Interim workflow for personal certificates

This page describes the current (interim) process to get a personal certificate to sign documents and sign/decrypt emails.

This service uses the GÉANT TCS project, which itself uses the services of Sectigo.

Request a new certificate

No certificate issuance possible

Sectigo, the operator of the certification authority that issues our certificates, removed our access on January 10, 2025. Therefore, no certificates can be requested until the new operator is properly integrated. This may take a few weeks; we ask for your understanding and apologize for any inconvenience caused.

Log in to the CA-Portal with the account owning the email addresses you want a certificate for. Use the private mode of your browser if you are already logged in with another account.

Choose Certificate Type

Personal certificates are bound to an individual person and are only issued for the email addresses of the corresponding KIT account. Before applying, according to policy, you must identify yourself in person. An identification is currently valid for ten years. Personal certificates can be recognized by the fact that the “Certificate Name” (correctly: Common Name) includes the natural name of the owner.

Functional/group certificates are functionally equivalent to personal certificates. They are not bound to an individual person, but may be shared with all users of the associated email mailboxes. Functional certificates contain only the associated email addresses and no “Certificate Name” (Common Name). You can also use a functional certificate for personal email addresses instead of personal certificates. In this case, identification is not necessary.

Mailing lists

Functional certificates cannot be issued for mailing lists (@lists.kit.edu and @listserv.dfn.de) with the current process from Sectigo, because the challenge would be sent directly to the list members. If you need such a certificate, please email us at ca@kit.edu to coordinate the process.

Choose Request for the desired certificate type:

Personal Certificate

If you do not have a valid identification, you cannot apply for a personal certificate:

Choose one of the described options.

If you have valid identification, you can select which email addresses should be added to the certificate:

Now, all data added to the certificate is displayed for proofreading. Choose Submit if everything is correct:

Follow the instructions in the browser.

Functional Certificate

Enter all email addresses that should be added to the certificate. Pay attention to the hints given in the portal!

Now, all data that will be added to the certificate is displayed for proofreading. Choose Submit if everything is correct:

Create a Backup

Back up your certificate/key file and the corresponding password. We strongly urge you to do it now; postponing usually results in never making a backup at all.

You will need every key/certificate pair (usually the .p12 file) for which you have ever received encrypted emails until you quit working at KIT.

Secure both the certificate file and the password in a way that you can still safely find and read them in the far future. For security reasons, it is advisable to store both separately from each other.
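One way to check a backup copy before relying on it, as an added example that is not part of the original instructions: the function confirms that the copy is byte-identical to the downloaded file, opens with the recorded password, and contains a private key matching the certificate. It assumes OpenSSL is installed and that the password is supplied in an environment variable named P12_PASS (a name chosen for this example).

```shell
#!/bin/sh
# Added example (not part of the KIT instructions): verify a .p12 backup copy.
# Assumption: the password is passed in the environment variable P12_PASS
# (a name chosen here), which keeps it out of the argument list.

# check_p12_backup ORIGINAL COPY
# Returns 0 only if COPY is byte-identical to ORIGINAL, opens with the
# recorded password, and holds a private key that matches its certificate.
check_p12_backup() {
    orig=$1
    copy=$2

    if [ ! -r "$orig" ] || [ ! -r "$copy" ]; then
        echo "cannot read original or backup file" >&2
        return 2
    fi

    # 1. The copy must be byte-for-byte identical to the downloaded file.
    if ! cmp -s "$orig" "$copy"; then
        echo "backup differs from original" >&2
        return 3
    fi

    # 2. The recorded password must open the backup (certificate only).
    if ! cert=$(openssl pkcs12 -in "$copy" -passin env:P12_PASS \
                  -nokeys -clcerts 2>/dev/null); then
        echo "wrong password or damaged file" >&2
        return 4
    fi

    # 3. The private key must be present and match the certificate. The key
    #    is only piped between processes and never written to disk.
    key_pub=$(openssl pkcs12 -in "$copy" -passin env:P12_PASS -nocerts -nodes \
                2>/dev/null | openssl pkey -pubout 2>/dev/null)
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "private key missing or not matching the certificate" >&2
        return 5
    fi

    # 4. Show what the backup covers: subject, email addresses, expiry date.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -email -enddate
}

# Usage: P12_PASS='...' sh check_backup.sh original.p12 backup.p12
if [ "$#" -eq 2 ]; then
    check_p12_backup "$1" "$2"
fi
```

Run it once right after copying the file to the backup medium, and again whenever the medium is replaced.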

🚧 Work in Progress

Unfortunately, this section is still somewhat rudimentary & incomplete.

Install the issued certificate

The PKCS12 file you just downloaded can usually be imported by double-clicking (Windows, macOS) or simply importing it in the application’s settings dialog (Thunderbird).

Note to Windows users: During import, set the option Mark key as exportable. This allows you to copy the certificate and private key from this computer to the new device when switching computers.

E-Mail Client Configuration