FAQ - Certificates

Translated with DeepL.com

FAQ - Certificates - General questions

How do I get and use a certificate?

Which certification authority do I have to use?

Basically, the environment of use can determine which certification authorities are to be used: For employees working in the Grid environment, the use of the GridKA-CA is required in addition to the KIT-CA. For all other employees, applying for certificates via the KIT-CA is sufficient.

Where can I find the registration authorities (RAs)?

On the CA pages you will find a list of the registration authorities for the KIT-CA.

What do I have to do when my certificate expires?

You have to apply for a new certificate. Important: Do not delete old certificates, otherwise you will not be able to read encrypted e-mails received in the past. Instructions on how to apply for a certificate.

I received an email with an expiration warning for my certificate. What should I do?

If you received an email with an expiration warning for your certificate, you can simply reapply for a new certificate. Please do not delete your old certificate, otherwise you will not be able to read your old encrypted emails.

I received an email with an expiration warning for my certificate. However, the certificate itself says that it is still valid for longer, what should I do?

If you have received an e-mail with an expiration warning for your certificate, but it is still valid for a longer period of time, it is possible that several certificates have been issued to you. Please check carefully if it is the same certificate.

Why do I need a backup? How do I create it?

A backup of your certificate is necessary for three reasons: Protection against loss (reinstallation, hardware damage), for transfer to other computers and for import into your e-mail program. For instructions on how to create a backup, see Create a backup of the certificate.

My certificate has disappeared (computer was formatted, hard disk broke, new workstation computer received) What should I do?

If you made a backup after applying for your certificate, you can import it now. Instructions for importing a backup can be found under Importinga certificate into the e-mail client.
If no backup exists, you must apply for a new certificate. Instructions for applying personal and group certificates. Under these circumstances, you will not be able to read your old encrypted emails.

Do I need a user certificate or a group certificate?

If you answer "Yes" to at least one of the following questions, you are applying for a group certificate:
  • Is the e-mail address for the certificate used by more than one person?
  • Is the e-mail address for which you are requesting the certificate a functional e-mail address? (this includes e-mail addresses such as Sekretariat@, Info@, Poststelle@, Prüfungsamt@, etc.)

What do I have to consider when applying for a group certificate?

The principle of application is very similar. The differences are as follows:
  • Certificates for groups of persons must begin with the indicator "GRP:" or "GRP - ". For example, in the application form, enter [function]@[oe].kit.edu in the email address field and "GRP:Beate Example" or "GRP - Beate Example" in the name field.
  • When assigning names for groups of people, confusion with existing names, such as natural persons or organizations, must be avoided. Likewise, no DNS names, IP addresses or other syntax elements used within the DFN-PKI may be used.

Should I publish my certificate or public key?

If you want to receive encrypted e-mails with this certificate, you should agree to the publication of the certificate. Please note: It is not possible to publish your public key afterwards, but it is possible to undo the publication at any time.

What does the selected PIN do when I apply for the certificate?

Firstly, you need the PIN to import your certificate if you did not agree to the publication of your public key when applying for the certificate.
And on the other hand, the PIN is used to revoke your certificate. If you are no longer in possession of your private key or if you suspect that someone other than you is in possession of your private key, you can have your certificate revoked.

Do I really have to submit the application in person?

Yes, because your identity will be checked and confirmed using your passport, ID card or residence permit (no, powers of attorney and driver's licenses do not count).

Why should I sign my e-mails? What are the implications?

Signing your emails lets the recipient know that the email really is from you and has not been altered in transit.

Why do I want to encrypt my emails? What are the implications?

Encrypting a message ensures that only you and the intended recipient can read the email.

FAQ - Certificates - Questions about certificates for certain operating systems or e-mail programs

OS X with Safari: I received an email from the RA after submitting the application, but the link does not open. What should I do?

Please note that when you pick up your certificate with OS X and Safari, you must select the attachment, not the link in the email. Also note that this must be done on the same computer under the same profile that you used to request the certificate.

FF and IE: Retrieving the certificate does not work. What do I have to do?

Please note that when picking up your certificate after requesting it with Firefox or IE, you must open the link with the browser you used to request the certificate (with the same profile, on the same computer) - this may differ from your default browser, which may require you to copy and paste the link into the browser.

How do I find another person's certificate in my client, GAL or DFN?

If you don't know the certificate of a person yet (e.g. by signing a previous e-mail traffic), you can find it out as explained here.

I cannot find a published certificate in GAL or in my e-mail client. What can I do?

You can do the explanation to find a certificate in this guide.

I received a signed email on my smartphone and I can't read it. How can I change this?

Probably the sender of the signed e-mail has not activated the option "Send plain text only" in his e-mail program (Outlook). So in order for you to be able to read the e-mail, the sender must activate this option and send the e-mail to you again.