Issuing a Personal TCS Certificate

The process of issuing a Personal TCS Certificate is fully self-served. In order to access this service, the following criteria must be met:

  • your home organization must be a member of eduID.cz, acknowledged as an Identity Provider
  • your home organization must grant you the permission to request a Personal TCS Certificate

Supported web browsers

Internet Explorer, Firefox up to and including version 68, and Safari are supported. Chrome cannot be used to issue your personal certificate because Google decided to remove the browser's access to the keystore. The same applies to Firefox version 69 and higher.

The process of issuing a new Personal TCS Certificate

Choose Personal Certificate in the Application menu. You will be asked to sign in using your home organization's IdP. After successful login you will be presented with an overview of your certificate's parameters.

Page for requesting new personal TCS certificate

Double-check email addresses shown in the certificate preview and then continue by clicking on the button “Issue the certificate”.

If the list contains an address that is not owned by your organization (its domain name does not belong to your organization, e.g. gmail.com or yahoo.com), this address is left unchecked by default and a warning is shown. You can add such a “foreign” address back into the certificate, but you will be asked to prove that you own it. DigiCert will send a confirmation email to every “foreign” address and you will have to follow the link in that email to prove ownership (see the certificate request preview, the example of the email from DigiCert and DigiCert's validation page below).

Page for requesting new personal TCS certificate with “foreign” email address

Information page describing steps needed to validate your “foreign” email addresses

Example of the email from DigiCert requesting validation of the “foreign” email address

DigiCert web-page confirming successful validation of all the email addresses

Private key generation process in Firefox

The Microsoft Edge (Spartan) browser, usually the default browser in Windows 10, does not support the generation of private keys or certificate requests. Fortunately, in most cases the old Internet Explorer is still present in the system. Open the More menu (the button with three dots in the upper right corner of the window) and select the option Open with Internet Explorer.

Transfer to the Internet Explorer from the menu in Microsoft Edge

After sending the request (and, if needed, the verification of “foreign” email addresses), your browser will generate your new private key. The behaviour varies between browsers. For instance, Firefox simply shows a notification window for the duration of the key generation, while Internet Explorer notifies you that the web page wants to access the keystore and asks you for confirmation. You need to allow the access; otherwise the private key will not be created.

Allowing the access to keystore in Windows 10

The Certification Authority will usually sign your request within two minutes after it has been sent. Do not close the window before the certificate is issued and saved in your keystore. The application will notify you once the process is complete. Again, the installation process varies between browsers. Internet Explorer will not require any further action, but Firefox might ask you to confirm trust when installing the intermediate TERENA eScience Personal CA 3 Certification Authority certificate (if it is not known already). Choose the option to trust the CA to identify users. If the Certification Authority is already known, Firefox will simply display an information message.

The option to choose which purposes are trusted in Firefox

The notification displayed in Firefox when the installation process is completed successfully

You will also receive an information email from admin@digicert.com containing your certificate, the DigiCert root certificate and the intermediate CA certificate. This email contains only public information and you can safely delete it.

DigiCert email informing you that your certificate has been issued

In some cases, the installation process might fail even if the application displays the final success notification. Please check your keystore to verify that your newly issued certificate is there. If the certificate is missing, please inform your administrator or contact us at tcs-ra@cesnet.cz.

Make a proper backup of your new certificate, including its private key, from the browser keystore it is stored in. The backup must be secured so that only you can access it. Without a backup, data encrypted with this certificate cannot be recovered if the certificate is lost.
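As an added example (it is not part of this documentation or of the TCS application), the following POSIX shell script uses the openssl command line (version 1.1.1 or newer is assumed) to check a PKCS#12 (.p12) backup such as the one exported from the browser keystore: it confirms that the private key in the backup matches the certificate, lists the email addresses the certificate carries in its subjectAltName extension, and flags those outside the organization's domain, which is the same distinction the “foreign” address check above makes. The organization domain example.org, the demo user, the file names and the passphrase are all constructed; run without arguments, the script builds a self-signed demo certificate so it works offline.

```shell
#!/bin/sh
# Added example, not CESNET/TCS code: sanity-check a PKCS#12 backup of a
# personal certificate with the openssl CLI. All names and the passphrase
# below are constructed for the demonstration.

# Succeeds only if the certificate's public key and the private key stored in
# the backup are the same key; a mismatch (or a wrong passphrase) fails.
p12_key_matches_cert() {
    p12=$1; pass=$2
    cert_pub=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null \
        | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the email addresses (rfc822Name entries of subjectAltName) the
# certificate in the backup was issued for, one per line.
p12_san_emails() {
    p12=$1; pass=$2
    openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'email:[^, ]*' | sed 's/^email://'
}

# Print the addresses whose domain is neither the organization's domain nor
# one of its subdomains ("foreign" addresses, which DigiCert validates separately).
foreign_emails() {
    org_domain=$1; shift
    for addr in "$@"; do
        case "$addr" in
            *@"$org_domain" | *@*."$org_domain") ;;   # owned by the organization
            *) echo "$addr" ;;
        esac
    done
}

# Build a constructed demo backup: a self-signed certificate for a fictitious
# user with one organization address and one "foreign" (gmail.com) address.
make_demo_backup() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=Demo User" \
        -addext "subjectAltName=email:demo.user@example.org,email:demo.user@gmail.com" \
        >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/backup.p12" -passout "pass:$pass" 2>/dev/null
}

# Usage: ./check_backup.sh <backup.p12> <passphrase> [organization domain]
# With no arguments a demo backup is generated and checked instead.
if command -v openssl >/dev/null 2>&1; then
    if [ $# -ge 2 ]; then
        p12=$1; pass=$2; org=${3:-example.org}; tmp=""
    else
        tmp=$(mktemp -d)
        make_demo_backup "$tmp" "demo-passphrase"
        p12="$tmp/backup.p12"; pass="demo-passphrase"; org=example.org
    fi
    if p12_key_matches_cert "$p12" "$pass"; then
        echo "private key matches certificate"
    else
        echo "MISMATCH or unreadable backup: it cannot be used to restore the key" >&2
    fi
    emails=$(p12_san_emails "$p12" "$pass")
    # shellcheck disable=SC2086  # addresses contain no whitespace
    echo "addresses in certificate: $(echo $emails)"
    echo "foreign addresses: $(foreign_emails "$org" $emails)"
    [ -n "$tmp" ] && rm -rf "$tmp"
fi
```

Firefox's certificate manager (the “Backup…” button under Your Certificates) and the Windows certificate export wizard both write this PKCS#12 format, so the same checks apply to a real backup; keep the .p12 file and its passphrase in a place only you control, exactly as the backup advice above requires.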

Last modified: 2019/09/24 13:33