Skip to content

Interim workflow for personal certificates

This page describes the current (interim) process to get a personal certificate to sign documents and sign/decrypt emails.

This service uses the GÉANT TCS project which itself uses the services of Sectigo.

Don’t skip this!

Even if you decide to complete this task without reading through these instructions, make sure to follow this particular advice.

Request a new certificate

Log in to the CA-Portal with the account owning the email addresses you want a certificate for. Use the private mode of your browser if you are already logged in with another account.

Choose Certificate Type

Personal certificates are bound to an individual person and are only issued for the email addresses of the corresponding KIT account. Before applying, according to policy, you must identify yourself in person. An identification is currently valid for ten years. Personal certificates can be recognized by the fact that the “Certificate Name” (correctly: Common Name) includes the natural name of the owner.

Functional/group certificates are functionally equivalent to personal certificates. They are not bound to an individual person, but may be shared with all users of the associated email mailboxes. Functional certificates contain only the associated email addresses and no “Certificate Name” (Common Name). You can also use a functional certificate for personal email addresses instead of personal certificates. In this case, identification is not necessary.

Mailing lists

Functional certificates cannot be issued for mailing lists ( and with the current process from Sectigo, as the challenge for this would be sent directly to the list members. If you need such a certificate please send us an email to coordinate the process.

Choose Request for the desired certificate type:

Personal Certificate

If you do not have a valid identification, you cannot apply for a personal certificate:

Choose one of the described options.

If you have valid identification, you can select which email addresses should be added to the certificate:

Now, all data added to the certificate is displayed for proofreading. Choose Submit if everything is correct:

Follow the instructions in the browser.

Functional Certificate

Enter all email addresses that should be added to the certificate. Pay attention to the hints given in the portal!

Now, all data that will be added to the certificate is displayed for proofreading. Choose Submit if everything is correct:

Please wait until you get an email from Sectigo (the current sender is Sectigo Certificate Manager <>).

It looks like this:

Validate yourself (sometimes necessary)

System Requirements

To work reliably, this process requires a desktop operating system with a modern web browser that can execute Javascript without restrictions.


The link from sectigo may only be used once. Make sure to only open it on the device where you actually plan to create and save your new certificate.

The link in this mail may lead to a page that ask you to verify and enter your email address. Skip this paragraph it this does not apply to you:

If this happens make sure to enter the exact email address that the initial email was sent to:

Entering the correct address will generate a second email like the first one:

Open the certificate request form

Open the link in the latest email from Sectigo. You will land on a webpage similar to this:

Request a certificate

Please keep all settings as shown on the screenshot above (most settings are readonly or have no effect on the final certificate). Accept the EULA (only available in English) and press Submit.

Your new certificate will now be generated.

Do not interrupt!

Please wait patiently for the next page to load. This may take up to ten minutes. Unfortunately there is no progress indicator or other “signs of life”. Please do not close or reload the page. Both will abort the application process force you to start all over from the beginning.

You have to start over if you encounter any errors in this step. If the issue persists, please contact us via e-mail.

Download the issued certificate

You will be redirected to this page after your certificate was successfully created:

Extremely important

The default setting of Secure AES256-SHA256 creates lots of problems on most platforms including Windows, macOS and iOS. Make sure to change it to Compatible TripleDES-SHA1.

Click here for a guide to repair an unusable certificate (currently only available in German).

Change Secure AES256-SHA256:

to Compatible TripleDES-SHA1:

Choose a secure password (use may use this tool to generate a proper password) to encrypt your new key and certificate. Press Download. This starts a download with your new certificate.

You may close this page after verifying that your new certificate has been downloaded successfully.

Install the issued certificate

The resulting PKCS12 can usually be imported by double-clicking (Windows, macOS) or simply importing it in the application’s settings dialog (Thunderbird).

Create a Backup

Backup your certificate/key file and the corresponding password. We strongly urge you to do it now, postponing usually results in never making backups at all.

You will need every key/certificate pair (usually the .p12 file) for which you have ever received encrypted emails until you quit working at KIT.

Secure both the certificate file and the password in a way that you can still safely find and read them in the far future. For security reasons, it is advisable to store both separately from each other.

🚧 Work in Progress

Unfortunately, this section is still somewhat rudimentary & incomplete.

E-Mail Client Configuration