General Information
Where does the university get its certificates?
The supplier is HARICA. This is part of the Greek NREN organisation and has already provided certificates for a number of years to Greek Education and Research institutions.
Why do I see GÉANT as the Certificate Authority (CA)?
- Part of the deal between HARICA and GÉANT is that GÉANT can be a sub-CA. That is why certificates from HARICA might show up as Issued by GÉANT OV RSA CA 4 (or similar).
- If you follow the certification path you will end up with the HARICA Certificate Services.
Currently, intermediate certificates are not yet available.
What kind of certificates can I request?
- You can request DV and OV server certificates. These are used to authenticate the server’s identity to the client.
- You can also get a client or personal certificate. These can be used to authenticate the user to the server. More commonly, they are used to sign data, such as email messages and documents.
- The third kind of certificate you can request is a Code Signing certificate. It allows you to sign the applications you write. Depending on the environment in which you write your applications, signing may be mandatory before users can install the software.
What kind of server certificates can I request?
The standard UT certificate is an OV certificate. OV stands for Organization Validated: the supplier has verified that it really is the university that requests the certificate, and the organisation name appears in the certificate itself.
The second kind is the DV (Domain Validated) certificate. Here the supplier only checks that the requester controls the domain; the certificate says nothing about the organisation behind it, although it provides the same TLS encryption. Let's Encrypt provides DV certificates.
Can I request Let’s Encrypt certificates?
- You cannot request Let's Encrypt certificates from LISA; LISA does not offer support for these certificates.
- You can obtain certificates directly from Let's Encrypt with an ACME client. They are allowed on the university's network.
Can I use wildcard certificates?
- We advise against wildcard certificates because they pose too many risks: a single private key then covers every host under the wildcard, so it has to be copied to each of those servers and the compromise of any one of them exposes all.
- Therefore wildcard certificates are prohibited at the top-level of the main domains of the university.
- They are also prohibited if the scope is too large, like for a whole faculty, research institute or service department.
- Wildcard certificates are allowed for students, student associations and dedicated domains for projects.
I have my own domain. Can I request a certificate through the university?
Short answer: No
Long answer: All domains in a request should be under control of the university.
Security Information
What about SSL and TLS?
- You still see "SSL" used everywhere as a general term for encrypting traffic with certificates. The SSL protocols themselves are obsolete and insecure, and their use is not allowed at the university.
- TLS (Transport Layer Security) is the successor. Version 1.3 is the current version and 1.2 is still in wide use; both are allowed. Versions prior to 1.2 are not allowed.
What SSL versions are allowed?
None of the SSL versions (v1 to v3) are allowed.
What TLS versions are allowed?
Only versions 1.2 and newer are allowed.
What is this about cipher suites?
A cipher suite is the set of algorithms the client and server agree on when they set up a TLS connection. A TLS 1.2 suite name such as ECDHE-RSA-AES256-GCM-SHA384 spells out the key exchange (ECDHE), the certificate-based authentication (RSA), the bulk encryption (AES-256-GCM) and the hash/MAC (SHA-384). TLS 1.3 suites name only the bulk cipher and hash, because key exchange and authentication are fixed by the protocol. Refer to the Guidelines on using TLS certificates for the suites allowed.
More information can be found on the website of the Dutch Nationaal Cyber Security Centrum.
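As an added example (not part of the university's guidelines or its allowed list), the shell functions below use OpenSSL to expand a cipher string into the suites it enables and to check each suite's key exchange and bulk cipher. The POLICY string is an assumption chosen for illustration; the authoritative list is the one in the Guidelines on using TLS certificates.

```shell
#!/bin/sh
# Added example, not part of the university's guidelines: expand an OpenSSL
# cipher string into the suites it enables and check each suite's components.
# POLICY is an assumption for illustration; the authoritative list is in the
# Guidelines on using TLS certificates.

# Forward-secret key exchange and AEAD bulk encryption only; no anonymous
# suites, no NULL ciphers, no MD5, no RC4, no 3DES.
POLICY='ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES'

# One line per suite with the columns "openssl ciphers -v" reports:
# name, protocol, Kx= (key exchange), Au= (authentication, i.e. how the
# certificate is verified), Enc= (bulk encryption) and Mac= (hash/MAC).
# TLS 1.3 suites show Kx=any/Au=any because the protocol fixes both.
list_suites() {
    openssl ciphers -v "$1"
}

# Print the suites that do not use forward-secret key exchange (ECDH, DH, or
# "any" for TLS 1.3) or do not use an AEAD cipher; no output means clean.
weak_suites() {
    openssl ciphers -v "$1" |
        awk '$3 !~ /^Kx=(ECDH|DH|any)$/ || $5 !~ /^Enc=(AESGCM|AESCCM|CHACHA20)/'
}

# Exit status 0 when every suite in the string passes the rule above.
check_policy() {
    [ -z "$(weak_suites "$1")" ]
}

# Usage: list_suites "$POLICY"; check_policy "$POLICY" && echo "policy OK"
```

Against a live server the same tool shows what was actually negotiated: `openssl s_client -connect host:443 -tls1_1 </dev/null` must fail, while `-tls1_2` and `-tls1_3` must succeed and report the cipher in use. This also works for ports other than 443, which the SSL Labs test does not cover.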
How can I check my server?
- Qualys offers an easy online test at https://ssllabs.com/. Make sure you score A or better. This site only tests websites on the standard port, 443; services on other ports have to be checked locally, for example with openssl s_client.
- If your score is lower because you do not have the right certificate yet, you can still request a certificate.
- If your server is not accessible from outside the university's network, you can (temporarily) allow the SSL Labs test servers through. You can find their current IP addresses on their site.
Certificate requests
Does the university’s supplier of certificates support Automatic Certificate Management Environment (ACME)?
Yes, HARICA supports ACME with External Account Binding (EAB). You need to request an account, which gives you the EAB key identifier and HMAC key, before you can use ACME.
From March 2026 onward, the lifespan will be reduced to 200 days and later to even shorter periods. To minimise administrative overhead, we will require users to use ACME to request and install certificates.
More information about ACME can be found on the SURF website.
Can I use ACME with every system?
- Most web server software supports tools to implement ACME.
- IIS on Microsoft Windows does not yet natively support ACME. You can install PowerShell modules or separate Windows tools instead.
- Dedicated devices with web capabilities, such as networking equipment and IoT devices, often lack support for ACME. You might be able to use ACME on a separate system and upload the certificates to your device.
See the SURF website for more information.
I have received my certificate a while back. When do I need to request a new one?
You have to make sure you have a new certificate installed on your system before the current one expires. The best moment for a new request is about one month in advance. That gives everybody time to handle the request and solve any issue that may arise.
If you use ACME, requesting and installing certificates on most systems will happen automatically.
Do I get a reminder?
No, you don't get a reminder from HARICA.
You don't need a reminder when you use ACME. ACME handles certificate renewal in a timely manner before the expiration of the old certificate.
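For certificates that are not handled by ACME, here is an added example (not from the university or HARICA) of a local reminder: the shell functions below use `openssl x509 -checkend` to report whether a certificate expires within a given number of days, so a cron job can warn about one month ahead, as advised above. The file paths are assumptions, and the self-signed test certificate exists only to exercise the check offline.

```shell
#!/bin/sh
# Added example, not from the university's guidelines: a local expiry
# reminder for certificates that are not renewed through ACME. Paths and
# the 30-day default are assumptions; 30 days matches the advice above to
# request the replacement about a month ahead.

# Print the certificate's notAfter date (informational).
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate in $1 expires within $2 days (default 30),
# 1 otherwise. "openssl x509 -checkend N" exits 0 when the certificate is
# still valid N seconds from now and 1 when it is not, so invert it here.
needs_renewal() {
    days=${2:-30}
    if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Create a throw-away self-signed certificate valid for $2 days. Used only
# to exercise the check offline; a real server certificate comes from HARICA.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=test.example" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Typical cron use (path is an assumption):
#   needs_renewal /etc/ssl/certs/www.pem 30 &&
#       echo "renew www.pem, expires $(cert_expiry /etc/ssl/certs/www.pem)"
```

Run needs_renewal over every installed certificate once a day and mail the output. Keep the window at 30 days for today's one-year certificates and shorten it once lifetimes drop to 200 or 90 days, otherwise the reminder fires for most of the certificate's life.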
How can I request a server certificate?
If you want to start using ACME, contact the Service desk ICT.
If your system does not support ACME, you can use the HARICA website. Use Academic Login to authenticate. A few days after you finish the process, you will receive your certificate.
We advise you to make plans to start using ACME for all your certificates, as the lifetime of certificates will get shorter in the next couple of years. Eventually, perhaps, to about one month.
How can I request a personal certificate?
DO NOT request a personal certificate on a computer that is not your own personal or work computer. The private key is generated and stored on the computer you use for the request. Even though you will need to provide a password later in the process to protect access to the certificate, on a public computer other people can copy the key and attempt to break your password offline.
Refer to the Guidelines on Personal Certificates for information and procedures regarding personal certificates.
What is the lifespan of a certificate?
Currently, certificates issued by the university have a one-year lifespan.
On 12 March 2026, this will be reduced to 200 days. In the next couple of years, this will further be reduced to 90 days at most.
Personal certificates have a two-year lifespan.
Certificate signing requests
This information is relevant if you don’t use ACME. When using ACME, creating CSRs is automated.
How do I create a certificate signing request (CSR)?
Different systems use different methods to generate a CSR. On most systems you can use a tool like OpenSSL. Some applications allow the generation of a CSR inside the application. Check the manual for your environment.
What are the requirements of a CSR?
- The CSR must be in PEM format.
- The key must be an RSA key of at least 2048 bits.
- The CSR must be signed with SHA-256 or a stronger hash.
- Each CSR must at least contain a CN (Common Name), which has to be the hostname of the system or the application. The C (Country) must be "NL", L (Locality) must be "Enschede" and O (Organization) must be "University of Twente".
- You can add Subject Alternative Names (SANs), up to a maximum of 20 entries. Modern browsers match the hostname against the SAN list rather than the CN, so include the CN hostname among the SANs as well.
What other things should I consider when generating a CSR?
- A wildcard is allowed in the CN, but a wildcard CSR can then not carry SANs.
- Wildcards are only allowed when the scope is sufficiently small, such as a student association. Using a wildcard to cover all systems in a faculty is prohibited.
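An added example (not the university's own tooling and not the HARICA request form): the shell functions below generate a CSR with OpenSSL that follows the requirements above, and check an existing CSR against them before it is submitted. The hostnames are made up, and OpenSSL 1.1.1 or newer is assumed for `-addext` and `-nameopt`.

```shell
#!/bin/sh
# Added example, not the university's own tooling: generate a CSR that meets
# the requirements above and check a CSR against them. Hostnames are made up;
# C, L and O use the values stated above. Assumes OpenSSL 1.1.1 or newer.

# gen_csr OUTPREFIX HOST [SAN ...]
# Writes OUTPREFIX.key (private key, stays on the server) and OUTPREFIX.csr
# (PEM). CN is HOST; HOST plus any extra names go into subjectAltName.
# 2048 bits is the minimum above; 3072 leaves some margin.
gen_csr() {
    prefix=$1; host=$2; shift 2
    sans="DNS:$host"
    for s in "$@"; do sans="$sans,DNS:$s"; done
    openssl req -new -newkey rsa:3072 -nodes -sha256 \
        -subj "/C=NL/L=Enschede/O=University of Twente/CN=$host" \
        -addext "subjectAltName=$sans" \
        -keyout "$prefix.key" -out "$prefix.csr" 2>/dev/null
}

# check_csr FILE: exit 0 if the CSR is PEM, has an RSA key of at least 2048
# bits, is signed with SHA-256 or stronger, carries C/L/O/CN and has at most
# 20 SAN entries. Every violation is reported on stderr.
# (An ECDSA key shows its curve size here and would need its own rule.)
check_csr() {
    csr=$1; ok=0
    txt=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
        { echo "not a PEM CSR: $csr" >&2; return 1; }
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bits" >&2; ok=1; }
    printf '%s\n' "$txt" |
        grep -Eq 'Signature Algorithm: (sha(256|384|512)With|ecdsa-with-SHA(256|384|512))' ||
        { echo "signature hash weaker than SHA-256" >&2; ok=1; }
    # RFC2253 form gives "subject=CN=host,O=...,L=...,C=NL" on every version.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    for f in 'C=NL' 'L=Enschede' 'O=University of Twente' 'CN='; do
        case "$subj" in
            *"$f"*) ;;
            *) echo "subject missing: $f" >&2; ok=1 ;;
        esac
    done
    n=$(printf '%s\n' "$txt" | grep -o 'DNS:' | wc -l | tr -d ' ')
    [ "$n" -le 20 ] || { echo "too many SANs: $n" >&2; ok=1; }
    return $ok
}

# Usage: gen_csr www www.test.example api.test.example && check_csr www.csr
```

Submit only the .csr file; the .key file never leaves the server. For a wildcard request that the rules above allow, pass the wildcard as HOST with no extra names, and drop the -addext line if the supplier refuses a SAN on a wildcard request.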
Installing a certificate
This information is relevant if you don’t use ACME. When using ACME, the installation of certificates is automated.
How do I install a certificate on my system?
- If your application can generate CSRs, it can probably also install certificates. Use that.
- Installing certificates is dependent on the system you use. Check the manual for your systems and the certificate tool you use.
Do I need to provide a certificate chain when installing a certificate on my server?
Yes, but only the GÉANT-branded sub-CA certificate (CN = GÉANT OV RSA CA 4 or similar). Install your own certificate first, followed by the sub-CA certificate; the HARICA root is not needed, as clients already trust it.
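To show what serving the chain means, here is an added example (constructed locally; not the university's or HARICA's material) that builds a throw-away root, intermediate and server certificate with OpenSSL and then verifies the server certificate with and without the intermediate. In production the intermediate is the GÉANT sub-CA certificate and the root is HARICA's, which clients already trust; all names below are made up.

```shell
#!/bin/sh
# Added example, not the university's or HARICA's material: a throw-away
# root -> intermediate -> server chain showing why the sub-CA certificate
# must be installed together with the server certificate. Names are made up.

# build_chain DIR: creates root.pem, sub.pem and server.pem (plus keys) in DIR.
build_chain() {
    d=$1
    # Extensions for a CA (root and intermediate) and for the server (not a CA).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.test.example\n' > "$d/srv.ext"
    # Self-signed root: the trust anchor, standing in for the HARICA root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate signed by the root: stands in for the GÉANT sub-CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Sub-CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
    # Server certificate signed by the intermediate: what you receive from HARICA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.test.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
}

# A client that trusts only the root can verify the server certificate when
# the intermediate is supplied ("-untrusted" plays the part of the server
# sending it along).
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/server.pem" >/dev/null 2>&1
}

# Without the intermediate the same check fails with "unable to get local
# issuer certificate": this is what a browser sees when only the server
# certificate was installed.
verify_without_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# The file to install: server certificate first, then the sub-CA certificate,
# and not the root (clients have that already).
make_fullchain() {
    cat "$1/server.pem" "$1/sub.pem" > "$1/fullchain.pem"
}

# Number of certificates in a PEM bundle; 2 for fullchain.pem built above.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Usage: d=$(mktemp -d); build_chain "$d"; verify_with_chain "$d" && echo "chain OK"
```

On a real server the equivalent check is `openssl s_client -connect host:443 -showcerts </dev/null`, which should list your certificate followed by the sub-CA certificate and end with "Verify return code: 0 (ok)".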
How do I check if I installed the certificate correctly?
- Run the Qualys SSL Labs test described under "How can I check my server?". Besides the grade, check that it reports no chain issues; a missing sub-CA certificate shows up there.
- If your score is lower because you do not have the right certificate yet, you can still request a certificate.
- If your server is not accessible from outside the university's network, you can (temporarily) allow the SSL Labs test servers through. You can find their current IP addresses on their site.
SURF has written guidelines (in Dutch) that include configurations for most systems.