Interim workflow for personal certificates
This page describes the current (interim) process to get a personal certificate to sign documents and sign/decrypt emails.
This service uses the GÉANT TCS project which itself uses the services of Sectigo.
Request a new certificate
No certificate issuance possible
Sectigo, the operator of the certification authority that issues our certificates, removed access for us on January 10, 2025. No certificates can be requested at the moment as integration of the new operator takes longer than expected. If you are here because you received a certificate expiration notification, please make sure that you do not have another certificate that has a longer validity. Otherwise, please check back a few days before your certificate expires. We ask for your understanding and are sorry for any inconvenience caused.
Log in to the CA-Portal with the account owning the email addresses you want a certificate for. Use the private mode of your browser if you are already logged in with another account.
Choose Certificate Type
Personal certificates are bound to an individual person and are only issued for the email addresses of the corresponding KIT account. Before applying, according to policy, you must identify yourself in person. An identification is currently valid for ten years. Personal certificates can be recognized by the fact that the “Certificate Name” (correctly: Common Name) includes the natural name of the owner.
Functional/group certificates are functionally equivalent to personal certificates. They are not bound to an individual person, but may be shared with all users of the associated email mailboxes. Functional certificates contain only the associated email addresses and no “Certificate Name” (Common Name). You can also use a functional certificate for personal email addresses instead of personal certificates. In this case, identification is not necessary.
Mailing lists
Functional certificates cannot be issued for mailing lists (@lists.kit.edu and @listserv.dfn.de) with the current process from Sectigo, as the challenge for this would be sent directly to the list members. If you need such a certificate please email us at ca@kit.edu to coordinate the process.
Choose Request for the desired certificate type:
Personal Certificate
If you do not have a valid identification, you cannot apply for a personal certificate:
Choose one of the described options.
If you have valid identification, you can select which email addresses should be added to the certificate:
Now, all data added to the certificate is displayed for proofreading. Choose Submit if everything
is correct:
Follow the instructions in the browser.
Functional Certificate
Enter all email addresses that should be added to the certificate. Pay attention to the hints given in the portal!
Now, all data that will be added to the certificate is displayed for proofreading. Choose Submit if everything
is correct:
Create a Backup
Backup your certificate/key file and the corresponding password. We strongly urge you to do it now, postponing usually results in never making backups at all.
You will need every key/certificate pair (usually the .p12 file) for which you have ever received encrypted emails until
you quit working at KIT.
Secure both the certificate file and the password in a way that you can still safely find and read them in the far future. For security reasons, it is advisable to store both separately from each other.
Work in Progress
Unfortunately, this section is still somewhat rudimentary & incomplete.
Install the issued certificate
The PKCS12 file you just downloaded can usually be imported by double-clicking (Windows, macOS) or simply importing it in the application’s settings dialog (Thunderbird).
Note to Windows user: During import, set the option Mark key as exportable. This allows you to copy the certificate and private key from this computer to the new device when switching computers:
