Zde můžete vidět rozdíly mezi vybranou verzí a aktuální verzí dané stránky.
| Obě strany předchozí revize Předchozí verze | |||
|
en:tcs-personal-user.html [2021/08/18 12:51] jan.chvojka@cesnet.cz |
en:tcs-personal-user.html [2021/08/18 12:58] jan.chvojka@cesnet.cz |
||
|---|---|---|---|
| Řádek 14: | Řádek 14: | ||
| ===== The process of issuing a new Personal TCS Certificate ===== | ===== The process of issuing a new Personal TCS Certificate ===== | ||
| - | Choose [[https://tcs.cesnet.cz/en/clientrequestform/form|Personal Certificate]] in the Application menu. You will be asked to sign in using your home organization's IdP. After successful login you will be presented with an overview of your certificate's parameters. | + | The keys required for the certificate are securely generated on the user's computer, using custom code created by the CESNET CA development team, which is part of the TCS portal. After the certificate is issued, the private key and the certificate itself are stored on the user's disk as an encrypted PKCS12 file, which can be imported into almost any mail client or web browser. |
| - | <WRAP picture>{{:en:tcsp-cert-release1.png|}}\\ | + | No other initial steps are required for alternative certificate generation, the browser without its own code for generation is automatically recognized. So start on the tcs.cesnet.cz portal by selecting Personal certificate in the left menu. In this case, you must first verify your identity by logging in to start generating. |
| - | Page for requesting new personal TCS certificate</WRAP> | + | |
| - | Double-check email addresses shown in the certificate preview and then continue by clicking on the button "Issue the certificate". | + | <WRAP picture>{{:cs:tcs-p-alt1.png|}}\\ |
| + | //Úvodní stránka generování osobního certifikátu (Chromium)// | ||
| + | </WRAP>\\ | ||
| - | <WRAP info> | + | After the generation starts, the keys are created and sent to the external certification authority that issues the certificate. The user is then prompted to enter a password to encrypt the resulting file. Choose a password ** secure ** (character combination, length) and memorable at the same time. Without his knowledge, the file cannot be decrypted. Conversely, with a simple password or a password already used for other purposes, you can make the certificate available to a potential attacker. |
| - | In case there is an address in the list that is not owned by your organization (the domain name does not belong to your organization, e.g. //gmail.com//, //yahoo.com//), this address is left unchecked by default and relevant warning is shown. You can add the "foreign" address back in the certificate, however you will be asked to prove the ownership of such an address. DigiCert will send a confirmation email to all "foreign" addresses and you will be asked to follow a link in the email to prove the ownership (see the certificate request preview, example of the email from DigiCert and the DigiCert's validation page below). | + | |
| - | </WRAP> | + | |
| - | <WRAP picture>{{:en:vydani-crt2.png|}}\\ | ||
| - | Page for requesting new personal TCS certificate with "foreign" email address | ||
| - | </WRAP> | ||
| - | <WRAP picture>{{:en:autorizace-emailu1.png|}}\\ | + | <WRAP picture>{{:cs:tcs-p-alt2.png|}}\\ |
| - | Information page describing steps needed to validate your "foreign" email addresses | + | //Průběh alternativního generování klíčů a zadání hesla k výslednému šifrovanému souboru (Chromium)// |
| - | </WRAP> | + | </WRAP>\\ |
| - | <WRAP picture>{{:en:tcsp-email-auth2.png|}}\\ | + | After entering the password, the certificate is usually saved in the file ** usercert.p12 ** in the folder for ** downloaded files ** on your computer. The file may exceptionally be named ** otherwise **, depending on the specific browser. |
| - | Example of the email from DigiCert requesting validation of the "foreign" email address | + | |
| - | </WRAP> | + | |
| - | <WRAP picture>{{:en:tcsp-email-auth3.png|}}\\ | + | <WRAP picture>{{:cs:tcs-p-alt3.png|}}\\ |
