Issuing a Personal TCS Certificate

The process of issuing a Personal TCS Certificate is fully self-served. In order to access this service, the following criteria must be met:

  • your home organization must be a member of eduID.cz, acknowledged as an Identity Provider
  • your home organization must grant you the permission to request a Personal TCS Certificate

Supported web browsers

All web browsers with a functional JavaScript interpreter and support for the W3C DOM standard are supported. Since the code for native certificate generation has disappeared from most browsers and it is difficult to maintain support for the remaining ones, we have prepared an alternative method. The request is still generated by the browser, but unlike native generation, the certificate and its private key are saved to the user's disk as an encrypted file.

In some cases, the certificate cannot be issued because of the browser's settings. If this happens, use a different browser or consult computer support at your workplace.

The process of issuing a new Personal TCS Certificate

The keys required for the certificate are securely generated on the user's computer, using custom code created by the CESNET CA development team, which is part of the TCS portal. After the certificate is issued, the private key and the certificate itself are stored on the user's disk as an encrypted PKCS12 file, which can be imported into almost any mail client or web browser.

No other initial steps are required for alternative certificate generation; a browser without its own generation code is recognized automatically. Start on the tcs.cesnet.cz portal by selecting Personal certificate in the left menu. You must first verify your identity by logging in before generation can start.

Initial page of personal certificate generation (Chromium)

After the generation starts, the keys are created and sent to the external certification authority that issues the certificate. The user is then prompted to enter a password to encrypt the resulting file. Choose a password that is both secure (character combination, length) and memorable. Without knowing it, the file cannot be decrypted. Conversely, with a simple password or a password already used for other purposes, you can make the certificate available to a potential attacker.

Progress of alternative key generation and entering the password for the resulting encrypted file (Chromium)

After entering the password, the certificate is usually saved in the file usercert.p12 in the folder for downloaded files on your computer. In exceptional cases the file may be named differently, depending on the specific browser.

Completion of certificate generation and saving it to a file on disk (Chromium)
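
A check you can run on the downloaded file before importing it, given here as an added example that is not part of the original page or of CESNET's code: it confirms that the password opens the file, shows whose certificate it holds and when it expires, and reports how the private key is encrypted. It assumes the OpenSSL command-line tool is installed; the script name check_p12.sh, the function names and the self-signed sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a downloaded PKCS#12 file before importing it.
# The password is read from the P12_PASS environment variable so that it is
# not passed as a process argument.

# Print subject and expiry date of the user certificate stored in file $1.
# Returns non-zero when the password is wrong or the file is damaged.
p12_cert_summary() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -enddate 2>/dev/null
}

# Print the scheme that encrypts the private key (the "Shrouded Keybag" line).
p12_key_protection() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -info -noout 2>&1 |
        sed -n 's/^Shrouded Keybag: //p'
}

# Succeed if the private key is wrapped with a PBES2 scheme (for example AES),
# fail for the older PKCS#12 schemes based on SHA-1 with RC2 or 3DES.
p12_key_is_pbes2() {
    case "$(p12_key_protection "$1")" in
        PBES2*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Build a constructed, self-signed sample in directory $1 (NOT a TCS
# certificate) so the checks can be tried without a real usercert.p12.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Sample User" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC \
        -passout env:P12_PASS -out "$1/usercert.p12"
}

# Hypothetical usage (check_p12.sh is an assumed script name):
#   read -rs P12_PASS; export P12_PASS; bash check_p12.sh ~/Downloads/usercert.p12
if [ $# -ge 1 ]; then
    p12_cert_summary "$1" && p12_key_protection "$1"
fi
```

A non-zero exit from the first check means the password did not open the file or the file is damaged.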

In case of problems, please do not contact the CESNET TCS-RA team; contact computer support at your workplace, who will be happy to advise you on resolving them.

Last modified: 2021/08/18 12:58