The process of issuing a Personal TCS Certificate is fully self-service. In order to access this service, the following criteria must be met:
The supported web browsers are Internet Explorer, Firefox up to and including version 68, and Safari. Chrome cannot be used to issue your personal certificate because of Google's decision to remove access to the keystore. Firefox version 69 and higher has the same problem.
Choose Personal Certificate in the Application menu. You will be asked to sign in using your home organization's IdP. After successful login you will be presented with an overview of your certificate's parameters.
Double-check the email addresses shown in the certificate preview and then continue by clicking the “Issue the certificate” button.
If the list contains an address that is not owned by your organization (the domain name does not belong to your organization, e.g. gmail.com, yahoo.com), this address is left unchecked by default and a relevant warning is shown. You can add the “foreign” address back to the certificate; however, you will be asked to prove ownership of such an address. DigiCert will send a confirmation email to all “foreign” addresses, and you will be asked to follow a link in the email to prove ownership (see the certificate request preview, the example of the email from DigiCert and DigiCert's validation page below).
The Microsoft Edge (Spartan) browser, usually the default browser in Windows 10, does not support the generation of private keys or certificate requests. Fortunately, in most cases the old Internet Explorer is also present in the system. You can open the More menu (click on the button with three dots in the upper right corner of the window) and select the option Open with Internet Explorer.
After the request has been sent (and, where applicable, the “foreign” email addresses have been verified), your browser will generate your new private key. The behaviour varies for each browser. For instance, Firefox will simply show you a notification window while the key is being generated, whereas Internet Explorer will notify you that the web page wants to access the keystore and ask you for confirmation. You need to allow the access; otherwise the private key will not be created.
The Certification Authority will usually sign your request in under two minutes after the request has been sent. Do not close the window before the certificate is issued and saved in your keystore. The application will notify you once the process is complete. Again, the installation process varies for each browser. Internet Explorer will not require any further action, but Firefox might ask you to confirm trust when installing the intermediate TERENA eScience Personal CA 3 Certification Authority certificate (if it is not known already). Choose the option to trust the CA to identify users. If the Certification Authority is already known, Firefox will simply display an information message.
You will also receive an information email from email@example.com with your certificate, DigiCert root certificate and intermediate CA certificate included. This email contains only public information and you can safely delete it.
In some cases, the installation process might fail even if the application displays the final success notification. Please check your keystore to verify that your newly issued certificate is there. If the certificate is missing, please inform your administrator or contact us at firstname.lastname@example.org.
Please make a proper backup of your new certificate and its private key from the browser keystore in which it is saved. The backup has to be secured so that only you can access it. If the certificate is lost, data encrypted with it cannot be restored without the backup.
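One way to check that a backup really contains the private key and not only the public certificate, added here as an example and not part of the original guide. It assumes the backup was exported from the browser as a PKCS#12 file (.p12/.pfx) and that the OpenSSL command-line tool is installed; the function names and the `P12_PASS` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Assumptions: the backup is a PKCS#12 file and its password is supplied in
# the environment variable P12_PASS (hypothetical name), so that it does not
# appear in the process list.

# check_p12_backup FILE
# Returns 0 only if FILE holds a user certificate AND the private key that
# matches it. Returns 1 on a wrong password, a certificate-only export,
# or a key that does not belong to the certificate.
check_p12_backup() {
    p12=$1
    # Public key taken from the user certificate inside the backup.
    cert_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    # Public key derived from the private key inside the backup.
    # The private key only passes through a pipe and is never written to disk.
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# p12_emails FILE
# Prints the email addresses named in the user certificate, one per line,
# so they can be compared with the addresses confirmed before issuance.
p12_emails() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -email
}

# Usage (file name is a placeholder):
#   export P12_PASS; check_p12_backup backup.p12 && p12_emails backup.p12
```

A non-zero result from `check_p12_backup` means the file cannot be used to restore the certificate, so the export from the browser keystore should be repeated while the original is still available.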