TLS certificates FAQ

General Information

  • Where does the university get its certificates?

    The supplier is HARICA. This is part of the Greek NREN organisation and has already provided certificates for a number of years to Greek Education and Research institutions.

  • Why do I see GÉANT as the Certificate Authority (CA)?
    • Part of the agreement between HARICA and GÉANT is that GÉANT can act as a sub-CA. That is why certificates from HARICA may show up as issued by GÉANT OV RSA CA 4 (or similar).
    • If you follow the certification path you will end up at HARICA Certificate Services.

    Currently, intermediate certificates do not work yet.

  • What kind of certificates can I request?
    • You can request DV and OV server certificates. These are used to authenticate the server’s identity to the client.
    • You can also get a client or personal certificate. These can be used to authenticate the user to the server. More commonly, they are used to sign data, such as email messages and documents.
    • The third kind of certificate you can request is a Code Signing certificate. It allows you to sign the applications you write. Depending on the environment you write your applications for, signing can be mandatory before users are able to install the software.
    • Sometime in 2025 it will also be possible to request a Document Signing certificate.
  • What kind of server certificates can I request?

    The standard UT certificate is an OV type certificate. OV stands for Organization Verified: the supplier of the certificate has verified that it is the university that requests the certificate. That is also shown in the certificate itself.

    The second kind of certificate is the DV type. This is mainly used for encryption and not to certify the organization. Let's Encrypt provides DV certificates.

  • Can I request Let’s Encrypt certificates?
    • You cannot request Let’s Encrypt certificates from LISA. LISA does not offer support for these certificates.
    • You can directly request certificates from the Let’s Encrypt website. They are allowed on the university’s network.
  • Can I use wildcard certificates?
    • We advise against the use of wildcard certificates as they pose too many risks.
    • Therefore wildcard certificates are prohibited at the top-level of the main domains of the university.
    • They are also prohibited if the scope is too large, like for a whole faculty, research institute or service department.
    • Wildcard certificates are allowed for students, student associations and dedicated domains for projects.
  • I have my own domain. Can I request a certificate through the university?

    Short answer: no.

    Long answer: All domains in a request should be under control of the university.

Security Information

  • What about SSL and TLS?
    • You still see SSL mentioned everywhere as a general term for the encryption of traffic using certificates. The SSL protocol itself is outdated and insecure, and therefore it may not be used at the university.
    • TLS (Transport Layer Security) is the newer version of the encryption protocol. Version 1.2 is the current protocol and version 1.3 is the emerging one. Versions prior to 1.2 are not allowed.
  • What SSL versions are allowed?

    None of the SSL versions (v1 to v3) are allowed.

  • What TLS versions are allowed?

    Only versions 1.2 and newer are allowed.

  • What is this about cipher suites?

    Cipher suites describe how the server and client negotiate the way they set up a secure connection. The name of a cipher suite shows which algorithm is used for key exchange, certificate verification, bulk encryption and hashing.

    TLS 1.2 example: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (key exchange ECDHE, certificate verification RSA, bulk encryption AES_256_GCM, hashing SHA384)
    TLS 1.3 example: TLS_AES_256_GCM_SHA384 (in TLS 1.3 the name only contains bulk encryption and hashing; the key exchange, e.g. ECDHE, and the signature algorithm, e.g. RSA, are negotiated separately)

    Rating          Key Exchange   Certificate Verification   Bulk Encryption     Hashing
    -------------   ------------   ------------------------   -----------------   -------
    Good            ECDHE          ECDSA                      AES_256_GCM         SHA384
                                   RSA                        CHACHA20_POLY1305   SHA256
                                                              AES_128_GCM
    Still allowed   DHE            -                          AES_256_CBC         SHA1
                                                              AES_128_CBC
    Not allowed     RSA            -                          3DES-CBC            -


    "Still allowed" in this context means you have to plan for the removal of these algorithms, so you will not end up without a certificate the next time you want to renew it and the algorithm is no longer allowed.

    More information can be found on the website of the Dutch Nationaal Cyber Security Centrum.
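    As an added check (not part of this FAQ, and not a HARICA or Qualys tool), the POSIX shell script below rates cipher-suite names as a scanner reports them against the table above, so you can see which suites on a server are "Still allowed" and need a removal plan. The suite names in the sample list are constructed.

```shell
#!/bin/sh
# Added example, not from the FAQ. Each component of an IANA cipher-suite name is
# rated 2 = Good, 1 = Still allowed, 0 = Not allowed, following the table above;
# the suite gets the worst rating of its components. Anything the table does not
# list is treated as Not allowed (a conservative assumption made here).

rate_kex()  { case "$1" in ECDHE) echo 2 ;; DHE) echo 1 ;; *) echo 0 ;; esac; }
rate_auth() { case "$1" in ECDSA|RSA) echo 2 ;; *) echo 0 ;; esac; }
rate_bulk() { case "$1" in AES_256_GCM|CHACHA20_POLY1305|AES_128_GCM) echo 2 ;;
                           AES_256_CBC|AES_128_CBC) echo 1 ;; *) echo 0 ;; esac; }
rate_hash() { case "$1" in SHA384|SHA256) echo 2 ;; SHA1) echo 1 ;; *) echo 0 ;; esac; }
worse()     { if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi; }

# classify_suite NAME -> prints Good, "Still allowed" or "Not allowed"
classify_suite() {
  s=${1#TLS_}
  worst=2
  case "$s" in
    *_WITH_*)
      # TLS 1.2 form: TLS_<kex>_<auth>_WITH_<bulk>_<hash>. A single token before
      # WITH (e.g. TLS_RSA_WITH_...) means static RSA key exchange and RSA auth.
      left=${s%%_WITH_*}; right=${s#*_WITH_}
      kex=${left%%_*}; auth=${left#*_}
      worst=$(worse "$(rate_kex "$kex")" "$worst")
      worst=$(worse "$(rate_auth "$auth")" "$worst")
      ;;
    *)
      # TLS 1.3 form: TLS_<bulk>_<hash>. Key exchange is always ephemeral (EC)DHE
      # and the signature algorithm is negotiated separately, so only bulk
      # encryption and hashing are rated here.
      right=$s
      ;;
  esac
  hash=${right##*_}; bulk=${right%_*}
  if [ "$hash" = SHA ]; then hash=SHA1; fi                 # IANA writes SHA-1 as "SHA"
  if [ "$bulk" = 3DES_EDE_CBC ]; then bulk=3DES-CBC; fi    # the table's name for triple DES
  worst=$(worse "$(rate_bulk "$bulk")" "$worst")
  worst=$(worse "$(rate_hash "$hash")" "$worst")
  case "$worst" in 2) echo Good ;; 1) echo "Still allowed" ;; *) echo "Not allowed" ;; esac
}

# Constructed sample list, as a scanner might report it for one server
for suite in TLS_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
             TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 \
             TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; do
  printf '%-45s %s\n' "$suite" "$(classify_suite "$suite")"
done
```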

  • How can I check my server?
    • Qualys offers an easy online test at https://ssllabs.com/. Make sure you have a score of A or better. This site only tests websites on the standard port, 443.
    • If your score is lower because you do not have the right certificate yet, you can still request a certificate.
    • If your server is not accessible from outside the university’s network you can (temporarily) give access to the SSLlabs servers. You can find the current IP addresses on their site.

Certificate requests

  • Does the university’s supplier of certificates support Automatic Certificate Management Environment (ACME)?

    HARICA supports ACME, but not yet in a way we consider secure. The current planning has April 2025 as the moment when ACME will be supported in a secure way.

    We advise users to use ACME to request and install certificates. Currently, the default lifespan of a certificate is 1 year. In the future, it will probably go down to 90 days or less.

  • Can I use ACME with every system?
    • Most web server software supports tools to implement ACME.
    • IIS on Microsoft Windows does not yet natively support ACME. You can install PowerShell modules or separate Windows tools, though.
    • Dedicated devices with web capabilities, like networking equipment, IoT devices, etc., often have no support for ACME. You can use ACME on a separate system and upload the certificates to your device.
  • I have received my certificate a while back. When do I need to request a new one?

    You have to make sure you have a new certificate installed on your system before the current one expires. The best moment for a new request is about one month in advance. That gives everybody time to handle the request and solve any issue that may arise.

    If you use ACME, requesting and installing certificates on most systems will happen automatically.

  • Do I get a reminder?

    We do not yet know the details of the reminder service at HARICA.

    You don't need a reminder when you use ACME. ACME handles certificate renewal in time before expiration of the old certificate.

  • How can I request a server certificate?

    If you want to start using ACME, contact the Service desk ICT.

    If your system does not support ACME, you can use the HARICA website. Use Academic Login to authenticate. A few days after you finish the process, you will receive your certificate.

    We advise you to make plans to start using ACME for all your certificates, as the lifetime of certificates will get shorter in the next couple of years. Eventually, perhaps, to about one month.

  • How can I request a personal certificate?

    DO NOT request a personal certificate on a computer that is not your own personal or work computer. Later in the process you will need to provide a password to secure access to the certificate, but if it is on a public computer, other people can get access to the certificate file and try to break your password.

    • Use the HARICA website. Select Academic Login to authenticate.
    • In the menu part, Certificate Requests, select Email.
    • Select Email-only. On the next page check your Email Address. If correct, click Next.
    • Click Next on the validation page.
    • Review the application. If correct, select the check box and click Submit.

    You will receive a mail from "HARICA Certificate Manager (CM) <noreply@harica.gr>" with a link to Confirm your address. Click the link and confirm your address. Next, you can Enroll your Certificate.

    • To ensure your certificate will work with most email clients and web browsers, use the default Algorithm and Key size.
    • Have your password manager generate a new password. Remember that password, as you need it after downloading the certificate. If you don't have a password manager, we advise you to get one first. If you want the certificate anyway, come up with a strong password. Enter it twice.
    • Select the check box and click Enroll Certificate.
    • Download the certificate.

    You can now import it into your application using the password you provided earlier.

  • What is the lifespan of a certificate?

    Certificates supplied by the university have a lifespan of one year.

    Be aware that this will probably change to 90 days, or less, in the next couple of years.

    Personal certificates have a lifespan of two years.

Certificate signing requests

This information is relevant if you don’t use ACME. When using ACME, creating CSRs is automated.

  • How do I create a certificate signing request (CSR)?

    Different systems use different methods to generate a CSR. On most systems you can use a tool like OpenSSL. Some applications allow the generation of a CSR inside the application. Check the manual for your environment.

  • What are the requirements of a CSR?
    • The CSR should be generated in PEM format.
    • The key should have a minimum strength of 2048 bits.
    • The signature hash must be at least SHA-256.
    • Each CSR should at least contain a CN (Common Name), which has to be the hostname of the system or the application. The C (Country) should be “NL”, L (Locality) should be “Enschede” and O (Organization) is “University of Twente”.
    • You can add Subject Alternative Names (SANs) up to a maximum of 20 entries.
  • What other things should I consider when generating a CSR?
    • Wildcards are allowed in the CN, but then adding SANs is no longer possible.
    • Wildcards are only allowed when the scope is small enough, like a student association. Using a wildcard to cover all systems in a faculty is prohibited.
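
    As an added example (not the FAQ's or HARICA's own instructions), the POSIX shell script below uses OpenSSL to generate a key and CSR that meet the requirements listed above, and then checks a CSR file against those requirements before you submit it. The hostnames and SAN list are constructed placeholders; the checker assumes an RSA key, as the 2048-bit requirement implies.

```shell
#!/bin/sh
# Added example, not the FAQ's or HARICA's tooling. Hostnames and SANs are
# constructed placeholders. Requires OpenSSL 1.1.1 or newer (for -addext).

CSR_DIR=${CSR_DIR:-$(mktemp -d)}

# make_csr HOSTNAME "DNS:a,DNS:b" -> writes HOSTNAME.key and HOSTNAME.csr (PEM)
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$CSR_DIR/$1.key" -out "$CSR_DIR/$1.csr" \
    -subj "/C=NL/L=Enschede/O=University of Twente/CN=$1" \
    -addext "subjectAltName=$2" 2>/dev/null
}

# check_csr FILE -> returns 0 if the CSR meets the FAQ's requirements, else 1
check_csr() {
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || { echo "$1: not a PEM CSR"; return 1; }
  subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
  nsan=$(printf '%s\n' "$sans" | tr ',' '\n' | grep -c 'DNS:' || true)
  ok=0
  # Minimum key strength of 2048 bits (assumes an RSA key)
  [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bits"; ok=1; }
  # Signature hash must be at least SHA-256
  case "$sig" in sha256*|sha384*|sha512*) ;; *) echo "hash too weak: $sig"; ok=1 ;; esac
  # CN present, C = NL, L = Enschede, O = University of Twente
  for field in 'CN=' 'C=NL' 'L=Enschede' 'O=University of Twente'; do
    case "$subj" in *"$field"*) ;; *) echo "missing subject field: $field"; ok=1 ;; esac
  done
  # At most 20 SAN entries
  [ "$nsan" -le 20 ] || { echo "too many SANs: $nsan"; ok=1; }
  return $ok
}

# Constructed example: a host with one extra name
make_csr www.example.utwente.nl "DNS:www.example.utwente.nl,DNS:example.utwente.nl"
check_csr "$CSR_DIR/www.example.utwente.nl.csr" && echo "CSR OK" || echo "CSR rejected"
```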

Installing a certificate

This information is relevant if you don’t use ACME. When using ACME, the installation of certificates is automated.

  • How do I install a certificate on my system?
    • If your application offers to generate CSRs, it probably also offers to install certificates. Use that.
    • Installing certificates is dependent on the system you use. Check the manual for your systems and the certificate tool you use.
  • Do I need to provide a certificate chain when installing a certificate on my server?

    Yes, but only the GÉANT-branded sub-CA certificate (CN = GEANT OV RSA CA 4 or similar).

  • How do I check if I installed the certificate correctly?
    • Qualys offers an easy online test at https://ssllabs.com/. Make sure you have a score of A or better. This site only tests websites on the standard port, 443.
    • If your score is lower because you do not have the right certificate yet, you can still request a certificate.
    • If your server is not accessible from outside the university’s network you can (temporarily) give access to the SSLlabs servers. You can find the current IP addresses on their site.

SURF has written guidelines (in Dutch) which include configurations for most systems.