Certificates

Certificate lifetimes and Domain Control Validation will be severely reduced until 2029. This was unanimously agreed in ballot SC-081v3 April 2025 by the Certification Authority Browser Forum and will apply to all PKI TLS certificates.

• Maximum certificate lifetime will be 47 days and only 10 days DCV reuse from 15/3 2029

This means institutions should ask the question now: "Do we have an automation strategy for all PKI TLS certificates throughout our organization?"

The answer will often involve ACME - which makes it easy to request TLS certificates.

Requesting star certificates or certificates for internal servers requires DNS validation via the ACME protocol. This is more complex. To make it easier and more secure, DeiC has developed an ACME DNS service, which is made available free of charge to institutions on the Research Network.

Through GÉANT / Trusted Certificate Service (TCS), DeiC offers certificates for the research and education sector, issued by a commercial provider. GÉANT has signed an agreement with HARICA, as Certificate Authority (CA). HARICA provides certificates via their self-service portal. Here you can order certificates of the following types:

• Domain Validated (DV) and Organization Validated (OV) server certificates
• Code signing certificates
• Email certificates
• Personal certificates

The agreement does not cover Extended Validation (EV) certificates. However, these can be ordered directly from HARICA outside of GÉANT/TCS.

Rules for TCS certificates

1. The certificates may only be used by research and educational institutions and not for commercial purposes.
2. The institution must sign a Trusted Certificate Service (TCS) Subscriber Agreement that reflects the conditions set by HARICA.
3. The institution must appoint one or more responsible persons who can order certificates on behalf of the institution.
4. DeiC verifies the institution and assigns rights to administrators/users who can then directly order server certificates themselves.

Let's Encrypt is a free, open CA run by the non-profit organization Internet Security Research Group (ISRG). The service's certificates are accepted by every browser on the market; it has quickly become very popular and a number of useful tools have emerged that make it easy to automate the request and renewal of standard server certificates for individual public web servers.

For those institutions that use, or want to use, free certificates from Let's Encrypt, DeiC offers consulting help to get started and with automating renewals.

DeiC provides a proprietary service that makes it easy and secure to create DNS 01 Challenge via the Automatic Certificate Management Environment (ACME) protocol. The service can use any CA that supports ACME, such as Let's Encrypt, and is intended for institutions that want to automate certificate issuance and renewals for their entire organization, including star certificates and certificates for internal networks.

GÉANT TCS certificates

HARICA has become a supplier as of January 1, 2025. The pricing model is under negotiation, but the cost is estimated to be comparable to previously.

Current prices:

• OV Single certificate: DKK 410
• OV Star certificate: DKK 500
• OV Multi-domain certificate: DKK 1,060
• Code signing certificate:
  • 1 year DKK 420
  • 2 years DKK 520
  • 3 years DKK 620

• Personal certificate: Free under 10 pcs, We are also working on an "Ad libitum" model, which will be finalized in Q2 2026, where prices will probably be:

  • 0-30: Same prices as today
  • 31-60: 10.000 kr/year
  • 61-150: 20.000 kr/year
  • 151-300: 50.000 kr/year
  • 301-:100.000/year

  DeiC's ACME-DNS service

  The ACME-DNS service with DNS-01 challenge validation is free to use for everyone on the Research Network.

  You can freely choose a CA that supports the ACME protocol and the ACME-DNS service for DNS validation. If you use a free CA, such as Let's Encrypt, the certificates are also free.

  DeiC offers consulting help with implementation of the solution for DKK 950 per hour.

Certificates via HARICA

Log in to the self-service portal HARICA Cert Manager via your institution by selecting `Academic Login`. Locate your institution and log in with WAYF.

You can download PDFs describing the workflow for the different roles in the onboarding process here:

• Enterprise Manager Guide
• Enterprise Admin Guide
• Enterprise Approver Guide

HARICA support and guides are here on their website, while documentation of their API can be found here.

GÉANT maintains a FAQ, which describes how the ACME protocol can be supported with HARICA.

If you would like to test the service without having to pay, you can use: HARICA staging service.

Certificates via ACME and DeiC's ACME-DNS service

Technical documentation can be found at Codeberg.

DeiC offers support and help getting started.