TCS FAQ - General Questions


What is the TERENA Certificate Service?

The TERENA Certificate Service (TCS) is a bulk purchasing arrangement organised by TERENA on behalf of its membership. Participating National Research and Education Networks (NRENs) pay a fixed fee depending on the certificate services they wish to offer, and this enables them to issue an unlimited number of X.509 certificates to organisations within their own communities. The certificates are provided by Comodo CA Limited, one of the largest worldwide certification authorities, which was chosen after a competitive tender process.


What types of certificates are available through TCS?

Please note that as of 1 February 2013, there are four types of server certificates.
The complete list of certificates available via TCS is the following:

  • Organisation Validated (OV) server certificate - also known as an SSL OV certificate, used for authenticating servers and establishing secure sessions. These can be issued to recognised research and education institutions and are valid for up to 3 years.
    As of 1 February 2013, the procedure to issue an OV server certificate requires a telephone callback.
  • e-Science Organisation Validated (OV) server certificate - as above, but accredited by the EUGridPMA for use with Grid hosts and services. These can be issued to research and education institutions, and are valid for 13 months.
    As of 1 February 2013, the procedure to issue an OV e-science server certificate requires a telephone callback.
  • Domain Validated (DV) server certificate - also known as an SSL DV certificate, used for authenticating servers and establishing secure sessions with end clients. These can be issued to a validated domain, but they do not involve any checks on the organisation requesting the certificates and as such offer a lower level of security than OV certificates. They have a validity period of up to 3 years.
  • e-Science Domain Validated (DV) server certificate - as above, but accredited by the EUGridPMA for use with Grid hosts and services. These certificates are compliant with the e-science rules and have a validity period of 13 months.
  • Personal certificate - used for identifying individual users, securing email communications and signing documents. These can be issued to authenticated individuals at recognised research and education institutes, and have a validity period of up to 3 years.
  • e-Science personal certificate - as above, but accredited by the EUGridPMA for identifying individual users accessing Grid services. These can be issued to authenticated individuals at recognised research and education institutes, and have a validity period of up to 3 years.
  • Code-signing certificate - also known as an object-signing certificate, used for authenticating software distributed over the Internet. These can be issued to recognised research and education institutions, and have a validity period of up to 3 years.

Please note these certificates are intended for research and educational use only; they may be used within this context to secure financial transactions.


What is the difference between Domain Validated (DV) server certificates and Organisation Validated (OV) server certificates? (NEW)

In contrast to OV certificates, DV certificates do not contain identifying information in the organisation name field. They do not contain organisational unit or country fields either, but only the domain name of the server for which the certificate is issued.
The benefit of using these certificates is that they do not require a callback and will be issued almost instantly. They are an appealing alternative for uses in which an organisation name is not required.


Why did the validation procedures for server certificates change on 1 Feb 2013? (NEW)

Comodo, the certification authority that issues the TCS certificates, informed TERENA towards the end of 2012 that the Certificate Authority/Browser (CAB) Forum required an additional validation step before the issuing of an Organisation Validated (OV) server certificate - these were the standard server certificates issued by TCS. These additional checks validate the C=country, O=organisation and OU=organisational unit fields in a server certificate.

To meet the new CAB Forum requirements, from 1 February 2013, Comodo uses a telephone callback to check with the person who submitted the OV certificate request. This increases online security for the certificate user, but also increases the time between a request being submitted and the certificate being issued. The delay may take a couple of working days or more.

To mitigate this situation, Domain Validated (DV) server certificates have been added to the list of products offered by TCS, as they are an appealing alternative when an organisation name is not strictly required.


What is the callback procedure for OV server certificates? (NEW)

The verification procedure for issuing OV server certificates requires Comodo to call the person who requested the certificate to verify the request. The steps for the callback are:

  • Authorised users request an OV server certificate via their familiar system, providing:
    a. FIRST NAME
    b. LAST NAME
    c. EMAIL address
  • Comodo sends an email to the requesting person providing them with a web link. Comodo finds the requesting organisation's phone number using public directories and calls the institution, asks for the person who requested the certificate and gives him/her a callback code.
  • The requesting person clicks on the link in the email and gets to a page where he/she enters his/her email address and the callback code.
  • Callback validation is completed.


What are the implications of callback procedures for e-science server certificates? (NEW)

In addition to the pre-existing e-science server certificates, from 1 February 2013 TCS has introduced a new product, the DV e-science server certificate. This product meets the e-science server certificate requirements, but does not require a callback from the CA.

In practice this means that there are two types of e-science server certificates:

  • e-science DV server certificate
  • e-science OV server certificate (with the additional callback procedure)


What are TCS e-science certificates?

TCS e-science certificates are accredited by the EUGridPMA for use with Grid services. The e-science server certificates conform to the IGTF Classic X.509 CA authentication profile, while the e-science personal certificates conform to the IGTF Member Integrated Credential Services (MICS) authentication profile. This specifically means they are restricted to a 13-month validity period, may only use 7-bit ASCII strings within the subject name, and may only be bound to a single end entity.

The root certificates of the TCS e-science server and e-science personal sub-CAs are included in the IGTF Trust Anchor Distribution.
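The subject-field difference between DV and OV certificates and the e-science restrictions described above can be checked mechanically. The following is an added example, not part of the original FAQ or of any TCS or Comodo tooling; it assumes the dictionary shape returned by Python's ssl getpeercert(), reads "13 months" as calendar months (an assumption), and uses constructed sample certificates.

```python
import ssl
from datetime import datetime, timezone

ORG_FIELDS = ("countryName", "organizationName", "organizationalUnitName")

def subject_attrs(cert):
    """Flatten the getpeercert() subject (a tuple of RDNs) into (name, value) pairs."""
    return [pair for rdn in cert.get("subject", ()) for pair in rdn]

def validation_style(cert):
    """'OV' if O= is present, 'DV' if C=, O= and OU= are all absent, else 'unclear'."""
    names = {name for name, _ in subject_attrs(cert)}
    if "organizationName" in names:
        return "OV"
    if not names.intersection(ORG_FIELDS):
        return "DV"
    return "unclear"

def _add_months(moment, months):
    """Calendar-month addition, clamping the day (31 Jan + 1 month -> 28/29 Feb)."""
    index = moment.month - 1 + months
    year, month, day = moment.year + index // 12, index % 12 + 1, moment.day
    while True:
        try:
            return moment.replace(year=year, month=month, day=day)
        except ValueError:
            day -= 1

def _when(text):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def escience_findings(cert):
    """List the ways a certificate breaks the e-science limits named in this FAQ."""
    findings = [f"{name} is not 7-bit ASCII: {value!r}"
                for name, value in subject_attrs(cert) if not value.isascii()]
    start, end = _when(cert["notBefore"]), _when(cert["notAfter"])
    if end > _add_months(start, 13):  # assumption: 13 calendar months
        findings.append("validity period exceeds 13 months")
    return findings

# Constructed samples: a DV e-science style certificate and a 3-year OV certificate.
DV_ESCIENCE = {"subject": ((("commonName", "grid01.example.org"),),),
               "notBefore": "Feb  1 00:00:00 2013 GMT",
               "notAfter": "Mar  1 00:00:00 2014 GMT"}
OV_3Y = {"subject": ((("countryName", "DE"),),
                     (("organizationName", "Universität Beispiel"),),
                     (("commonName", "www.example.org"),)),
         "notBefore": "Feb  1 00:00:00 2013 GMT",
         "notAfter": "Jan 31 23:59:59 2016 GMT"}
```

The single-end-entity restriction cannot be verified from the certificate fields alone and is not covered here.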


How do I obtain TCS certificates?

TCS certificates are only available through participating NRENs or their authorised agents (e.g. universities). Application procedures and prices are usually outlined on the individual NREN websites.

Please note that personal, e-science personal and/or code-signing certificates may not be available in all countries as this is dependent on which TCS services an NREN has subscribed to.


Can TCS certificates be used to conduct monetary transactions?

In accordance with a revised agreement between TERENA and Comodo, TCS certificates may be used to conduct monetary transactions from 1 July 2012. This includes secure credit and debit card payments.


What are EV certificates and are they offered by TCS?

Extended Validation (EV) certificates are a special type of server certificate that requires a more thorough vetting process than for other types of certificate, and can be used to secure online financial transactions. EV certificates are not available directly through TCS. Currently Comodo is offering them free of charge, although they must be ordered directly by TCS customers through the Comodo website and supporting documentation must be submitted. These certificates have a validity period of up to 2 years.


How long is the TCS agreement with Comodo for?

The original TCS agreement with Comodo ran from 1 July 2009 until 30 June 2012. This was extended until 30 June 2013. In December 2012 TERENA and Comodo signed a new agreement for a further renewal, effectively prolonging the TCS contract until July 2014. After 2014, a further and final one-year renewal could be possible. The full validity of all certificates issued during the contract period will be honoured by Comodo, even if the TCS agreement is terminated.