TCS Personal Certificates

For more information on personal certificates and on why to sign electronic mail, see the brief summary in the article on E-mail and Electronic Signature or J. Peterka’s book Báječný svět elektronického podpisu (Wonderful World of Electronic Signature, http://bajecnysvet.cz/).

Characteristics:

  • validity of 1 year,
  • root certificate: DigiCert – implicitly trusted in many mail clients,
  • for users of organizations integrated into eduID.cz (Czech Academic Identity Federation).

Instructions:

Due to an application error, only administrators can cancel/revoke certificates at this time. If necessary, you can contact scs@vse.cz.

Electronic Signature
Obtaining a Certificate

The certificate can be obtained by students and employees of VŠE. Here is how to do it:

1. Verification of User Identity

Come to the helpdesk in room 22 SB and tell the operator that you want to verify your identity for the electronic signature. Bring your student (ISIC) or employee card and one identity document (identity card, driver’s license or passport) with you.

2. Issuing of Certificate

Follow the instructions on the CESNET PKI website. The private key and the certificate request (CSR) can be generated automatically by the web browser (Request type: in browser) or created manually, for example with OpenSSL (Request type: from a file or Request type: from clipboard).

3. Installation of Certificate

If you chose Request type: in browser, install the issued certificate into your browser and then export it together with the private key to a file – then import the file into your email client.

If you generated the key and request manually (e.g. with OpenSSL), do not install the certificate in the browser: just download the certificate to disk and import it, together with the private key you generated at the start, into the email client.
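Steps 2 and 3 on the manual (OpenSSL) route, worked through as an added example that is not from the VŠE page or from CESNET. It generates the 2048-bit key and the CSR you would upload with Request type: from a file, then, standing in for the certificate TCS would return, signs a self-signed placeholder so that the PKCS#12 backup step can be shown end to end offline. The subject, e-mail address, file names and password are constructed sample values; in real use cert.pem is the file downloaded from CESNET.

```shell
#!/bin/sh
# Added example (not from the VŠE page or CESNET): the manual OpenSSL route for
# steps 2 and 3. All names, addresses and the password are constructed samples.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Step 2, "Request type: from a file": one 2048-bit RSA key plus the CSR to upload.
# The key stays unencrypted on disk only until it is bundled below, so keep it 0600.
make_key_and_csr() {
    dir=$1; email=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/request.csr" \
        -subj "/C=CZ/O=Example University/CN=Jane Example/emailAddress=$email" \
        >/dev/null 2>&1
    chmod 600 "$dir/key.pem"
}

# Check a CSR before uploading it: its self-signature must verify and the key
# must be the 2048 bits the form expects. Prints the key size in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-in for the certificate TCS issues for the CSR: a self-signed placeholder
# so the backup step can run offline. Replace cert.pem with the issued file.
make_placeholder_cert() {
    dir=$1
    openssl x509 -req -in "$dir/request.csr" -signkey "$dir/key.pem" \
        -days 365 -out "$dir/cert.pem" >/dev/null 2>&1
}

# Step 3, "Backup of the certificate with a strong password": key and certificate
# together in one PKCS#12 file. This is what the mail client imports and what you
# keep somewhere safe; key.pem can be deleted once this file exists.
make_backup() {
    dir=$1; password=$2
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name "TCS personal certificate (sample)" \
        -out "$dir/backup.p12" -passout "pass:$password"
    chmod 600 "$dir/backup.p12"
}

# Confirm the backup opens with the password you intend to remember. Returns 0
# when the integrity MAC checks out, non-zero otherwise (wrong password, damaged file).
check_backup() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate inside the backup, for matching against
# the one the mail client shows after import.
backup_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

demo() {
    dir=$(mktemp -d)
    make_key_and_csr "$dir" jane.example@example.org
    echo "CSR key size: $(csr_key_bits "$dir/request.csr") bits; upload $dir/request.csr"
    make_placeholder_cert "$dir"
    make_backup "$dir" 'correct horse battery staple (sample)'
    check_backup "$dir/backup.p12" 'correct horse battery staple (sample)' && echo "backup opens"
    backup_fingerprint "$dir/backup.p12" 'correct horse battery staple (sample)'
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to walk through the steps in a temporary directory. Upload request.csr with Request type: from a file, keep key.pem off shared storage until the bundle exists, and once backup.p12 is built and check_backup confirms the password, that file (with the password kept separately) is the backup the Security section asks you to keep; the mail client asks for the same password on import.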

Security

You must guard the file containing your private key (or the private key together with the certificate) so that no one else can access it; anyone who obtains it could read e-mails encrypted for you or sign on your behalf. At the same time, back these files up safely: if you lose them, you will not be able to read any encrypted e-mails you received in the past, nor to sign your e-mails.

If your computer has been compromised (stolen laptop, virus attack, cracker attack, …) or you have lost media holding a backup of your private key, follow the Certificate Revocation instructions: revoke the old certificate and have a new one issued.

If your computer was infected or otherwise attacked, resolve the cause (reinstall the operating system, use antivirus and a firewall, adopt safer Internet habits, …) before requesting a new certificate. In this case, also change your InSIS password and possibly the passwords for other services.

More Information

More about the electronic signature can be found in Jiří Peterka’s book Báječný svět elektronického podpisu (Wonderful World of Electronic Signature). PDF, EPUB and MOBI versions are available for download at knihy.nic.cz.

Request:

  1. Authentication of user identity at the Help Desk of VŠE
  2. Submitting the request via the CESNET web form (signpost, help, https://tcs.cesnet.cz/clientrequestform/form, request):
    • login with the VŠE account (via Shibboleth),
    • certificate parameters (type: normal, request: in browser, key: 2048-bit, expiration, addresses),
    • installation of the certificate (trusting the root CA, saving to the browser).
  3. Backup of the certificate with a strong password (in PKCS#12 format).

InSIS Compatibility Recommendations:

  • When sending messages, prefer the ISO 8859-2 encoding. For the clients listed here it is the default character encoding, so unless you have changed that setting it is already in use.

TCS Personal Certificate Request – Issued Certificates

The issued personal certificate on the right, the parent CA certificate on the left.

Request for TCS Personal Certificate – Certificate Backup
The issued certificate is stored in the browser. It is also necessary to securely back up the certificate.

Firefox

In Firefox, we select:

  1. Main menu: Tools → Options → Advanced → Certificates → Certificates → Personal (1),
  2. select the certificate (2),
  3. then select Backup (3).

The certificate backup contains the private key, so you must protect it with a strong password and store the backup securely.

Microsoft Outlook
Microsoft Outlook – Import of Personal Certificate 1

In the application, select Settings → Options → Security Centre (1) → Security Centre Settings (2) → Import/Export (3). Use the Browse (4) button to select the certificate file, enter its password in the Password (5) field and confirm with the OK button (6).

Microsoft Outlook – Import of Personal Certificate 2

In the Security Centre, we check (1) that “Add Digital Signature to Outgoing Messages” is selected and, for greater compatibility with web clients, also “Send Signed Message without Verification” when sending a signed message (in the 2013 version referred to as “Send this message as signed without verification”). Then we create a new security setting (2), give it a name (3) and select it as the default setting (4).

Microsoft Outlook – Sending Signed Message

When sending a message, the colored button (1) informs you that the message will be signed.

Microsoft Outlook – Message with Valid Signature

The icon (1) in the inbox indicates that the message is signed. The icon (2) in the message detail indicates that the signature is valid. Clicking this icon (2) opens a window with more information about the signature validity (3) and a button (4) for displaying the details of the validity evaluation.

Microsoft Outlook – Message with Invalid Signature

The icon (1) in the inbox indicates that the message is signed. Clicking the icon or the message (2) in the details of the delivered message opens a window with more information about the signature verification problems (3) and a button for displaying the signature validity evaluation (4). After selecting “Signed” (5), it shows that the message has been changed, so the signature is invalid (6).

Microsoft Outlook – Unknown Signature and Granting Trust

The icon (1) in the inbox indicates that the message is signed. Clicking the icon or the message (2) in the details of the delivered message opens a window with more information about the signature verification problems and a button for displaying the signature validity evaluation (3). After selecting “Signed” (4), it shows that the root certificate is not trusted, so the signature cannot be validated (5). Clicking the button (6) displays the root certificate details (7). After examining them, the certificate can be marked as “Trusted” by clicking the button (8).

Mozilla Thunderbird
Mozilla Thunderbird – Import of Personal Certificate

To import a personal certificate in the application, select Main menu: Preferences → Account Settings → Security (1) → View Certificates (2) → Personal (3) → Import (4) and enter the path to the backup of the personal certificate.

Mozilla Thunderbird – Personal Certificate Association

To associate a personal certificate with a mail account in the application, select Main menu: Preferences → Account settings → Security → Select Signature Certificate (1). In the drop-down menu (2) select the imported certificate and check the option to Sign Messages Electronically (3).

Mozilla Thunderbird – Sending Signed Message

When sending a message, the icon (1) indicates that the message will be signed. Click on it (1) or on the Security button (2) to display a detailed summary (3).

Mozilla Thunderbird – Message with Valid Signature

An inbox message with a valid signature is indicated by an icon (1), and after clicking on it, signature verification details will be shown (2). By clicking the View Certificate button (3), it is possible to display the signer’s certificate (4), including its trustworthiness.

Mozilla Thunderbird – Message with Invalid Signature

An inbox message with an invalid signature is indicated by icon (1), and by clicking on it, signature verification details (2), in this case reporting a message integrity violation, will be shown. By clicking the View Certificate button (3), it is possible to display the signer’s certificate (4), including its trustworthiness.

Mozilla Thunderbird – Message with Unknown Signature

An inbox message with unknown signature validity is indicated by an icon (1), and by clicking on it, signature verification details (2), in this case indicating that the root certificate has not yet been trusted, will be shown. By clicking the View Certificate button (3), it is possible to display the signer’s certificate (4). The certificate issuer description (5) reveals which root certificate is needed.

Mozilla Thunderbird – Granting Trust to Root Certificate

The root certificate can be obtained from the website of the certification authority. To grant trust to the root certificate in the application, select Main Menu: Preferences → Advanced (1) → Certificates (2) → Certificates (3) → Authorities (4) → Import (5) and enter the path to the downloaded certificate.
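The three outcomes the Outlook and Thunderbird sections describe (valid signature, message changed, root not trusted), reproduced with OpenSSL's cms command as an added example that is not part of the VŠE page. The root CA, the user certificate and the message are all constructed here; the CA is a throwaway stand-in for the real issuer, and the functions verify_trusted, verify_untrusted_store and signer_issuer are this example's names, not OpenSSL subcommands.

```shell
#!/bin/sh
# Added example, not from the VŠE page: the three S/MIME verification outcomes
# (valid, message changed, root not trusted) reproduced with openssl cms.
# Every key, certificate and message here is constructed; the root CA is a
# throwaway stand-in for the real issuer.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Throwaway root CA plus a user certificate it issues, carrying the key usage
# and e-mail address an S/MIME signing certificate has.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/O=Example Test CA/CN=Example Root (constructed)" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/user.key" -out "$dir/user.csr" \
        -subj "/CN=Jane Example/emailAddress=jane.example@example.org" >/dev/null 2>&1
    printf '%s\n' 'keyUsage = digitalSignature' \
        'extendedKeyUsage = emailProtection' \
        'subjectAltName = email:jane.example@example.org' > "$dir/user.ext"
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/user.ext" \
        -out "$dir/user.pem" >/dev/null 2>&1
}

# Sign a message the way the mail clients do: clear (detached) S/MIME, so a
# client that cannot verify still shows the text. Remaining args are the lines.
sign_message() {
    dir=$1; shift
    printf '%s\n' "$@" > "$dir/message.txt"
    openssl cms -sign -signer "$dir/user.pem" -inkey "$dir/user.key" \
        -text -in "$dir/message.txt" -out "$dir/signed.eml"
}

# "Message with Valid Signature": the signature is intact and the signer's
# certificate chains to a root in the trust store (-CAfile here; the mail
# client's certificate store in Outlook or Thunderbird). Exit 0 only then.
verify_trusted() {
    openssl cms -verify -in "$1" -CAfile "$2" -text -out /dev/null >/dev/null 2>&1
}

# "Message with Unknown Signature": the same message checked against an empty
# trust store. The signature is still intact, but the chain ends at a root the
# verifier does not know, so the result is "unknown", not "valid".
verify_untrusted_store() {
    openssl cms -verify -in "$1" -no-CAfile -no-CApath -text -out /dev/null >/dev/null 2>&1
}

# "Message with Invalid Signature": alter one figure in the clear-signed body.
# The signature still belongs to Jane, but it no longer covers this text.
tamper() {
    sed 's/1000 CZK/9000 CZK/' "$1" > "$2"
}

# What Thunderbird's issuer description shows: which root is needed. The
# signer's certificate is pulled from the message without trusting anything
# (-noverify skips chain building, the content signature is still checked).
signer_issuer() {
    openssl cms -verify -in "$1" -noverify -signer "$2/signer.pem" \
        -text -out /dev/null >/dev/null 2>&1
    openssl x509 -in "$2/signer.pem" -noout -issuer
}

demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    sign_message "$dir" "Please transfer 1000 CZK to the project account."
    verify_trusted "$dir/signed.eml" "$dir/ca.pem" && echo "original, root trusted: valid"
    tamper "$dir/signed.eml" "$dir/tampered.eml"
    verify_trusted "$dir/tampered.eml" "$dir/ca.pem" || echo "tampered: invalid (content changed)"
    verify_untrusted_store "$dir/signed.eml" || echo "original, root unknown: cannot be validated"
    echo "root needed: $(signer_issuer "$dir/signed.eml" "$dir")"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to see the three results side by side. The lesson matches the screenshots: a tampered body fails even with the right root trusted, and an intact signature from an unknown root proves nothing until that root is imported, which is why the issuer reported by signer_issuer should be checked against the fingerprint the certification authority publishes before the root certificate is marked Trusted.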