Rozdíly

Zde můžete vidět rozdíly mezi vybranou verzí a aktuální verzí dané stránky.

--- en:tcs-personal-user.html [2018/10/30 13:47]
dans@cesnet.cz
+++ en:tcs-personal-user.html [2021/08/18 12:58] (aktuální)
jan.chvojka@cesnet.cz
@@ Řádek 8: / Řádek 8: @@
 ===== Supported web browsers =====
-Web browsers **Internet Explorer**, **Firefox** and **Safari** are supported. Chrome browser cannot be used to issue your personal certificate due to Google's decision to remove access to the keystore.
+All web browsers with a functional JavaScript interpreter and the W3C DOM standard are supported. Since the code for native certificate generation has disappeared from most browsers and it is difficult to maintain support for the remaining ones, we have prepared an alternative method in which the request is also generated by the browser, but unlike native generation, the certificate and its private key are stored as encrypted file to the user's computer disk.
+In some cases, it may happen that the certificate cannot be issued due to its settings due to its settings. If this happens, use a different browser or consult computer support in your workplace.
 ===== The process of issuing a new Personal TCS Certificate =====
-Choose [[https://tcs.cesnet.cz/en/clientrequestform/form|Personal Certificate]] in the Application menu. You will be asked to sign in using your home organization's IdP. After successful login you will be presented with an overview of your certificate's parameters.
+The keys required for the certificate are securely generated on the user's computer, using custom code created by the CESNET CA development team, which is part of the TCS portal. After the certificate is issued, the private key and the certificate itself are stored on the user's disk as an encrypted PKCS12 file, which can be imported into almost any mail client or web browser.
-<WRAP picture>{{:en:tcsp-cert-release1.png|}}\\
-Page for requesting new personal TCS certificate</WRAP>
-Double-check email addresses shown in the certificate preview and then continue by clicking on the button "Issue the certificate".
-<WRAP info>
-In case there is an address in the list that is not owned by your organization (the domain name does not belong to your organization, e.g. //gmail.com//, //yahoo.com//), this address is left unchecked by default and relevant warning is shown. You can add the "foreign" address back in the certificate, however you will be asked to prove the ownership of such an address. DigiCert will send a confirmation email to all "foreign" addresses and you will be asked to follow a link in the email to prove the ownership (see the certificate request preview, example of the email from DigiCert and the DigiCert's validation page below).
-</WRAP>
-<WRAP picture>{{:en:vydani-crt2.png|}}\\
-Page for requesting new personal TCS certificate with "foreign" email address
-</WRAP>
-<WRAP picture>{{:en:autorizace-emailu1.png|}}\\
-Information page describing steps needed to validate your "foreign" email addresses
-</WRAP>
-<WRAP picture>{{:en:tcsp-email-auth2.png|}}\\
-Example of the email from DigiCert requesting validation of the "foreign" email address
-</WRAP>
-<WRAP picture>{{:en:tcsp-email-auth3.png|}}\\
-DigiCert web-page confirming successful validation of all the email addresses
-</WRAP>
-<WRAP picture>{{:en:tcsp-priv-keygen.png|}}\\
-Private key generation process in Firefox
-</WRAP>
-<WRAP info>
-The Microsoft Edge (Spartan) browser, usually the default browser in Windows 10, does not support the generation of private keys or certificate requests. Fortunately, there is also the old Internet Explorer present in the system in most cases. You can open the More menu (click on the button with three dots in the upper right corner of the window) and select the option **Open with Internet Exporer**.
-</WRAP>
-<WRAP picture>{{:en:tcsp-edge1.png|}}\\
-Transfer to the Internet Explorer from the menu in Microsoft Edge
-</WRAP>
-After sending the request (and potentially the verification of "foreign" email addresses), your browser will generate your new private key. The behaviour varies for each browser. For instance, Firefox will simply show you a notification window for the period of key generation while Internet Explorer will notify you that the web-page wants to access the keystore and ask you for a confirmation. You need to allow the access, the private key will not be created otherwise.
+No other initial steps are required for alternative certificate generation, the browser without its own code for generation is automatically recognized. So start on the tcs.cesnet.cz portal by selecting Personal certificate in the left menu. In this case, you must first verify your identity by logging in to start generating.
-<WRAP picture>{{:cs:tcsp-povoleni-pristupu-do-uloziste-mswin.png|}}\\
+<WRAP picture>{{:cs:tcs-p-alt1.png|}}\\
-Allowing the access to keystore in Windows 10
+//Úvodní stránka generování osobního certifikátu (Chromium)//
-</WRAP>
+</WRAP>\\
-The Certification Authority will usually sign your request under two minutes after the request has been sent. **Do not close the window** before the certificate is issued and saved in your keystore. The application will notify you once the process is complete. Again, the installation process varies for each browser. Internet Explorer will not require more actions but Firefox might ask you for confirmation of trust when installing the intermediate [[https://pki.cesnet.cz/en/ch-tcs-p-digicert-crt-crl.html#terena_escience_personal_ca_3|TERENA eScience Personal CA 3]] Certification Authority certificate (if it is not known already). Choose the option to trust the CA to identify users. In case the Certificate Authority is already known, Firefox will simply display an information message.
+After the generation starts, the keys are created and sent to the external certification authority that issues the certificate. The user is then prompted to enter a password to encrypt the resulting file. Choose a password ** secure ** (character combination, length) and memorable at the same time. Without his knowledge, the file cannot be decrypted. Conversely, with a simple password or a password already used for other purposes, you can make the certificate available to a potential attacker.
-<WRAP picture>{{:en:crt2.png|}}\\
-The option to choose which purposes are trusted in Firefox
-</WRAP>
-<WRAP picture>{{:en:tcsp-cert-confirm.png|}}\\
+<WRAP picture>{{:cs:tcs-p-alt2.png|}}\\
-The notification displayed in Firefox when the installation process is completed successfully
+//Průběh alternativního generování klíčů a zadání hesla k výslednému šifrovanému souboru (Chromium)//
-</WRAP>
+</WRAP>\\
-You will also receive an information email from ''admin@digicert.com'' with your certificate, DigiCert root certificate and intermediate CA certificate included. This email contains only public information and you can safely delete it.
+After entering the password, the certificate is usually saved in the file ** usercert.p12 ** in the folder for ** downloaded files ** on your computer. The file may exceptionally be named ** otherwise **, depending on the specific browser.
-<WRAP picture>{{:en:tcsp-confirm.png|}}\\
+<WRAP picture>{{:cs:tcs-p-alt3.png|}}\\
-DigiCert email informing you that your certificate has been issued
+//Dokončení generování certifikátu a jeho uložení do souboru na disk (Chromium)//
-</WRAP>
+</WRAP>\\
-<WRAP important>
+In case of problems, please do not contact the CESNET TCS-RA team, but ** computer support at your workplace **, who will be happy to advise you on their removal.
-In some cases, the installation process might fail even if the application displays the final success notification. Please check your keystore to verify that your newly issued certificate is there. If the certificate is missing, please inform your administrator or contact us at tcs-ra@cesnet.cz.
-Kindly do a proper backup of your new private certificate from the browser keystore it is saved in. The backup has to be secured so only you can access it. It is not possible to restore the data encrypted with this certificate without the backup if the certificate is lost.
-</WRAP>

Rozdíly

Links

Contact

Service desk