TCS FAQ - Member Questions

How can NRENs join TCS?

NRENs must be National Members of TERENA, and represent one of the following countries:

Albania, Algeria, Andorra, Armenia, Austria, Azerbaijan, Bahrain, Belarus, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Iran, Iraq, Ireland, Israel, Italy, Jordan, Kazakhstan, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Liechtenstein, Lithuania, Luxembourg, Macedonia (Former Yugoslav Republic of), Malta, Moldova, Monaco, Montenegro, Morocco, Netherlands, Norway, Oman, Palestine, Poland, Portugal, Qatar, Romania, Russia, San Marino, Saudi Arabia, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Syria, Tajikistan, Tunisia, Turkey, Turkmenistan, Ukraine, United Arab Emirates, United Kingdom, Uzbekistan, Vatican City, Yemen.

The annual fees to be paid by an NREN for each of these service components depend on the TERENA membership category of the NREN, which is broadly based on the Gross National Income of the country.
The full fee structure is available upon application.

TCS members must sign a contract with TERENA for the certificate services they require, and pay the applicable fee(s). They will then be sent their TCS account login details by encrypted e-mail, which will allow them to delegate administrators, and start processing certificates.

More information is available from Licia Florio.

Who may be issued with TCS certificates?

The general requirement is that TCS certificates are only issued to organisations that are part of the research and education community of a country served by a participating NREN. These organisations are known as 'Subscribers'.

What actually constitutes the research and education community differs from country to country, though. Participating NRENs are responsible for defining the eligible organisations, and establishing an appropriate Subscriber Agreement with them. There is a template Subscriber Agreement in the TCS Repository that may be translated and modified to suit local requirements.

TCS Personal and e-Science Personal certificates may only be issued to staff and students associated with a Subscriber organisation. It is expected that registration and verification functions will normally be delegated to the Subscriber organisation.

NRENs remain responsible at all times for ensuring proper verification procedures are in place for Subscriber organisations and their users. Audits may be undertaken to ensure compliance with the general TCS requirements.

How can NRENs manage their certificate services?

Comodo offer a web-based management interface that NRENs can use to issue TCS certificates (except eScience Personal). This can also be used to allocate administrative rights to members of staff, check the status of issued certificates, and revoke certificates if necessary. It is, however, primarily targeted at NRENs that handle small numbers of certificates and do not want the overhead of running their own management systems.

Comodo also offer an Application Programming Interface (API) that is accessed via HTTPS, and which allows certificates to be issued, listed and revoked from remote applications. Specific requests are sent as POST parameters, and responses are returned as URL-encoded plain text, thus allowing NRENs to build their own TCS management systems.

Two different management applications have been developed within the TERENA community - Djangora for server and code-signing certificates, and Confusa for personal certificates. These have been designed with TCS requirements in mind, but are open source and may be customised as necessary.

It is also possible for NRENs to share management systems, as with the TCS Web Portal.

What is Djangora?

Djangora is an open source application developed by SUNET and Linköping University for handling TCS Server, TCS e-Science Server and TCS Code-signing certificates. It is a Python-based application with a MySQL database backend and customisable web interface that runs under Linux (Ubuntu and Fedora have been tested). It is currently used by a number of NRENs to provision their services, as it is designed to handle large numbers of certificates and can be localised as required.

The name Djangora is a portmanteau of 'Django', the web application framework used by the application, and 'Registration Authority'.

More information is available from Kent Engström. There is also a mailing list '' for support issues.

What is Confusa?

Confusa is an open source application developed by UNINETT and the Nordic DataGrid Federation for handling personal certificates. This is a PHP-based application with a customisable web interface that runs under Linux. It utilises identity provider (IdP) services, which publish electronic identity information about users, in order to undertake verification before issuing certificates. As IdP services are commonly hosted by organisations participating in established identity federations, this means that NRENs can delegate verification to these organisations, which significantly reduces the amount of effort needed to manage the demand of thousands of users. This application supports both TCS Personal and TCS e-Science Personal certificates.

The name Confusa comes from a flowering plant (Luzula confusa) that grows in Arctic regions.

More information is available from Henrik Austad. There is also a mailing list '' for support issues.

What is the TCS Web Portal?

The TCS Web Portal handles the personal certificate services of several NRENs. It is based on Confusa and hosted on resilient servers, thus allowing the NRENs to share running costs.

It is run on behalf of TERENA by Tilburg University and currently serves ACONET, BELNET, CSC, GARR, HEAnet, IUCC, Renater, SURFnet, SUNET, UNI-C and UNINETT (although not all of them offer both regular and e-Science personal certificates).

Other NRENs that are subscribed to the TCS Personal certificate service may join the portal; they will need to operate at least one IdP for user verification. The annual fee to be paid by an NREN for being served by the portal depends on the TERENA membership category of the NREN, which is broadly based on the Gross National Income of the country.

The portal itself can be found at:

What happened to SCS?

The former TERENA Server Certificate Service (SCS), which provided SSL server certificates through an agreement with GlobalSign NV, stopped issuing certificates on 9 January 2010.