User certificates

On 10 January 2025, the service provider Sectigo is expected to stop issuing certificates for all GÉANT TCS customers. This affects a large number of (research) institutions in Europe, including many in Germany and the University of Hohenheim. The reason is a dispute between Sectigo and GÉANT over key contractual issues. As things currently stand, it must be assumed that Sectigo will no longer provide its services from that date. GÉANT is already working intensively on finding a new provider, but the service is expected to be interrupted for several months until the new provider starts regular operation.

We therefore strongly recommend renewing certificates that expire within the second quarter of 2025 before the end of the year. This will allow sufficient time to bridge the transition period until the new service provider is fully integrated and the work processes have been adapted to the new regular operation.

Which certificate types are affected?

  • Server certificates (SSL) - for securing web and server services
  • Personal certificates (S/MIME) - for signing and encrypting emails

What options are there for obtaining a new certificate for servers after 10 January 2025?

  • Early application for a new certificate:
    If you already know that a certificate will be required after this date, you should apply for a new certificate before the end of 2024. This will allow you to bridge the transition period until a new service provider is introduced.
  • Automation via ACME (Automatic Certificate Management Environment) for web servers:
    Automating certificate issuance via the ACME protocol is ideal for self-administered web servers. As an interim solution, from 10 January 2025 until the new certificate service provider is fully integrated, certificates can be obtained from the provider 'Let's Encrypt'.

What options are there for obtaining a new personal (S/MIME) certificate after 10 January 2025?

Personal (S/MIME) certificates are valid for two years (from the date of issue). If your personal (S/MIME) certificate has an expiry date before the end of the second quarter of 2025, your only option is to renew your (S/MIME) certificate before the end of 2024.

What are user certificates used for?

Email programs such as MS Outlook, Thunderbird or webmail send emails in plain text by default, so on the way from the sender to the recipient an email could be read and modified. Email certificates (here: user certificates) protect against this: a digital signature authenticates the sender and reveals any alteration of the message, and the certificate can optionally be used to encrypt emails.

In addition, PDF files can be signed with a user certificate. The signature guarantees that the document is the unaltered version released by the signer(s). Instructions on how to set this up can be found on the right.

Prerequisites and procedure

Campus

Requirements / Preparation

Procedure

Please be sure to note:
You can only carry out the following steps if you fulfil or have carried out the above-mentioned "prerequisites / preparations"! Otherwise this will result in an error message!

  • After successful verification you will receive an email from the "Sectigo Certificate Manager" in your mailbox.
  • Now click the "Verify Email Address" button in the received email.
  • Now fill in all the required fields in the browser window that opens:
    1. Certificate Profile cannot be changed!
    2. Certificate Term cannot be changed! The term/validity of the certificate is 730 days.
    3. Key Type cannot be changed! RSA - 4096 is preset by default.
    4. Do not change the "First Name", "Middle Name" and "Last Name" field under any circumstances! Otherwise this will lead to the revocation of your certificate!
    5. Now confirm the license agreement by checking the box and select "Accept". This will set the checkmark.
    6. By clicking on "Submit" the certificate will be prepared. Do not close the browser window under any circumstances! The preparation of the certificate can take up to 4 minutes!
    7. PLEASE NOTE: Under the drop-down menu "Choose key protection algorithm", select "Secure AES256-SHA256".
    8. Now set a password to protect the private key. Be sure to make a note of this password! If the password is lost, the certificate becomes unusable! The password will be needed again later, when integrating the certificate into the e-mail program!
    9. By clicking on "Download" the certificate will be created and downloaded immediately. In most cases you will now find the certificate in "Downloads" and can use it. The file is saved as a .p12 file (example: smime_eyJpZCI6Mjg1NDIyMCwidsfsdfsdSI6IlNNSU1FIn0_.p12).
    10. The tab in the browser can now simply be closed after logging out.
    11. At the top right you will find the instructions for integrating the certificate into your e-mail programme.

University Administration

Requirements / preparation

What to do

Please note:
You can only carry out the following steps if you fulfill or have carried out the above-mentioned "requirements / preparation"! Otherwise this will lead to an error message!

  • After successful verification you will receive an email from the "Sectigo Certificate Manager" in your administration mailbox.
  • Now click the "Verify Email Address" button in the email.
  • Now fill in all the required fields in the browser window that opens:
    1. Certificate Profile cannot be changed!
    2. Certificate Term cannot be changed! The term/validity of the certificate is 730 days.
    3. Key type cannot be changed! RSA - 4096 is preset by default.
    4. Do not change the "First Name," "Middle Name," or "Last Name" fields under any circumstances! Otherwise your certificate will be revoked!
    5. Now confirm the license agreement by checking the box and select "Accept." This will set the checkmark.
    6. By clicking on "Submit" the certificate will be prepared. Do not close the browser window under any circumstances! The preparation of the certificate can take up to 4 minutes!
    7. PLEASE NOTE: Under the "Choose key protection algorithm" drop-down menu, you must select "Secure AES256-SHA256".
    8. Now set a password to protect the private key. Be sure to make a note of this password! If the password is lost, the certificate becomes unusable! The password is required again later when the certificate is integrated into the email program!
    9. Click on "Download" to create and download the certificate immediately. In most cases you will now find the certificate in "Downloads" and can use it. The file is saved as a .p12 file (example: smime_eyJpZCI6Mjg1NDIyMCwidsfsdfsdSI6IlNNSU1FIn0_.p12).
    10. The tab in the browser can now simply be closed after logging out.
    11. In the upper right corner you will find the instructions for integrating the certificate into your email program.
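Before importing the downloaded .p12 file (step 9 of either procedure above) into the e-mail program, it is worth checking that the file opens with the chosen password, that the key is RSA-4096, that the private key is protected with AES-256 as selected in step 7, and how long the certificate remains valid relative to the end-of-Q2-2025 cutoff named at the top of this page. The following script is an added example, not part of the university's or Sectigo's instructions; it uses the openssl command line and GNU date, and builds a constructed self-signed sample .p12 in place of a real download.

```shell
# Added example: inspect an S/MIME .p12 before importing it into the mail client.
# The sample .p12 is constructed here (self-signed RSA-4096) and stands in for a download.
set -eu

# Build a constructed sample .p12: $1 = output path, $2 = password, $3 = validity in days.
make_sample_p12() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:4096 -nodes -days "$3" \
        -subj "/CN=Example User/emailAddress=example.user@example.org" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    # Same protection as the "Secure AES256-SHA256" option: AES-256 bags, SHA-256 MAC.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" -out "$1" \
        -passout "pass:$2" -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
    rm -rf "$dir"
}

# Print the certificate inside the .p12 as PEM: $1 = .p12 path, $2 = password.
p12_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null
}

# Public key size in bits (the procedure presets RSA-4096).
p12_key_bits() {
    p12_cert "$1" "$2" | openssl x509 -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Whole days until notAfter; negative once the certificate has expired.
p12_days_left() {
    end=$(p12_cert "$1" "$2" | openssl x509 -noout -enddate | cut -d= -f2)
    echo $(( ( $(date -u -d "$end" +%s) - $(date -u +%s) ) / 86400 ))
}

# Does the certificate expire before the cutoff date ($3, YYYY-MM-DD)?
p12_expires_before() {
    end=$(p12_cert "$1" "$2" | openssl x509 -noout -enddate | cut -d= -f2)
    [ "$(date -u -d "$end" +%s)" -lt "$(date -u -d "$3 23:59:59" +%s)" ]
}

# Is the private key bag protected with AES-256? (openssl writes -info to stderr)
p12_key_uses_aes256() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 \
        | grep -qi 'Shrouded Keybag:.*AES-256-CBC'
}

# Demo run on the constructed sample; a real download would expire much sooner.
P12=$(mktemp); make_sample_p12 "$P12" 'constructed-password' 730
echo "key bits: $(p12_key_bits "$P12" constructed-password), days left: $(p12_days_left "$P12" constructed-password)"
p12_expires_before "$P12" constructed-password 2025-06-30 && echo "renew before the end of 2024" || true
```

Replace the constructed sample with the path to your downloaded .p12 and the password set in step 8; a certificate for which p12_expires_before reports 2025-06-30 should be renewed before the end of 2024.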

FAQ

General

The on-site identification is valid for 825 days from the time of identification by the IT Service Desk.

The user certificate has a validity period of 730 days (2 years).

Probably you have not yet been identified on site, or your identification is no longer valid (validity period 825 days), so you are not (or no longer) authorized to apply for a certificate. Please fill out the form and come to our IT Service Desk (Biogebäude 1, Garbenstraße 30, 1.UG) for (re-)identification.


Thunderbird

Error message in Thunderbird: "Certificate management cannot find a valid certificate that can be used to digitally sign your messages with the address <vorname.nachname@uni-hohenheim.de>."

  • Navigate to the "Account Settings" under the "Extras" menu.
  • Select "End-to-end encryption" on the left.
  • Click on the "Select" button under "Personal certificate for digital signature" and under "Personal certificate for encryption" and select the new valid certificate.

Error message in Thunderbird: "Sending the message failed: You have chosen to digitally sign this message, but the application could not find the signing certificate you specified in your account settings or the certificate has expired."

  • Navigate to the "Account Settings" under the "Extras" menu.
  • Select "End-to-end encryption" on the left.
  • Click on the button "Manage S/MIME certificates".
  • Click on "Import" and select the new certificate.
  • Click on "Empty" for "Personal certificate for digital signature" and for "Personal certificate for encryption".
  • Click on the "Select" button under "Personal certificate for digital signature" and under "Personal certificate for encryption" and select the new valid certificate.
