-compliant server certificates as described in the TCS practice statements (TCS Repository 2025), including the sub-CA infrastructure. Particular attention should be paid to the ASCIIfication requirements for these profiles.
- Must support issuing IGTF certificates via ACME.
- Must support effective management of diacritics in certificates.
4. Private CAs

- Ability to offer private Research and Education Trust Roots and a mechanism for setting up and costing such roots for different use cases.
5. Process for purchasing other certificates at favourable rates

- Members have the option to order other certificate types directly from the Service Provider at favourable cost; a set price list should be agreed with GÉANT and should not require the revalidation of information already available within the service.

Open scored questions:

- Please explain which certificates can be included (e.g. code signing and document signing), how you will be able to offer these certificates to organisations, any additional validation steps needed and delivery models (e.g. key attestation), and provide pricing models and a clear process for how these will be purchased (e.g. NREN bundles, direct purchase, etc.).
6. Management Interface

- Interface for ordering and managing certificates with differentiated user groups and permission sets per organisation.
- Must support a hierarchical arrangement with NRENs supporting organisations supporting end-users.
- NRENs must have the ability to create, update and disable users and administrators.
- NRENs must have the ability to set a minimum key strength based on appropriate algorithms.
- Must support the use of departments within organisations with differentiated administrative rights.
- Login must support SAML authentication and accept SAML assertions from NRENs for identity vetting where this is a certificate requirement. Administrator-level functionality in the Management Interface must be protected with Multi-Factor Authentication, except when using API Keys for API access.
- Interface should support ordering requests directly from end-users, with separated authorisation processes for administrators where appropriate.
- Interface should be able to manage diacritics and other language localisation issues effectively.

Open scored questions:

- Please describe your current management interface for the service and how it will meet the minimum requirements set out in section X. This should include the support available for SAML login (e.g. whether the management interface can accept an MFA assertion for SAML-based logins and bypass the local MFA requirement for these logins, what attributes are used to support authorisation, and how identity vetting via SAML is managed).
7. Management API

- Ability for members to request and issue certificates via an API, including:
  - usage statistics, reporting and certificate issuance data
  - management of organisations
  - advanced certificate lifecycle functions
  - management of domain validations
  - management of domains

Open scored questions:

- Please provide the documentation describing how your current API works and the features available.
8. Reporting

- Service must be able to manage a hierarchical relationship from GÉANT to NREN Partners to NREN customers, with a minimum requirement of providing regular statistics on service usage to GÉANT and the NREN in an automated fashion.

Open scored questions:

- Please describe how statistical information will be provided to GÉANT and its membership.
9. Bug Fixes and Service Development

- Service must have a clear path for proposing bug fixes and work with GÉANT on managed releases to address bug fixes.
- Service should suggest a clear development path for any features that currently do not meet the minimum technical requirements and a roadmap to work with GÉANT on those requirements.

Open scored questions:

- Please explain how you expect to manage bug fixes and service development requests from GÉANT and its membership, and any additional costs that might be related to this development.
10. General Requirements

- CA must be a member of the CA/B Forum and be committed to following and staying in line with relevant industry standards, including CA/B Forum requirements.
- EU-acceptable terms and conditions / contracts that are at a minimum compliant with EU security and privacy legislation.
- All root and intermediate certificates issued by the service within the contract period should remain valid for the validity period assigned at certificate issuance unless revoked by the certificate owner (revocations in accordance with the CA/B Forum requirements notwithstanding).
- Support for public CT logs and CRL.
- Service to be made available to all NREN subscribers that are GÉANT Association members (see scope).
- Training, including additional support for understanding automation processes.
- A support desk with relevant SLAs must be provided to answer queries and support cases from members of the service.
- The root or intermediate certs required for public WebPKI trust and recognition in the root programmes for all platforms (Win, Linux, Android, iOS etc.) MUST NOT depend on cross-signed certs from any other provider to attain such recognition. All platforms (Win, Linux, Android, iOS etc.) MUST be able to use the same chains.

Open scored questions:

- Please describe the customer-facing support systems (along with planned procedures designed to deal with reporting and scheduled maintenance) available to GÉANT and its Members. Bidders must provide a single point of contact (one phone number, one e-mail address) for all operational and technical issues. A response must show:
  - How you will be providing full end-user support or escalation through the customer help desk during normal European business hours.
  - If the offered service provides a written user guide in English.
  - How you provide a training programme for NREN staff members as an induction and as an ongoing programme for new NRENs and staff.
  - How you provide and manage a helpdesk for existing and potential TCS members.
  - What service levels are associated with the support services you will offer (reporting intervals, time taken to respond to registration requests, hours and availability of the support desk, availability and access to online support systems, etc.) and what service credits will be applicable when your proposed service levels are not met.
  - If and how you continuously perform maintenance and support of the offered service.
  - How you manage notifications to customers and GÉANT, and the timeframe for announcing changes to the system.