

Here you can see the differences between the selected version and the current version of this page.

en:tcs-personal-user.html [2018/10/30 12:43]
en:tcs-personal-user.html [2021/08/18 12:58] (current)
Line 8: Line 8:
 ===== Supported web browsers ===== ===== Supported web browsers =====
-Web browsers ​**Internet Explorer**, **Firefox** ​and **Safari** ​are supported. ​Chrome browser cannot be used to issue your personal ​certificate ​due to Google'​s ​decision ​to remove access ​to the keystore.+All web browsers ​with a functional JavaScript interpreter ​and the W3C DOM standard ​are supported. ​Since the code for native certificate generation has disappeared from most browsers and it is difficult ​to maintain support for the remaining ones, we have prepared an alternative method in which the request is also generated by the browser, but unlike native generation, the certificate ​and its private key are stored as encrypted file to the user'​s ​computer disk. 
 +In some cases, it may happen that the certificate cannot be issued due to its settings due to its settings. If this happens, use a different browser or consult computer support in your workplace.
 ===== The process of issuing a new Personal TCS Certificate ===== ===== The process of issuing a new Personal TCS Certificate =====
-Choose [[https://​tcs.cesnet.cz/​en/​clientrequestform/​form|Personal Certificate]] in the Application menu. You will be asked to sign in using your home organization'​s IdP. After successful login you will be presented with an overview of your certificate'​s parameters. +The keys required ​for the certificate ​are securely generated ​on the user's computer, using custom code created ​by the CESNET CA development teamwhich is part of the TCS portalAfter the certificate ​is issued, the private key and the certificate ​itself are stored on the user'​s ​disk as an encrypted PKCS12 file, which can be imported into almost any mail client or web browser.
- +
-<WRAP picture>​{{:​en:​tcsp-cert-release1.png|}}\\ +
-Page for requesting new personal TCS certificate</​WRAP>​ +
- +
-Double-check email addresses shown in the certificate ​preview and then continue by clicking ​on the button "Issue the certificate"​. +
- +
-<WRAP info> +
-In case there is an address in the list that is not owned by your organization (the domain name does not belong to your organizatione.g. //​gmail.com//,​ //​yahoo.com//​),​ this address ​is left unchecked by default and relevant warning is shownYou can add the "​foreign"​ address back in the certificate, ​however you will be asked to prove the ownership of such an address. DigiCert will send a confirmation email to all "​foreign"​ addresses ​and you will be asked to follow a link in the email to prove the ownership (see the certificate ​request preview, example of the email from DigiCert and the DigiCert'​s ​validation page below). +
-</​WRAP>​ +
- +
-<WRAP picture>​{{:​en:​vydani-crt2.png|}}\\ +
-Page for requesting new personal TCS certificate with "​foreign"​ email address +
-</​WRAP>​ +
- +
-<WRAP picture>​{{:​en:​autorizace-emailu1.png|}}\\ +
-Information page describing steps needed to validate your "​foreign"​ email addresses +
-</​WRAP>​ +
- +
-<WRAP picture>​{{:​en:​tcsp-email-auth2.png|}}\\ +
-Example of the email from DigiCert requesting validation of the "​foreign"​ email address +
-</​WRAP>​ +
- +
-<WRAP picture>​{{:​en:​tcsp-email-auth3.png|}}\\ +
-DigiCert ​web-page confirming successful validation of all the email addresses +
-</​WRAP>​ +
- +
-<WRAP picture>​{{:​en:​tcsp-priv-keygen.png|}}\\ +
-Private key generation process in Firefox +
-</​WRAP>​ +
- +
-<WRAP info> +
-The Microsoft Edge (Spartan) ​browser, usually the default browser in Windows 10, does not support the generation of private keys or certificate requestsFortunately,​ there is also the old Internet Explorer present in the system in most cases. You can open the More menu (click on the button with three dots in the upper right corner of the window) and select the option **Open with Internet Exporer**. +
-</​WRAP>​ +
- +
-<WRAP picture>​{{:​en:​tcsp-edge1.png|}}\\ +
-Transfer to the Internet Explorer from the menu in Microsoft Edge +
-After sending ​the request (and potentially the verification of "​foreign"​ email addresses), your browser ​will generate your new private key. The behaviour varies ​for each browserFor instance, Firefox will simply show you a notification window for the period of key generation while Internet Explorer will notify you that the web-page wants to access the keystore and ask you for a confirmation. You need to allow the access, the private key will not be created otherwise.+No other initial steps are required for alternative certificate generation, ​the browser ​without its own code for generation is automatically recognizedSo start on the tcs.cesnet.cz portal by selecting Personal certificate in the left menu. In this case, you must first verify your identity by logging in to start generating.
-<WRAP picture>​{{:​cs:​tcsp-povoleni-pristupu-do-uloziste-mswin.png|}}\\ +<WRAP picture>​{{:​cs:​tcs-p-alt1.png|}}\\ 
-Allowing the access to keystore in Windows 10 +//Úvodní stránka generování osobního certifikátu (Chromium)//​ 
-The Certification Authority will usually sign your request under two minutes after the request has been sent. **Do not close the window** before ​the certificate is issued and saved in your keystoreThe application will notify you once the process is completeAgainthe installation process varies ​for each browser. Internet Explorer will not require more actions but Firefox might ask you for confirmation of trust when installing ​the intermediate [[https://​pki.cesnet.cz/​en/​ch-tcs-p-digicert-crt-crl.html#​terena_escience_personal_ca_3|TERENA eScience Personal CA 3]] Certification Authority ​certificate ​(if it is not known already). Choose the option ​to trust the CA to identify users. In case the Certificate Authority is already known, Firefox will simply display an information message.+After the generation starts, the keys are created and sent to the external certification authority that issues the certificateThe user is then prompted to enter a password to encrypt the resulting file. Choose a password ​** secure ​** (character combination,​ length) and memorable at the same timeWithout his knowledge, ​the file cannot be decryptedConverselywith a simple password or a password already used for other purposes, ​you can make the certificate ​available ​to a potential attacker.
-<WRAP picture>​{{:​cs:​crt2.png|}}\\ 
-The option to choose which purposes are trusted in Firefox 
-<WRAP picture>​{{:​en:tcsp-cert-confirm.png|}}\\ +<WRAP picture>​{{:​cs:tcs-p-alt2.png|}}\\ 
-The notification displayed in Firefox when the installation process is completed successfully +//Průběh alternativního generování klíčů a zadání hesla k výslednému šifrovanému souboru (Chromium)//​ 
-You will also receive an information email from ''​admin@digicert.com''​ with your certificateDigiCert root certificate and intermediate CA certificate included. This email contains only public information and you can safely delete it.+After entering the password, the certificate is usually saved in the file ** usercert.p12 ** in the folder for ** downloaded files ** on your computer. The file may exceptionally be named ** otherwise **depending on the specific browser.
-<WRAP picture>​{{:​en:tcsp-confirm.png|}}\\ +<WRAP picture>​{{:​cs:tcs-p-alt3.png|}}\\ 
-DigiCert email informing you that your certificate has been issued +//​Dokončení generování certifikátu a jeho uložení do souboru na disk (Chromium)//​ 
-<WRAP important>​ +In case of problemsplease do not contact ​the CESNET TCS-RA team, but ** computer support at your workplace **, who will be happy to advise you on their removal.
-In some cases, the installation process might fail even if the application displays the final success notification. Please check your keystore ​to verify that your newly issued certificate is there. If the certificate is missing, please inform your administrator or contact us at tcs-ra@cesnet.cz.+
-Kindly do a proper backup of your new private certificate from the browser keystore it is saved in. The backup has to be secured so only you can access it. It is not possible to restore the data encrypted with this certificate without the backup if the certificate is lost. 
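Review bot: The removed closing paragraph's backup advice ("It is not possible to restore the data encrypted with this certificate without the backup if the certificate is lost") has no replacement in the added text, even though the private key now exists only in the usercert.p12 file saved to the downloads folder; add a sentence after the usercert.p12 paragraph telling users to keep a protected backup of that file and to remember its password. In the added Supported web browsers paragraph, "due to its settings due to its settings" is duplicated and "its" has no clear referent (presumably the browser's settings). In the password paragraph, "Without his knowledge, the file cannot be decrypted" should read "Without the password, the file cannot be decrypted". The three new image captions are in Czech on the English page and should be translated. The removed note about validating "foreign" email addresses has no counterpart in the new text; if that step still applies to the alternative generation flow, it should be described.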
Last modified: 2018/10/30 12:43