TCS Personal Certificates

For more information on personal certificates and on why electronic mail should be signed, see the brief summary in the article on E-mail and Electronic Signature.

Obtaining a Certificate

Characteristics:

  • Validity period of the certificate: 3 years
  • Certificate type: RSA 2048
  • Trusted root CA: USERTrust RSA Certification Authority
  • Available to users of organisations integrated into eduID.cz (Czech Academic Identity Federation)

Request:

  1. Verification of User Identity. Come to the Help desk in room 22 Sb and tell the staff that you want to verify your identity for electronic signature. Bring your student (ISIC) or employee card and one form of ID (ID card, driving licence or passport).
  2. Issuing of Certificate. Submit your application via the CESNET web form (https://tcs.cesnet.cz/clientrequestform/form, Personal Certificate):
    • log in with your school account (via Shibboleth),
    • select the email addresses to be placed in the certificate,
    • enter a strong passphrase; the browser then downloads a file containing your private key and certificate (usually named usercert.p12), protected by that passphrase.
    • We strongly recommend backing up this file on a medium you control and storing the passphrase in a password manager. Anyone who has both the file and the passphrase can sign mail in your name, so protect the backup accordingly; if you lose either of them, you will need a new certificate (see Revocation below).
  3. Installation of Certificate. Install the certificate on every device on which you read or send mail (see the import instructions below).

Detailed instructions with screenshots of the issuing process are available; they are generic for all schools, so they do not include the step of visiting the Help desk of the Informatics Centre.

Revocation:

When another certificate is issued, the user’s previous personal certificate is automatically revoked.

If your computer has been compromised (stolen laptop, malware infection, intrusion …) or you have lost a medium holding the private key backup, follow the Certificate Revocation instructions: revoke the old certificate and have a new one issued. Until the certificate is revoked, whoever holds the key file and its passphrase can sign mail in your name, so do not postpone this step.

If necessary, you can contact scs@vse.cz with your request.


Import of Personal Certificate into the System (Windows)

Search for certmgr (Certificate Manager); in the Personal store, right-click and choose All Tasks → Import. Alternatively, right-click the certificate file (e.g. on the backup medium) and choose Install PFX. Both options start the Certificate Import Wizard, which asks for the file's passphrase; follow its steps to finish the installation.

Microsoft Outlook

Microsoft Outlook – Personal Certificate Settings

Select File → Options → Trust Centre → Trust Centre Settings → Email Security. Check that both “Add digital signature to outgoing messages” and “Send clear text signed message when sending signed messages” are selected; the second option keeps the message readable for recipients whose mail client cannot process S/MIME. Then create a new security setting (or adjust the current one), give it a name, choose the imported certificate as the signing certificate, and select the setting as the default.


Microsoft Outlook – Sending Signed Message

When composing a message, the highlighted (coloured) Sign button indicates that the message will be signed.

Microsoft Outlook – Message with Valid Signature

An icon in the inbox indicates that the message is signed. The icon on the right in the message header indicates that the signature is valid. Clicking it opens a window with more information on the signature validity and a button for displaying the details of the validity evaluation.

Microsoft Outlook – Message with Invalid Signature

An icon in the inbox indicates that the message is signed. Clicking the icon, or the message in the reading pane, opens a window with more information on the signature verification problems and a button for displaying the validity evaluation. After selecting “Signed”, the details show that the message has been changed after it was signed, so the signature is invalid. Treat such a message as if it were unsigned: the content you see is not what the sender signed.

Microsoft Outlook – Unknown Signature and Granting Trust

An icon in the inbox indicates that the message is signed. Clicking the icon, or the message in the reading pane, opens a window with more information on the signature verification problems and a button for displaying the validity evaluation. After selecting “Signed”, the details show that the root certificate is not trusted, so the signature cannot be validated. Clicking the button displays the details of the root certificate. After examining it (compare its issuer name and fingerprint with the values the certification authority publishes), you can grant it trust by clicking “Trust”. Trusting a root means trusting every certificate issued under it, so do this only for a root you have verified.

Mozilla Thunderbird

Mozilla Thunderbird – Import of Personal Certificate

To import a personal certificate into the application, select Main menu: Preferences → Account Settings → Security (1) → View Certificates (2) → Personal (3) → Import (4), enter the path to the backup of the personal certificate (the .p12 file) and supply its passphrase when prompted.

Mozilla Thunderbird – Personal Certificate Association

To associate a personal certificate with a mail account in the application, select Main menu: Preferences → Account Settings → Security → Select Signature Certificate (1). In the drop-down menu (2) select the imported certificate and check the option to Sign Messages Electronically (3).

Mozilla Thunderbird – Sending Signed Message

When sending a message, the icon (1) indicates that the message will be signed. Click on it (1) or on the Security button (2) to display a detailed summary (3).

Mozilla Thunderbird – Message with Valid Signature

An inbox message with a valid signature is indicated by an icon (1), and after clicking on it, signature verification details will be shown (2). By clicking the View Certificate button (3), it is possible to display the signer’s certificate (4), including its trustworthiness.

Mozilla Thunderbird – Message with Invalid Signature

An inbox message with an invalid signature is indicated by icon (1), and by clicking on it, signature verification details (2), in this case reporting a message integrity violation, will be shown. By clicking the View Certificate button (3), it is possible to display the signer’s certificate (4), including its trustworthiness.

Mozilla Thunderbird – Message with Unknown Signature

An inbox message with unknown signature validity is indicated by an icon (1), and by clicking on it, signature verification details (2), in this case indicating that the root certificate has not yet been trusted, will be shown.
By clicking the View Certificate button (3), it is possible to display the signer’s certificate (4). The certificate issuer description (5) reveals which root certificate is needed.

Mozilla Thunderbird – Granting Trust to Root Certificate

The root certificate can be obtained from the website of the certification authority (for TCS personal certificates this is the USERTrust RSA Certification Authority listed above). Before importing it, compare its fingerprint with the value the authority publishes: importing a root means trusting every certificate issued under it. To grant trust to the root certificate in the application, select Main Menu: Preferences → Advanced (1) → Certificates (2) → Certificates (3) → Authorities (4) → Import (5) and enter the path to the downloaded certificate.
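The following script is an added example and is not part of this page, of the CESNET TCS form, or of either mail client. It uses only the openssl command line to reproduce, in one run, the artefacts and states described above: it builds a throw-away test CA and a user certificate with the properties listed under Obtaining a Certificate (RSA 2048, the user's email address in the certificate, a 3-year validity), packs them into a passphrase-protected usercert.p12 like the one the web form downloads, runs the checks worth doing on that file before you rely on its backup, and then produces a clear-signed message and verifies it in the three situations the Outlook and Thunderbird sections describe: valid signature, invalid signature (the message was altered after signing) and unknown signature (the root is not yet trusted, which importing the root, here passing it as a CA file, resolves). Every name and value is constructed for the demo: "Test Root CA" stands in for the USERTrust root, alice@example.org for a real address, and the passphrase and message body are made up.

```shell
#!/bin/sh
# Added example, not part of the original page or of the CESNET TCS tooling.
# Builds a test CA and user certificate, packs them into usercert.p12, inspects
# the file, then shows valid / invalid / unknown S/MIME signature verification.
# All names are constructed ("Test Root CA", alice@example.org, passphrase).
set -eu

# Create CA, user key/certificate and usercert.p12 in directory $1; $2 is the
# passphrase protecting the PKCS#12 file.
make_test_pki() {
cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.org
EOF
    # Self-signed root, playing the role of the trusted root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test Root CA" \
        -config "$1/ext.cnf" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # User key and request, then a 3-year end-entity certificate from the root.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" \
        -subj "/CN=Alice Test/emailAddress=alice@example.org" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
    openssl x509 -req -days 1095 -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/ext.cnf" -extensions user_ext \
        -out "$1/user.crt" 2>/dev/null
    # Private key + certificate + chain in one passphrase-protected file.
    openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.crt" -certfile "$1/ca.crt" \
        -name "Alice Test" -passout "pass:$2" -out "$1/usercert.p12"
}

# End-entity certificate (PEM) extracted from PKCS#12 file $1 with passphrase $2.
p12_cert() { openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null; }

# Checks worth running on the downloaded file before trusting your backup of it.
p12_key_bits() {    # RSA key size; the page promises 2048
    p12_cert "$1" "$2" | openssl x509 -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
p12_email() {       # address the certificate is bound to (Subject Alternative Name)
    p12_cert "$1" "$2" | openssl x509 -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}
p12_valid_for() {   # exit 0 if the certificate is still valid $3 seconds from now
    p12_cert "$1" "$2" | openssl x509 -noout -checkend "$3" >/dev/null
}

# Clear-signed S/MIME message (multipart/signed), the format Outlook produces with
# "Send clear text signed message": $1 = PKI dir, $2 = body file, $3 = output file.
sign_message() {
    openssl smime -sign -in "$2" -signer "$1/user.crt" -inkey "$1/user.key" \
        -from alice@example.org -to bob@example.org -subject "Invoice" -out "$3"
}

# Verify signed message $1. With a CA file in $2 the chain is checked against it
# (what importing the root into the mail client achieves); with $2 empty only the
# default store is consulted, so our unknown root fails, as the clients report.
verify_message() {
    if [ -n "${2:-}" ]; then
        openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
    else
        openssl smime -verify -in "$1" -out /dev/null 2>/dev/null
    fi
}

demo() {
    D=$(mktemp -d); P='correct horse battery staple'      # constructed passphrase
    make_test_pki "$D" "$P"
    echo "key size: $(p12_key_bits "$D/usercert.p12" "$P") bit"
    echo "address:  $(p12_email "$D/usercert.p12" "$P")"
    printf 'Please transfer 100 EUR to the account below.\n' > "$D/msg.txt"   # constructed body
    sign_message "$D" "$D/msg.txt" "$D/signed.eml"
    verify_message "$D/signed.eml" "$D/ca.crt" && echo "valid signature"
    sed 's/100 EUR/900 EUR/' "$D/signed.eml" > "$D/tampered.eml"   # altered in transit
    verify_message "$D/tampered.eml" "$D/ca.crt" || echo "invalid signature: content changed"
    verify_message "$D/signed.eml" "" || echo "unknown signature: root not trusted yet"
    rm -rf "$D"
}
demo
```

The same p12_* checks can be pointed at a real usercert.p12 from the CESNET form: the key size should be 2048, the address should be the one you selected in the form, and the issuer chain (openssl pkcs12 -cacerts -nokeys) should end at the USERTrust root listed above. The tampered case changes one digit in the clear-text body; because the signature covers that body, verification reports a digest failure, which is the "message has been changed" state shown by both mail clients.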