A: Based on the contract between GÉANT and DigiCert, "upon termination, DigiCert shall provide entities operating under the GÉANT Association Account with a Transition Period during which DigiCert shall continue to support the GÉANT Association Account, the NREN Accounts, and each Participant’s account, including continued use of DigiCert’s Certificate revocation services. However, Participants and NRENs may not order any new Certificates during the Transition Period. DigiCert shall continue to provide revocation services for the Certificates until all Certificates issued under this Agreement expire." You and your members will be able to order DigiCert certificates until 30 April, and they will remain valid until their expiration date. After that you will have access to the portal to see your existing certificates and receive notifications, but will not be able to order new certificates.
A quick start guide can be found at: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l000000vFnd
MRAO guide: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000bvJA
Full admin guides (including API documents) can be found at: https://support.sectigo.com/Com_KnowledgeProductPage?c=Admin_Guides&k=&lang=
The certificates can be found at: https://crt.sh/?CAName=%25GEANT+Vereniging%25.
| Membership category | NRENs in category |
|---|---|
| 1 | IS, BG, LV, MT, ME, MK, MD, AM |
| 2 | BY, LU, LT, EE, RS, AL, LB, CY, GE |
| 3 | SI, HR, MA, OM, SK, AZ |
| 4 | CZ, HU, RO, IE |
| 5 | DK, GR, FI, PT, IL |
| 6 | NL, CH, BE, SE, TR, AT, PL, NO |
| 8 | DE, UK, FR, IT |
NRENs will be able to use the DigiCert platform and issue certificates up to and including the 30th April 2020. After this date, it will be possible to revoke certificates but not add new organisations or issue certificates.
Yes, you can either:
For now, State is mandatory, and European users are advised to put the city as the state; the validation team will correct anything that is wrong.
However, Sectigo is working on implementing the change per your concerns (to make State field not mandatory). No ETA at this time, but they have it as a High priority in their backlog.
Sectigo staffs and operates 4 support centres globally in North America (Ottawa, Canada and Salt Lake City, Utah), United Kingdom (Manchester) and India (Chennai) respectively. Ticketing, telephone and chat service is available 365x7x24 in the English language, with multiple language capability available from our North American facility (Ottawa, Canada).
Once all the NRENs have been fully on-boarded onto the SCM platform and are OK with how to use the platform, we will then begin the Premier Support Handoff. As of right now, all NREN “MRAO” admins can only contact support via the links below. After the on-boarding to Premier Support, all NRENs will then need to contact their respective SAM/TAM “Premier Support Rep” for any concerns they have.
Support Contact Info: https://support.sectigo.com/Com_KnowledgeMainPage
Submitting a Ticket: https://sectigo.com/support-ticket
Some NRENs are not legal entities and therefore cannot be validated, but the MRAO is representing the NREN (and not the University, which is a legal entity).
The NREN Accounts must be tied to an Organization that can be validated if they want to be able to order certificates. If not, Sectigo can add them; however, the NREN MRAO Admin will not be able to place orders for SSL or Code Signing Certificates. They can still play with the platform, just not order certificates.
For those Universities that will be added by the NREN MRAO admins and will be managed by the Organization admin, not an NREN MRAO, the admin will be an RAO admin only. If the NREN MRAO Admin is going to be placing orders, they do not need to be an RAO, and those Organisations must be validated before ordering can be done.
NREN MRAO Admins Managing Includes:
RAO Admin Managing includes:
Support, along with the Onboarding Team members, has access to log in as any MRAO in the system. The process is only used to support an MRAO who has questions regarding SCM or Support/Validation-related issues. When any Sectigo staff member needs to log in as an MRAO, they will notify the MRAO who asked for support or, if we deem something is wrong, they may just log in prior to responding.
You MUST be a member of eduGAIN to use SAML for the Sectigo Certificate Manager.
IdP must release the following information:
|Johnny Doe||USED for CN.|
|John Doe||fallback for CN.|
|Doe||fallback for CN.|
|John||fallback for CN.|
The rules for validation are set by the CA/B Forum. The rules are as follows:
If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant’s address of existence or operation. The CA SHALL verify the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following:
The CA MAY use the same documentation or communication described in 1 through 4 above to verify both the Applicant’s identity and address. Alternatively, the CA MAY verify the address of the Applicant (but not the identity of the Applicant) using a utility bill, bank statement, credit card statement, government-issued tax document, or other form of identification that the CA determines to be reliable.
For Sectigo Cert Manager: https://sectigo.status.io/pages/5938a0dbef3e6af26b001921.
For the Seamless Access SAML discovery service: https://status.seamlessaccess.org/.
Some of you may have noticed that the chain certificates we get from Sectigo contain a certificate at the top with CN = AddTrust External CA Root and an expiration on 2020-05-30. For an explanation of why this should not cause problems for you, please see "Sectigo AddTrust External CA Root Expiring May 30, 2020" on the Sectigo site.
You may also notice that the next level down in the chain is CN = USERTrust RSA Certification Authority, which also expires on 2020-05-30, and that is the certificate that has signed the CN = GEANT OV RSA CA 4 certificate that in turn has signed the SSL certificate for your server. That also seems bad, doesn't it? It turns out that certificate is there to support the CN = AddTrust External CA Root "feature" and that there is another version of CN = AddTrust External CA Root present in the root store of the browsers (using the same key) which is valid until 2038-01-18, and that is the one that matters and makes the browser trust the GEANT-branded CA certificate and therefore your server certificate.
The conclusion is that things will work after 2020-05-30 too.
No. You should be fine with only the GEANT-branded sub-CA certificate (CN = GEANT OV RSA CA 4 or similar) configured as chain certificate in your server.
We recommend Qualys SSL Server Test, which tests this and a lot of other useful things (most of them related to your server configuration, not the certificates as such). For the chain specifically, look at the "Chain issues" heading where you want to see "None" (if you have trimmed the unnecessary certificates from the chain) or "Contains anchor" (if you have kept the full set).
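The chain behaviour described above can be reproduced offline with OpenSSL. This is an added example, not part of the original FAQ or of Sectigo's material: all names, keys and certificates are constructed, with a one-day cross-signed certificate standing in for the copy that expires on 2020-05-30 and a ten-year self-signed certificate on the same key standing in for the copy in the root store. It assumes OpenSSL 1.1.0 or later, and its last check (a client that trusts only the old root) goes beyond what the FAQ covers.

```shell
#!/bin/sh
# Constructed demo PKI: every name, key and certificate here is generated locally.

# csr NAME CN: new key NAME.key and certificate request NAME.csr
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# selfsign NAME DAYS: self-signed CA certificate NAME.pem from NAME.csr
selfsign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile ca.ext \
    -days "$2" -out "$1.pem" 2>/dev/null
}

# sign REQ ISSUER DAYS OUT [options]: OUT.pem issued by ISSUER for REQ.csr
sign() {
  req=$1 ca=$2 days=$3 out=$4; shift 4
  openssl x509 -req -in "$req.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days "$days" -out "$out.pem" "$@" 2>/dev/null
}

# build_demo_pki DIR: old root, new root (self-signed and cross-signed by the
# old root for one day only), issuing CA under the new root key, server leaf.
build_demo_pki() {
  cd "$1" || return 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  csr old "Constructed Old Root" && selfsign old 3650 &&
    csr new "Constructed New Root" && selfsign new 3650 &&
    sign new old 1 cross -extfile ca.ext &&
    csr sub "Constructed Issuing CA" && sign sub new 3650 sub -extfile ca.ext &&
    csr leaf "www.example.org" && sign leaf sub 3650 leaf &&
    cat sub.pem cross.pem > full-chain.pem
}

# verify_later TRUST CHAIN: validate leaf.pem as of two days from now, when the
# one-day cross certificate has expired. Exit status is that of openssl verify.
verify_later() {
  openssl verify -attime "$(( $(date +%s) + 172800 ))" \
    -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
}

work=$(mktemp -d) && build_demo_pki "$work" || exit 1
verify_later new.pem sub.pem && echo "trimmed chain, new root trusted: OK"
verify_later new.pem full-chain.pem && echo "expired cross cert in chain, new root trusted: OK"
verify_later old.pem full-chain.pem || echo "only old root trusted: verification fails"
```

The first two checks correspond to the "None" and full-set server configurations: both validate because the verifier anchors on the long-lived certificate in its trust store and never needs the expired cross-signed copy.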
When a TCS member orders a GÉANT OV SSL certificate in Cert Manager for a name, such as mail.sample.example.org, in the Subject Alternative Names, they get a correct entry for DNS:mail.sample.example.org but they also get DNS:www.mail.sample.example.org. I have confirmed this by looking at issued certificates in our SCM instance. We recommend ordering GÉANT OV Multi-Domain for the time being instead of GÉANT OV SSL. This issue has been raised with the supplier.
It is currently possible to order Document Signing Certificates on a preconfigured USB token from Sectigo. More information on this process is available in this GUIDE.
Code Signing Certificates can be ordered directly from cert manager.
Similarly to document signing certificates, EV Code Signing Certificates need to be provided on a preconfigured USB token from Sectigo. More information on this process is available in this GUIDE.
After the NREN MRAO validates all domains, organisations themselves have to set EV anchors and then order EV certificates. A draft of the EV Anchor guide is AVAILABLE.
These can be reported following the information at: https://sectigo.com/support/report-abuse.
For the grid products, the mapping is:
Grid Host SSL -> GEANT IGTF Multi Domain
Grid Premium -> GEANT IGTF-MICS Personal RSA
Grid Robot Email -> GEANT IGTF-Classic Robot Email RSA
Grid Robot Name -> GEANT IGTF-MICS Robot Personal RSA
Log in to the Portal > go to Settings > Certificate Profiles > filter Certificate Type: Code Signing > select Sectigo Public CA > click Edit. Where Term is shown, click the select button, remove the multiple selected years and select only one term for now (to three years only). This will temporarily fix certificates that are stuck in the Requested state.
Sectigo has a detailed Privacy Notice available for all users. As part of the procurement process, data protection and security measures at Sectigo were evaluated according to the standard GÉANT process for service procurement. The GÉANT GDPR team has prepared a document showing their overall review of the privacy position for Sectigo.
In order to meet the CA/B guidelines, it is essential that all location information is correctly entered in certificate fields. We recommend ONLY completing the Locality and Country information where possible: the more information entered, the greater the likelihood that something will go wrong. Certificates may be revoked for something as small as the difference between Noord Holland and Noord-Holland in the State field. https://en.wikipedia.org/wiki/ISO_3166-2 is generally used as a guide to the correct way to add information, but may not be completely consistent with official local sources given the nature of Wikipedia. The most common problem is with incorrect use of State; we recommend not filling this in wherever possible. If this field is populated, please make sure it matches the ISO guidelines as described in the "sub-divisions" column in the cited Wikipedia page. Do not abbreviate names (N-Holland is not allowed), or add excess data.
IGTF certificates must not contain non-ASCII characters. There are several ways to manage this:
There's a simple tool to create OpenSSL .csr files here: https://www.digicert.com/easy-csr/openssl.htm.
Sectigo provide a guide on the creation of .csr files here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFIo.