Implementation of a new policy in the protection of the private key in Code Signing certificates

According to CA/B Forum Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates and HARICA’s Certificate Policy and Certification Practices Statement for the Hellenic Academic and Research Institutions Public Key Infrastructure (CP/CPS), starting June 1, 2023, it will be mandatory for Code Signing Certificates to have their private keys stored in hardware devices such as tokens or Hardware Security Modules (HSMs) with at least security standard of FIPS 140-2 level 2 or Common Criteria EAL 4, following the existing requirements for Extended Validation Code Signing Certificates.

This new policy optimizes the protection of private keys and upgrades the security of Code Signing Certificates.

What are the policy changes for Code Signing certificates?

Starting June 1, 2023, HARICA will exclusively issue Code Signing Certificates to hardware devices (tokens).

If subscribers prefer to use their own device, this must meet the minimum security standards of FIPS 140-2 level or Common Criteria EAL 4+.

To request for a new Code Signing Certificate, subscribers can submit their requests through our portal cm.harica.gr. Once the certificate is issued, if needed, we will send a token to the subscriber’s preferred address via courier.

We would like to emphasize that HARICA maintains consistent pricing for Code Signing Certificates. This means that the cost of acquiring a Code Signing Certificate and the hardware device remains unchanged.

What will happen to Code Signing Certificates issued prior to June 1, 2023?

Code Signing Certificates issued prior to June 1, 2023, will remain valid until their expiration date. Subscribers of these certificates do not need to take any action. The changes introduced only to Code Signing Certificates that will be issued on or after June 1, 2023.

How will HARICA’s Code Signing Certificates be renewed after June 1, 2023?

Code Signing Certificates that have been purchased in the years 2022 and 2023 for more than three (3) years and their renewal occurs after June 1, 2023, HARICA will provide the necessary token at no additional cost to the subscribers.

Do you have additional questions or concerns?

If you have questions or need more information, please contact the HARICA support at support@harica.gr.

HARICA achievements

Sky is the limit

All of us involved in HARICA’s activities as a “Qualified Trust Service Provider (QTSP)” share a common philosophy that can be summed up in the words of Henry Ford: “If everyone moves forward in sync, then success comes naturally”.

A few years ago, we decided to expand our activities beyond the Academic and Research boundaries. Since then, our projects have exceeded our initial expectations and we feel deeply honored to be trusted by high-profile leading organizations, institutions, public and private, in Greece, in Europe and in the rest of the world.

The e-platform gov.gr of the Ministry of Digital Governance issues millions of digital documents, including Covid Vaccination Certificates, e-declarations and authorizations with HARICA’s e-Seal as well as the Central Electronic Document Management System (mindigital-shde.gr) issuing Remote Qualified Electronic Signatures for Public Administration to civil servants for signing legally binding documents as defined in the eIDAS regulation. The e-platform diavgeia.gov.gr uses HARICA certificates to formally announce governmental and administrative decisions and resolutions. The e-National Social Security Fund (e-Efka) uses HARICA’s e-Seal and Server Certificates. EYATH, (Thessaloniki Water Supply and Sewerage Company) trusted us for the Qualified eSignatures and the Email Certificates (S/MIME) of its employees.

The Council of State, Administrative Regions of Greece, the Ministry of Labour of Cyprus, Municipalities, Professional Chambers, the Supreme Attorneys Associations, Notary Associations as well as European Organizations such as EU Agency for the Cooperation of Energy Regulators (ACER), CEDEFOP and private companies such as BETA CAE, KLEEMANN and SPACE HELLAS are a few of HARICA’s high-profile Subscribers that have entrusted us for adding security to their digital services.

Big Social and News networks such as Facebook use HARICA’s wildcard certificates, providing encrypted communications and data security to billions of their users.

In the demanding field of electronic payments, we issue PSD2 digital certificates in accordance with the European Payment Services Directive 2 (PSD2) and Regulation 910/2014 (eIDAS), providing the highest level of security. This is why banking institutions such as ALPHA BANK, OPTIMA BANK and Third-party Payment Provider (TPP) companies such as CARDLINK, MIA PAGO Ltd, Perlas Finance, and Money Capp trust HARICA to secure their electronic transactions.

Our accomplishments do not make us complacent, they motivate us to continue our efforts with even more enthusiasm, but also with more knowledge and experience to improve and expand HARICA’s trusted services, because for us “only sky is the limit”.

Thank you!

HARICA introduces new 2021 hierarchy for SSL/TLS Certificates

We are pleased to announce that on the 1st of June 2022, HARICA will switch the issuance of SSL/TLS certificates to its 2021 Root TLS Certification Authorities.

Both HARICA TLS RSA Root CA 2021 and HARICA TLS ECC Root CA 2021 are already pre-installed on Windows operating systems as well on macOS 12 providing the necessary trust anchor for Google Chrome, Microsoft Edge and other popular Internet Browsers. In addition, Mozilla Firefox has updated its Certificate Store with HARICA’s new RootsCAs.

For older operating systems and browsers, HARICA issued two additional cross-certificates to chain the 2021 hierarchy with the older 2015 one for increased ubiquity.

Both HARICA TLS Root 2021 ECC and RSA cross-certificates can be used by our subscribers in their certificate chain files to cover the majority of browsers regardless of their version.

Remote Qualified Electronic Signature with 50% discount

UPDATE

Following the high demand for eSignatures, HARICA decided to extend the discount period till the end of February 2022.

Why use a Qualified Electronic Signature?

Use the electronic signature to digitally sign documents (PDF) and ensure the authenticity and integrity of their content. Since legally binding (cross-border in the European Union) you can use the electronic signature in:

• Contracts (sales, employment, lease, insurance, etc.)
• Transactions (e-commerce, online banking, tenders, etc.)
• Administrative procedures (requests to public sectors, etc.)

Offer information

The offer is valid from 1/12/2021 until 31/01/2022 and is addressed to professionals, e.g. engineers, lawyers, notaries, etc. The offer is about the purchase of a Remote Qualified Electronic Signature with 1-4 years validity period.

Get the offer

The interested party must contact support@harica.gr stating his/her business details. Then, he/she will receive a 50% discount coupon, which he/she can use when completing the order.

PSD2 Certificates for the FinTech industry

A solution for Financial Institutions and Payment Service Providers

Are you a Financial Institution? Is your business dealing with electronic payment and open banking? Are you looking for security, privacy, and reliability for your electronic services across EU borders?

According to the EU directive 2015/2366 (PSD2), you need a Qualified Web Authentication Certificate (QWAC) and/or Qualified Electronic Seal Certificate (QSealC).

PSD2 at a glance

Payment Service Directive 2 (PSD2) is the second revised directive of an existing Payment Service Directive from 2007. The Regulatory Technical Standards (RTS) of PSD2 requires strong customer authentication using common and secure open standards of communication between all parties involved, to support Open Banking.

As from September of 2019 all EU financial institutions ensure that Payment Service Providers (PSPs) or Third-Party Providers (TPPs) can access their customer account data by using secure website certificates (QWAC).

All regulated entities that use APIs in order to provide account information services and/or to initiate payments, must be registered to a National Competent Authority (NCA) and need a Qualified Website (QWAC) and/or Qualified Seal (QSeal) Certificate to access the financial institution’s account data.

HARICA’s PSD2 Qualified Certificates

HARICA is a public Qualified Trust Service Provider (QTSP) per Regulation (EU) 910/2014 (eIDAS) and issues Qualified Certificates (QWACs and QSealCs) as specified in the PSD2 Regulatory Technical Standards (RTS):

• SSL QWAC-PSD2 (Qualified Web Authentication Certificate - PSD2):
  • SSL/TLS Server Certificate that includes one or more FQDNs,
  • official identity information of the Legal Entity that owns/controls the domain(s)
• eSeal - PSD2 (Qualified Certificate for Electronic Seals – PSD2):
  • Electronic Seal Certificate that includes information of the associated organization
  • official identity information for the Legal Entity

Get your QWAC-PSD2 starting at 400€ per year

and/or QSealC-PSD2 starting at 450€ per year

Need more information about our services?

Send us your request at support@harica.gr or use our contact form at https://www.harica.gr/en/Contact/GetHarica !

DV certificates for Onion websites

UPDATE

Following the high demand for onion certificates, HARICA decided to extend the discount period till the end of August 2021.

Great news for Onion fans!

We are excited to announce that HARICA has started issuing Domain Validated (DV) certificates for v3 Onion websites.

HARICA is a Publicly Trusted Certification Authority (CA) that participates in all major Global “ROOT CA” Trust Programs (360, Adobe, Apple, Microsoft, Mozilla, Oracle), and operates as a “Trust Anchor” in widely used Application Software and Operating Systems (Adobe, Apple, Google, Microsoft, Mozilla, Linux).

Following this announcement, we offer a discount to all HARICA’s DV Certificates, which includes “onion”, “wildcard onion”, and other types of publicly trusted DV TLS Certificates, starting at 4.5€ per year till the end of June 2021 [EXTENDED to August 2021].

Get yours now at HARICA’s CertManager!

How to purchase your own DV certificate?

• Create a HARICA account at HARICA’s CertManager.
• Under the Certificates section on the left, choose Server Certificates and make a new request for your domain.
• You have the Option to auto-generate your TLS CSR locally or manually submit one you have already prepared. Both RSA and ECDSA keys are supported.
• To validate your Domain Name you have three (3) “general purpose” validation options:
  1. Select a pre-defined email address of your domain to receive a confirmation email.
  2. Upload a text file, provided by HARICA, to a specific location on your web server.
     • For v3 Onion domains only this “general purpose” validation option is allowed. There is also a special option available which uses the Tor hidden service ed25519 key to generate a special “Onion CSR” to prove you control the v3 Onion domain namespace, which allows you to obtain a wildcard Onion certificate *.<hidden service>.onion. This is currently the only secure option allowed to obtain a wildcard Onion certificate and HARICA has built and publicly disclosed the necessary code to support this method!
  3. Add a DNS TXT record, provided by HARICA, to the selected authorization domain.
• After the successful payment of your order, you can retrieve your certificate.

What is an “Onion Service”?

Onion services are anonymous network services that are accessed via the Tor Browser and the underlying Tor (a.k.a. “Onion”) network. Clients use Onion services via Onion domains that are only resolvable inside the Tor network. In contrast to conventional Internet services, Onion services are private and end-to-end encrypted, generally not indexed by search engines, and use self-certifying domain names that are long and difficult for humans to read. That is, you can offer a web server, SSH server, etc., without revealing the real IP address to its users.

Why would an Onion website need a TLS certificate?

There is a list of reasons as to why an Onion website would need a TLS certificate:

• Mixing HTTP and HTTPS creates complex setups for websites.
• To help the user verify that the Onion domain is indeed the site you are hosting (manual check at the certificate registration information).
• Some services work with protocols, frameworks, and other infrastructure that have HTTPS connection as a requirement.
• In case your web server and your Tor process are in different machines.

Our Success Story

Several years ago, an idea was born for an innovative (at the time) project based on the need for increased protection/security measures to encrypt communications over insecure networks, such as the Internet.

A team of Information and Communication Engineers from various Greek Universities and Research Centers collaborated and created a Public Key Infrastructure (PKI) that served and covered the security needs of the Academic and Research Institutions of Greece for SSL/TLS server and S/MIME certificates.

The project was successful and in the process our services were enriched, covering the growing needs of the Academic and Research Institutions. But we did not stop there. We wanted to offer our services outside the Academic/Research community.

Thus, we created the Certification Authority of the Hellenic Academic and Research Institutions (HARICA), which was initially supported by the National Research and Technology Network (GRnet) and then funded by the non-profit, civil company, Greek Universities Network (GUnet).

We started off by joining the Mozilla Root CA Program, which, even today, is the most strict and best supervised Global Certification Authority trust program, and gradually joined other major public trust programs.

After almost 15 years, HARICA is a Globally “Trusted Third Party” entity that simultaneously participates in all major Global “ROOT CA” Trust Programs (360, Adobe, Apple, Microsoft, Mozilla, Oracle) and operates as a “Trust Anchor” in International Software Companies and Operating Systems (Adobe, Apple, Google, Microsoft, Mozilla, Linux, Oracle Java).

Today HARICA’s services cover the full range of digital certificate needs and timestamps:

• from the basic security level on SSL / TLS servers for individuals, businesses, and organizations
• to the maximum level of security indication of large organizations (SSL EV, SSL QWAC, SSL QWAC-PSD2) fully meeting the requirements of Regulation (EU) 910/2014 (eIDAS) and Directive (EU) 2015/2366 on Payment Services (PSD2).

We provide products and services to individuals, companies and organizations:

• S/MIME, certificates for digital signing and encrypting emails,
• Code Signing, certificates used for digital software signing,
• E-Signature, “Qualified” Electronic Signatures which replace the handwritten signatures, as well as “Advanced” Electronic Signatures and
• E-Seal, electronic seals for Legal Entities, which, like its handwritten counterpart in the offline world, an electronic seal is a legal concept capturing the signatory’s intent to be bound by the terms of the signed document.

And we continue with the same enthusiasm, more structured and more experienced, improving and enriching our services offering the maximum security to our digital world.