Operating Rules – Issuing of Personal Certificates TCS
What is it for?
The electronic signature guarantees the identity of the sender. A personal certificate from the Trusted Certificate Service (CA) mediated through the CESNET academic network can be used for electronic signature. CESNET CA facilitates the issuance of personal eScience (grid) and server TCS certificates. These certificates are issued by a DigiCert certification authority whose root certificates are trusted by most Internet browsers and mail clients in the default configuration.
Certificates issued by CESNET CA cannot be used to secure communication with the state administration. They are intended for use in national and international scientific research projects and for applications operated by members of CESNET, z.s.p.o.; at VŠE they also serve to increase the trustworthiness and security of electronic mail.
This personal certificate is free of charge and is available to all employees and students of the University of Economics, Prague (VŠE).
- User Identity Verification
The applicant will come in person to the User Support Centre (CPU) in room 22 SB, where they will notify the authorized employee of their electronic signature verification request. To verify their identity, they will need a student or employee identification card and one identity document (identity card, driving license or passport). The identity cannot be verified by an authorized employee without the required documents.
- Issuing of Certificate
After their identity has been verified at the CPU, the applicant can apply for a personal certificate as described on the CESNET PKI website. The private key and the certificate signing request (CSR) are generated automatically by the web browser.
- Installation of Certificate
Once issued, the certificate is stored in the browser. From there, the user exports it together with the private key to a file and then imports that file into an email client.
More detailed instructions are available on the CI website.
The file containing the applicant’s private key (or possibly the private key together with the certificate) must be secured so that no one can access it (they could then read encrypted emails or sign with the name of the compromised applicant). At the same time, these files must be safely backed up – if they are lost, it is not possible to read any encrypted emails that have been received in the past, and it is not possible to sign emails.
If the computer is compromised (stolen laptop, virus, cracker attack …) or if the medium with the private key backup is lost, you must revoke the original (compromised) certificate and have a new one issued according to the Certificate Revocation instructions. If the computer was infected or otherwise attacked, it is necessary to remove the cause first (e.g. by re-installing the operating system, using antivirus, firewall, safer Internet behavior …) and only then request a new certificate.
Prior to termination of study or employment, the user is obliged to revoke their certificate according to the Certificate Revocation instructions. If they do not do so, the certificate administration staff at VŠE will do that for them.