How to request a SWITCHpki QuoVadis user certificate (personal certificate)
In general, SWITCHpki user certificates are available to the organizations which belong to the SWITCH Community (as defined in appendix 1 of the Service regulations for services by SWITCH) and have signed up for SWITCHpki. For specific information about the availability at an individual organization, please get in touch with the respective local registration authority (contact information).
Once you have determined that you are eligible for receiving a user certificate from your organization, follow the steps below to submit your request.
1. Fill in and sign the application form, and create a copy of your ID document
Download the SWITCHpki User Certificate Application Form and fill in the Certificate Holder Details and Certificate Properties and Certificate Holder Additional Details sections (the fields can be filled in electronically when using Adobe Reader or another PDF tool with form support).
Sign the form by hand under Signature of applicant. This implies that you agree to be bound by the SWITCHpki QuoVadis certificate holder agreement.
Create a copy of your passport or government ID. In case of an ID card, do not forget to copy the rear side, too.
2. Provide paper copies of the form and the ID document copy to your local RA
The form needs to be signed off by an authorized representative of your organization, so send or hand over paper copies of the form and the ID document copy to your local registration authority (RA). The RA operator then forwards the completed form to the SWITCH registration authority.
3. Wait for the invitation e-mail from the QuoVadis Trust/Link system
After having received the duly completed form and ID document copy, the SWITCH RA will create a so-called invitation on the QuoVadis Trust/Link system. An e-mail with the subject "SWITCHpki user certificate request for ...: your confirmation required" will be sent to the address provided on the form under Certificate Holder Details.
4. Open the invitation link in the proper Web browser
Depending on your preferred e-mail client, open the invitation link
with one of the supported Web browsers (the link is of the form
To log in, supply your e-mail address and answer the secret question
shown on the login page. The following two browsers are supported for
requesting and retrieving a SWITCHpki user certificate:
- Microsoft Internet Explorer: recommended for Windows users with Outlook as their e-mail client.
- Mozilla Firefox: for users of operating systems other than Windows, and recommended for Windows users with Thunderbird as their e-mail client.
Note: Using browsers other than Internet Explorer or Firefox is strongly discouraged and completely unsupported (i.e., use at your own risk).
5. Set a password for the certificate download, and confirm the request
After the login on the QuoVadis Trust/Link system, you are shown the details of the certificate to be issued (users of Microsoft Internet Explorer may have to answer Yes to a dialog which is asking for permission to perform a digital certificate operation on your behalf):
Verify that these data are correct, set a password, and click Confirm. Your browser will then generate a cryptographic key on your local system and submit a request for signing the public portion of this key to QuoVadis (i.e., the private key never leaves your own system).
6. Retrieve the certificate with the browser used for step 5
Within a few seconds the certificate is issued by QuoVadis, and you will receive a "SWITCHpki user certificate ... issued" message with a download link. Open the link in the same browser and with the same user account (profile) you used for the previous step – otherwise the installation of the certificate will not succeed.
7. Export the certificate to a PKCS#12 file
At this time, the private key of your certificate only exists on your local system. Exporting the private key and the certificate to a file is required/recommended for two reasons: in order to 1) restore the private key in case of a hardware failure and 2) configure the certificate in the e-mail client. The standard format for exporting the certificate together with the private key (in encrypted form) is PKCS#12, on Windows also known as “PFX”. To export the certificate, proceed as follows:
- Microsoft Internet Explorer: from the menu bar, navigate to Tools → Internet options → Content → Certificates. In the Certificates dialog, go to the Personal tab, select your certificate, and click Export…. In the first step of the export wizard, make sure to choose Yes, export the private key, and in the second step, check the Include all certificates in the certification path if possible option. Choose a strong password and specify the file name for the certificate backup.
- Mozilla Firefox: from the menu bar, navigate to Tools → Options → Advanced → Certificates → View Certificates (on Mac OS X, start with Firefox → Preferences…). In the Certificate Manager dialog, go to the Your Certificates tab, select your certificate, click Backup…, specify a file name (with .p12 as suffix), and set a strong backup password.
Note: while the PKCS#12 (PFX) file is protected by a passphrase you still need to make sure that the backup copy is stored in a secure place only: if an attacker gets hold of this file, he could try to brute force your passphrase.
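One way to check the exported file before relying on it as a backup, as an added example that is not part of the original SWITCHpki instructions: the script uses the OpenSSL command-line tool to confirm that the passphrase opens the file, that the private key is included, and that it matches the certificate. The function names, the P12_PASS variable and the sample certificate are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a PKCS#12 backup before relying on it.
# The passphrase is read from the P12_PASS environment variable (a name
# chosen for this example) so that it never appears on the command line.

check_p12() {
    local p12="$1" key_pub leaf cert_pub chain
    # 1. The passphrase opens the file and its integrity MAC verifies.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -noout 2>/dev/null \
        || { echo "FAIL: wrong passphrase or damaged file"; return 1; }
    # 2. A private key is present (a certificate-only export is no backup).
    #    The decrypted key only travels through a pipe, never to disk.
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null || true)
    [ -n "$key_pub" ] || { echo "FAIL: no private key in file"; return 2; }
    # 3. That key belongs to the user certificate stored next to it.
    leaf=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
        2>/dev/null || true)
    cert_pub=$(printf '%s\n' "$leaf" | openssl x509 -pubkey -noout 2>/dev/null || true)
    [ "$key_pub" = "$cert_pub" ] || { echo "FAIL: key does not match certificate"; return 3; }
    # 4. Report how many CA certificates of the certification path are included.
    chain=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
    echo "OK: key matches certificate, $chain CA certificate(s) included"
    # 5. Warn if group or others have any access to the file.
    [ "$(ls -l "$p12" | cut -c5-10)" = "------" ] \
        || echo "WARN: file is accessible to other users, consider chmod 600"
    return 0
}

# Constructed sample input: a throwaway self-signed certificate for a
# made-up address, packed into a PKCS#12 file like a browser backup.
make_sample_p12() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Sample User/emailAddress=user@example.org" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/backup.p12" -passout env:P12_PASS || return 1
    chmod 600 "$dir/backup.p12"
}

export P12_PASS='constructed-sample-passphrase'
demo_dir=$(mktemp -d)
make_sample_p12 "$demo_dir" && check_p12 "$demo_dir/backup.p12"
rm -rf "$demo_dir"
```

To check a real backup, export P12_PASS with your backup passphrase and call check_p12 with the path of the file. With OpenSSL 3.x, a file exported by an older browser may need the -legacy option added to each openssl pkcs12 call.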
8. Configure the certificate in your e-mail client
- Microsoft Outlook 2013: Click the File tab, select Options → Trust Center Settings… → E-Mail Security → Encrypted e-mail → Settings… This will open the Change Security Settings dialog, where the signing certificate and the encryption certificate can be chosen:
The Signing Certificate and Encryption Certificate options should already be preselected with your certificate, but you can use the Choose… button to verify their details (or explicitly choose a certificate if more than one is available). Message signing can either be turned on by default by checking the Add digital signature to outgoing messages box under Encrypted e-mail or on a per-message basis by activating the Sign button under Options → Permission:
- Mozilla Thunderbird: In the Tools menu, select Account Settings… and click Security under the account for which you want to configure the signing/encryption certificate. Then, click View Certificates on the right hand side, switch to the Your Certificates tab, and click the Import… button. Locate the PKCS#12 file you saved in the previous step, and after a successful import your certificate will appear on the Your Certificates tab. Close the dialog by clicking OK, and then use the Select… button under Digital Signing to set your new certificate for S/MIME signing. The settings should then look as follows:
When asked Do you want to use the same certificate to encrypt & decrypt messages sent to you?, answer Yes if you intend to use the certificate for message encryption as well (otherwise, you may answer No and leave this option blank). Message signing can be turned on by default by checking the Digitally sign messages (by default) box or on a per-message basis by opening the Security drop-down menu and selecting Digitally Sign This Message:
- Apple Mail: Double-click the PKCS#12 file in the Finder, and import the certificate into the login keychain. Apple Mail will then automatically sign outgoing messages, provided that the e-mail address in the account settings matches the one in the certificate. There is no option in Apple Mail for explicitly selecting the signing certificate; it's only possible to turn message signing on or off on a per-message basis with the icon in the upper right hand corner of the New Message window: