
Interim workflow for personal certificates

This page describes the current (interim) process to get a personal certificate to sign documents and sign/decrypt emails.

This service uses the GÉANT TCS project which itself uses the services of Sectigo.

Don’t skip this!

Even if you decide to complete this task without reading through these instructions, make sure to follow this particular advice.

Request a new certificate

The SCC ticket system offers a ticket template (“Musterticket”) named “Zertifikat: Neues Personenzertifikat erstellen / Request new personal certificate”. Use it to request a new personal certificate. Please fill in all requested fields.

Please wait until you get an email from Sectigo (the current sender is Sectigo Certificate Manager <support@cert-manager.com>).

It looks like this:

Validate yourself (sometimes necessary)

System Requirements

To work reliably, this process requires a desktop operating system with a modern web browser that can execute JavaScript without restrictions.

Warning

The link from Sectigo may only be used once. Make sure to only open it on the device where you actually plan to create and save your new certificate.

The link in this mail may lead to a page that asks you to verify and enter your email address. Skip this paragraph if this does not apply to you:

If this happens, make sure to enter the exact email address that the initial email was sent to:

Entering the correct address will generate a second email like the first one:

Open the certificate request form

Open the link in the latest email from Sectigo. You will land on a webpage similar to this:

Request a certificate

Please keep all settings as shown on the screenshot above (most settings are readonly or have no effect on the final certificate). Accept the EULA (only available in English) and press Submit.

Your new certificate will now be generated.

Do not interrupt!

Please wait patiently for the next page to load. This may take up to ten minutes. Unfortunately there is no progress indicator or other “signs of life”. Please do not close or reload the page. Both will abort the application process and force you to start all over from the beginning.

You have to start over if you encounter any errors in this step. If the issue persists, please contact us via e-mail.

Download the issued certificate

You will be redirected to this page after your certificate was successfully created:

Extremely important

The default setting of Secure AES256-SHA256 creates lots of problems on most platforms including Windows, macOS and iOS. Make sure to change it to Compatible TripleDES-SHA1.

Click here for a guide to repair an unusable certificate (currently only available in German).

Change Secure AES256-SHA256:

to Compatible TripleDES-SHA1:

Choose a secure password (you may use this tool to generate a proper password) to encrypt your new key and certificate. Press Download. This starts a download with your new certificate.

You may close this page after verifying that your new certificate has been downloaded successfully.

Install the issued certificate

The resulting PKCS12 file can usually be imported by double-clicking (Windows, macOS) or simply importing it in the application’s settings dialog (Thunderbird).

Create a Backup

Back up your certificate/key file and the corresponding password. We strongly urge you to do it now; postponing usually results in never making backups at all.

You will need every key/certificate pair (usually the .p12 file) for which you have ever received encrypted emails until you quit working at KIT.

Secure both the certificate file and the password in a way that you can still safely find and read them in the far future. For security reasons, it is advisable to store both separately from each other.
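
One way to confirm that a backup copy is usable before filing it away, as an added example that is not part of the original instructions: the script checks that the stored password opens the .p12 file, reports which of the two encryption settings from the download step it uses, and prints the certificate's subject and expiry date. It assumes the OpenSSL command-line tool is installed; the function names and the mapping of OpenSSL's algorithm names to the two settings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original instructions).
# Usage: sh p12check.sh FILE PASS_SOURCE
# PASS_SOURCE is an OpenSSL pass phrase source, e.g. file:/path/to/pw or env:P12_PASS.

# Report the encryption profile of a PKCS#12 file. The mapping of OpenSSL's
# algorithm names to the two download settings is an assumption of this example.
p12_profile() {
    info=$(openssl pkcs12 -in "$1" -passin "$2" -info -noout 2>&1) || return 1
    case "$info" in
        *pbeWithSHA1And3-KeyTripleDES-CBC*) echo compatible ;;  # TripleDES-SHA1
        *PBES2*AES-256-CBC*)                echo secure ;;      # AES256-SHA256
        *)                                  echo unknown ;;
    esac
}

# Print subject and expiry date of the personal certificate inside the file.
p12_cert_info() {
    openssl pkcs12 -in "$1" -passin "$2" -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# Full check: fails if the stored password does not open the file.
p12_check() {
    profile=$(p12_profile "$1" "$2") || {
        echo "cannot open $1: wrong password or damaged file" >&2
        return 1
    }
    echo "encryption profile: $profile"
    p12_cert_info "$1" "$2"
}

# Constructed sample data for trying the check offline: a throwaway
# self-signed certificate exported once per profile into directory $1.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Sample User" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" -passout "$2" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$1/compat.p12" &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" -passout "$2" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -out "$1/secure.p12"
}

if [ "$#" -eq 2 ]; then p12_check "$1" "$2"; fi
```

Run the check against the backup copy itself, not the original download, so that a damaged copy or a mistyped password record is noticed while the original is still available.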

🚧 Work in Progress

Unfortunately, this section is still somewhat rudimentary & incomplete.

E-Mail Client Configuration