Interim workflow for personal certificates

This page describes the current (interim) process to get a personal certificate to sign documents and sign/decrypt emails.

This service uses the GÉANT TCS project which itself uses the services of Sectigo.

Request a new certificate

Log in to the CA-Portal with the account owning the email addresses you want a certificate for. Use the private mode of your browser if you are already logged in with another account.

Choose Certificate Type

Personal certificates are bound to an individual person and are only issued for the email addresses of the corresponding KIT account. Before applying, according to policy, you must identify yourself in person. An identification is currently valid for ten years. Personal certificates can be recognized by the fact that the “Certificate Name” (correctly: Common Name) includes the natural name of the owner.

Functional/group certificates are functionally equivalent to personal certificates. They are not bound to an individual person, but may be shared with all users of the associated email mailboxes. Functional certificates contain only the associated email addresses and no “Certificate Name” (Common Name). You can also use a functional certificate for personal email addresses instead of personal certificates. In this case, identification is not necessary.

Mailing lists

Functional certificates cannot be issued for mailing lists (@lists.kit.edu and @listserv.dfn.de) with the current process from Sectigo, as the challenge for this would be sent directly to the list members. If you need such a certificate please email us at ca@kit.edu to coordinate the process.

Choose Request for the desired certificate type:

Personal Certificate

If you do not have a valid identification, you cannot apply for a personal certificate:

Choose one of the described options.

If you have valid identification, you can select which email addresses should be added to the certificate:

Now, all data added to the certificate is displayed for proofreading. Choose Submit if everything is correct:

Follow the instructions in the browser.

Functional Certificate

Enter all email addresses that should be added to the certificate. Pay attention to the hints given in the portal!

Now, all data that will be added to the certificate is displayed for proofreading. Choose Submit if everything is correct:

Navigate the certificate generation process by Sectigo

Please wait until you get an email from Sectigo (the current sender is Sectigo Certificate Manager <support@cert-manager.com>).

Note for applicants who do not have access to the function mailboxes

This email is only sent to the email addresses from the application. If you - for example as an IT officer - apply for a functional certificate and don’t have access to the relevant mailboxes, you will no longer be able to manage the process from this point on. You can either leave the rest of the process to the users of the functional mailbox or ask them to forward the e-mail from Sectigo to you and not to click on any links.

It looks like this:

Validate yourself (sometimes necessary)

System Requirements

To work reliably, this process requires a desktop operating system with a modern web browser that can execute Javascript without restrictions.

Warning

The link from sectigo may only be used once. Make sure to only open it on the device where you actually plan to create and save your new certificate.

The link in this mail may lead to a page that ask you to verify and enter your email address. Skip this paragraph it this does not apply to you:

If this happens make sure to enter the exact email address that the initial email was sent to:

Entering the correct address will generate a second email like the first one:

Open the certificate request form

Open the link in the latest email from Sectigo. You will land on a webpage similar to this:

Request a certificate

Please keep all settings as shown on the screenshot above (most settings are readonly or have no effect on the final certificate). Accept the EULA (only available in English) and press Submit.

Your web browser will now generate a new private key and ask Sectigo to generate a new matching certificate. Both will be downloaded in the next step.

Do not interrupt!

Please wait patiently for the next page to load. This may take up to ten minutes. Unfortunately there is no progress indicator or other “signs of life”. Please do not close or reload the page. Both will abort the application process force you to start all over from the beginning.

Encountering any problems in this step usually results in a loss of the private key for your new certificate, which renders it unusable. You must then start the process from the beginning. If the issue persists, please email us at ca@kit.edu.

Download the issued certificate

You will be redirected to this page after your certificate was successfully created:

do not change key protection algorithm (as before Sep 2024)

Prior to 14. September 2024, this document instructed its readers to change the key protection algorithm setting during export. After the changes made by Sectigo on 14. September 2024, almost all operating systems and mail user agents work with the Secure AES256-SHA256. iOS < 18 cannot import Secure AES256-SHA256, please use Compatible TripleDES-SHA1 or upgrade to iOS 18. macOS versions < 15 lead to the error message “Password incorrect” with both key variants available during download, even if the password was entered correctly. In this case, please upgrade to macOS 15 or follow these instructions.

The old repair guide can still be found here if needed.

Choose a secure password (use may use this tool to generate a proper password) to encrypt your new key and certificate. Press Download. This starts a download with your new certificate and private key (PKCS12 format, usually ends in .p12 or .pfx).

Warning

You may close this page after verifying that your new certificate has been downloaded successfully. The certificate’s private key exists only in the PKCS12 file that you just downloaded. If you can not locate the file, the private key is lost forever and you can not use the certificate. In that case, you have to start again from the beginning.

Create a Backup

Backup your certificate/key file and the corresponding password. We strongly urge you to do it now, postponing usually results in never making backups at all.

You will need every key/certificate pair (usually the .p12 file) for which you have ever received encrypted emails until you quit working at KIT.

Secure both the certificate file and the password in a way that you can still safely find and read them in the far future. For security reasons, it is advisable to store both separately from each other.

Work in Progress

Unfortunately, this section is still somewhat rudimentary & incomplete.

Install the issued certificate

The PKCS12 file you just downloaded can usually be imported by double-clicking (Windows, macOS) or simply importing it in the application’s settings dialog (Thunderbird).

Note to Windows user: During import, set the option Mark key as exportable. This allows you to copy the certificate and private key from this computer to the new device when switching computers:

E-Mail Client Configuration

• Outlook in Windows
• macOS & Apple Mail
• Thunderbird (links to guide from Univcersity of Heidelberg, german only)