The TCS Service offers services in multiple trust categories: public (web) server SSL, S/MIME email, and client "TCS Authentication" ('IGTF') private trust. Corresponding to these categories there are several (self-signed) trust anchors and intermediate 'issuing' authorities. Ensure that all relevant trust anchors are installed for your services to support the intended use case. Specifically, if your application relies on client authentication after August 28, 2023, install the "Research and Education Trust" roots, as well as the client "TCS Authentication" issuing authorities.
TCS Private Trust Anchors after August 28, 2023
Due to changes in the industry standards (CA/Browser Forum), dedicated client authentication certificates will be introduced by TCS by mid-August 2023. These are issued from a private trust hierarchy ("Research and Education Trust") and cannot be used for digitally signing emails ("S/MIME").
At the same time, the subject naming of email signing "S/MIME" certificates will change significantly - you cannot and must not rely on subject name uniqueness for these email signing certificates, and they must not be used for authentication purposes.
Make sure to install the "Research and Education Trust" roots, and (depending on the application) also the "GEANT TCS Authentication (RSA|ECC) CA 4B" on the server-side to continue supporting client authentication!
Public Trust Roots
| Trust anchor name | Key technology | Certificate | CRL Distribution Point | meta-data | Trust purposes |
|---|---|---|---|---|---|
| USERTrustRSACertificationAuthority | RSA4096/SHA384 | https://crt.sh/?id=1199354 | http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl | info-file | any |
| USERTrustECCCertificationAuthority | ECC P384/SHA384 | https://crt.sh/?id=2841410 | http://crl.usertrust.com/USERTrustECCCertificationAuthority.crl | info-file | any |
Public Intermediate (issuing) Authority certificates
| Trust anchor name | Key technology | Certificate | CRL Distribution Point | meta-data | Trust purposes |
|---|---|---|---|---|---|
| GEANT OV RSA CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475254782 | CABF BR | ||
| GEANT OV ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475254970 | CABF BR | ||
| GEANT EV RSA CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475254991 | CABF EV | ||
| GEANT EV ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475254963 | CABF EV | ||
| GEANT eScience SSL CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475254968 | CABF BR, IGTF | ||
| GEANT eScience SSL ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475255001 | CABF BR, IGTF | ||
| GEANT Personal CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475255043 | CABF SMIME | ||
| GEANT Personal ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475254903 | CABF SMIME | ||
| GEANT eScience Personal CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475253350 | CABF SMIME**, IGTF | ||
| GEANT eScience Personal ECC CA 4 | P-256/SHA384 | https://crt.sh/?id=2475254888 | CABF SMIME**, IGTF | ||
| GEANT Code Signing CA 4 | RSA4096/SHA384 | https://crt.sh/?id=2475254247 | Oracle Java, MS apps |