| - | DigiCert web-page confirming successful validation of all the email addresses | + | //Dokončení generování certifikátu a jeho uložení do souboru na disk (Chromium)// |
| - | </WRAP> | + | </WRAP>\\ |
| - | <WRAP picture>{{:en:tcsp-priv-keygen.png|}}\\ | + | In case of problems, please do not contact the CESNET TCS-RA team, but ** computer support at your workplace **, who will be happy to advise you on their removal. |
| - | Private key generation process in Firefox | + | |
| - | </WRAP> | + | |
| - | <WRAP info> | ||
| - | The Microsoft Edge (Spartan) browser, usually the default browser in Windows 10, does not support the generation of private keys or certificate requests. Fortunately, there is also the old Internet Explorer present in the system in most cases. You can open the More menu (click on the button with three dots in the upper right corner of the window) and select the option **Open with Internet Exporer**. | ||
| - | </WRAP> | ||
| - | |||
| - | <WRAP picture>{{:en:tcsp-edge1.png|}}\\ | ||
| - | Transfer to the Internet Explorer from the menu in Microsoft Edge | ||
| - | </WRAP> | ||
| - | |||
| - | After sending the request (and potentially the verification of "foreign" email addresses), your browser will generate your new private key. The behaviour varies for each browser. For instance, Firefox will simply show you a notification window for the period of key generation while Internet Explorer will notify you that the web-page wants to access the keystore and ask you for a confirmation. You need to allow the access, the private key will not be created otherwise. | ||
| - | |||
| - | <WRAP picture>{{:cs:tcsp-povoleni-pristupu-do-uloziste-mswin.png|}}\\ | ||
| - | Allowing the access to keystore in Windows 10 | ||
| - | </WRAP> | ||
| - | |||
| - | The Certification Authority will usually sign your request under two minutes after the request has been sent. **Do not close the window** before the certificate is issued and saved in your keystore. The application will notify you once the process is complete. Again, the installation process varies for each browser. Internet Explorer will not require more actions but Firefox might ask you for confirmation of trust when installing the intermediate [[https://pki.cesnet.cz/en/ch-tcs-p-digicert-crt-crl.html#terena_escience_personal_ca_3|TERENA eScience Personal CA 3]] Certification Authority certificate (if it is not known already). Choose the option to trust the CA to identify users. In case the Certificate Authority is already known, Firefox will simply display an information message. | ||
| - | |||
| - | <WRAP picture>{{:en:crt2.png|}}\\ | ||
| - | The option to choose which purposes are trusted in Firefox | ||
| - | </WRAP> | ||
| - | |||
| - | <WRAP picture>{{:en:crt3.png|}}\\ | ||
| - | The notification displayed in Firefox when the installation process is completed successfully | ||
| - | </WRAP> | ||
| - | |||
| - | You will also receive an information email from ''admin@digicert.com'' with your certificate, DigiCert root certificate and intermediate CA certificate included. This email contains only public information and you can safely delete it. | ||
| - | |||
| - | <WRAP picture>{{:en:tcsp-confirm.png|}}\\ | ||
| - | DigiCert email informing you that your certificate has been issued | ||
| - | </WRAP> | ||
| - | |||
| - | <WRAP important> | ||
| - | In some cases, the installation process might fail even if the application displays the final success notification. Please check your keystore to verify that your newly issued certificate is there. If the certificate is missing, please inform your administrator or contact us at tcs-ra@cesnet.cz. | ||
| - | |||
| - | Kindly do a proper backup of your new private certificate from the browser keystore it is saved in. The backup has to be secured so only you can access it. It is not possible to restore the data encrypted with this certificate without the backup if the certificate is lost. | ||
| - | </WRAP> | ||
CESNET, z. s. p. o.
Generála Píky 26
16000 Praha 6
info@cesnet.cz
Tel: +420 234 680 222
GSM: +420 602 252 531
support@cesnet.cz