Certificates
TLS certificates
We have two options:
1. Let's Encrypt certificates
For services exposing the HTTP port to the internet, certificates can be automated:
- The Kubernetes clusters use automatic Let's Encrypt certificates.
- VMs can receive certificates by utilizing the letsencrypt module in Puppet.
2. Trusted Certificate Service by GÉANT
The Trusted Certificate Service (TCS) is delivered by the Hellenic Academic & Research Institutions Certification Authority (HARICA).
(For more information about the TCS, see the FAQ in the GÉANT wiki).
Order certificate manually:
To order a certificate, log in using Academic Login on the Certificate Manager.
Follow the instructions in the guide to submit your CSR and order a DV (Domain Validated) certificate.
After ordering a certificate, you have to wait a bit for the approvers to approve it. They automatically receive an email about it, but if nothing happens in a couple of days, poke them by sending another email.
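As an added example (not part of the original page or of the TCS guide), one way to prepare the CSR mentioned above: it generates a private key and a CSR covering several hostnames, then checks the CSR before submission. The hostnames, the RSA 3072 key type and the function names are assumptions; the guide decides which key parameters the CA accepts.

```shell
#!/bin/sh
# Added example: key + CSR for a DV order, checked before submission.
# Assumptions: RSA 3072 key, OpenSSL 1.1.1 or newer (for -addext),
# hostnames under example.org are constructed placeholders.

# make_csr OUTDIR PRIMARY_HOST [EXTRA_HOST...]
# Writes OUTDIR/PRIMARY_HOST.key and OUTDIR/PRIMARY_HOST.csr.
# Runs in a subshell so the umask change does not leak to the caller.
make_csr() (
    outdir=$1; shift
    primary=$1
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"      # every hostname, primary included, goes in the SAN
    done
    umask 077                           # private key readable by the owner only
    mkdir -p "$outdir" || exit 1
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$outdir/$primary.key" \
        -out "$outdir/$primary.csr" \
        -subj "/CN=$primary" \
        -addext "subjectAltName=$san" || exit 1
)

# check_csr CSRFILE HOST...
# Succeeds only if the CSR self-signature verifies and every HOST is a SAN entry.
check_csr() {
    csr=$1; shift
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    # One SAN entry per line, so hostnames are compared exactly (no regex, no substrings).
    entries=$(openssl req -in "$csr" -noout -text | tr -d ' ' | tr ',' '\n') || return 1
    for h in "$@"; do
        printf '%s\n' "$entries" | grep -Fxq "DNS:$h" || return 1
    done
}

# Usage:
#   make_csr ./certs www.example.org api.example.org
#   check_csr ./certs/www.example.org.csr www.example.org api.example.org
```

Only the .csr file is submitted; the .key file stays on the host that will serve the certificate.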
Automated certificates (ACME)
It is possible to automate certificate issuance by using ACME.
To receive credentials and configuration details (for example, to be used by certbot), send an email to the approvers. Please supply the following information:
- the name of the application or system that needs certificate(s)
- the name of your team and product area
- the hostname(s) you need to issue certificates for (you can add more hostnames later)
S/MIME certificate
The TCS also supports certificates for email purposes (S/MIME).
You can order one in the Certificate Manager.
Log in using Academic Login.
Follow the instructions in the guide.