Workflow for Requesting a Certificate
This page describes the current process to request a personal or functional certificate usable for signing and encrypting emails.
This service uses the GÉANT TCS project which itself uses the services of HARICA.
Request a new certificate
Log in to the CA-Portal with the account owning the email addresses you want a certificate for. Use the private mode of your browser if you are already logged in with another account.
Choose Certificate Type
Personal certificates are bound to an individual person and are only issued for the email addresses of the corresponding KIT account. Before applying, according to policy, you must identify yourself in person. An identification is currently valid for ten years. Personal certificates can be recognized by the fact that the “Certificate Name” (correctly: Common Name) includes the natural name of the owner. If personal identification is not possible for you, a personal certificate without identification can be issued. A personal certificate without identification does not contain the personal name of the owner.
Functional certificates are functionally equivalent to personal certificates without identification. They are not bound to an individual person, but may be shared with all users of the associated email mailboxes.
Choose Request for the desired certificate type:
Select either “Personal Certificate with Identification” or “Personal Certificate without Identification”. The differences are explained directly in the description text and in this documentation under Choose Certificate Type. If you choose the former and do not have a valid identification, an error will appear; in this case you must first identify yourself at the SCC Service Desk (at KIT Campus South or North, Karlsruhe) or with the person responsible for identifications (if you are at a branch office of KIT). If you have a valid identification or selected “Personal Certificate without Identification”, you can now choose which email addresses should be included in the certificate:
Now, all data added to the certificate is displayed for proofreading. Choose Submit if everything is correct:
Wait until you are redirected to the next step and then follow Download.
Functional Certificate
To request a new certificate, select “Request” and follow the Request section. If you would like to collect a certificate that we have already issued, select “Collect” and follow the Collect section.
Request
Enter all email addresses that should be added to the certificate. Pay attention to the hints given in the portal!
Now, all data that will be added to the certificate is displayed for proofreading. Choose Submit if everything is correct:
Now download the private key and confirm that you will be able to retrieve it later and that you have memorized the password.
After clicking on Submit again, you’ll have to wait until we have issued the certificate.
Collect
Once we have issued the certificate, you will receive an email.
You can collect the certificate using the .pem file attached to the email and the key saved during the request process (functional_mailbox_name_kit_edu.key).
Upload each file to the designated area either by drag-and-drop or by clicking on the area.
If the files match, you will be automatically redirected to the next step.
Download
First enter a password for your certificate file. If the password is valid, several file formats for download will appear. Each format describes its appropriate use case. Click on “Download” for the format that fits your use case and save the file in a suitable location.
Create a Backup
Back up your certificate/key file and the corresponding password. We strongly urge you to do it now; postponing it usually results in never making a backup at all.
You will need every key/certificate pair (usually the .p12 file) for which you have ever received encrypted emails until you quit working at KIT.
Secure both the certificate file and the password in a way that you can still safely find and read them in the far future. For security reasons, it is advisable to store both separately from each other.
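Two checks from the steps above can be done locally with the openssl command line: whether the saved .key really belongs to the issued .pem before you upload them, and whether a backed-up .p12 still opens with its password. This is an added example and not part of the portal's documentation; the file names, the throw-away test key and certificate, and the password are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not part of the portal documentation): local checks with the
# openssl CLI. All file names, the test key/certificate and the password are
# constructed stand-ins for the real .key, .pem and .p12 files.
set -eu
WORK=$(mktemp -d)          # scratch directory for the constructed files
trap 'rm -rf "$WORK"' EXIT

# Return 0 if the private key in $1 belongs to the certificate in $2
# (their public keys are identical), 1 if not, 2 if a file is unreadable.
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
  [ "$kpub" = "$cpub" ]
}

# Bundle key $1 and certificate $2 into the PKCS12 file $3 protected by
# password $4, then re-open the bundle with that password to prove the
# backup is usable. Returns non-zero if export or re-opening fails.
bundle_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" 2>/dev/null &&
    openssl pkcs12 -in "$3" -passin "pass:$4" -noout 2>/dev/null
}

# Constructed stand-in for an issued certificate and its saved key:
# a throw-away P-256 key and a self-signed certificate named after $1.
make_test_pair() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=$1" -days 1 \
    -out "$WORK/$1.pem" 2>/dev/null
}

make_test_pair mailbox    # the pair that belongs together
make_test_pair other      # an unrelated certificate, to show a mismatch

if key_matches_cert "$WORK/mailbox.key" "$WORK/mailbox.pem"; then
  echo "mailbox.key belongs to mailbox.pem"
fi
if ! key_matches_cert "$WORK/mailbox.key" "$WORK/other.pem"; then
  echo "mailbox.key does NOT belong to other.pem; do not upload this pair"
fi
bundle_pkcs12 "$WORK/mailbox.key" "$WORK/mailbox.pem" "$WORK/mailbox.p12" 'backup-password-placeholder' &&
  echo "mailbox.p12 written and re-opened with its password"
```

Run the same `bundle_pkcs12` re-open step against your real backup .p12 with the password from your backup to confirm that both are still usable.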
Work in Progress
Unfortunately, this section is still somewhat rudimentary and incomplete.
Install the issued certificate
The PKCS12 file you just downloaded can usually be imported by double-clicking (Windows, macOS) or simply importing it in the application’s settings dialog (Thunderbird).
Note for Windows users: During import, set the option Mark key as exportable. This allows you to copy the certificate and private key from this computer to the new device when switching computers: