How to request a SWITCHpki QuoVadis user certificate (personal certificate)

In general, SWITCHpki user certificates are available to the organizations which belong to the SWITCH Community (as defined in appendix 1 of the Service regulations for services by SWITCH) and have signed up for SWITCHpki. For specific information about the availability at an individual organization, please get in touch with the respective local registration authority (contact information).

Once you have determined that you are eligible for receiving a user certificate from your organization, follow the steps below to submit your request.

1. Fill in and sign the application form, and create a copy of your ID document

Download the SWITCHpki User Certificate Application Form and fill in the Certificate Holder Details and Certificate Properties and Certificate Holder Additional Details sections (the fields can be filled in electronically when using Adobe Reader or another PDF tool with form support).

Sign the form by hand under Signature of applicant. This implies that you agree to be bound by the SWITCHpki QuoVadis certificate holder agreement.

Create a copy of your passport or government ID. In case of an ID card, do not forget to copy the rear side, too.

2. Provide paper copies of the form and the ID document copy to your local RA

The form needs to be signed off by an authorized representative of your organization, so send or hand over paper copies of the form and the ID document copy to your local registration authority (RA). The RA operator then forwards the completed form to the SWITCH registration authority.

3. Wait for the invitation e-mail from the QuoVadis Trust/Link system

After having received the duly completed form and ID document copy, the SWITCH RA will create a so-called invitation on the QuoVadis Trust/Link system. An e-mail with the subject SWITCHpki user certificate request for ...: your confirmation required will be sent to the address provided on the form under Certificate Holder Details.

4. Open the invitation link in the proper Web browser

Depending on your preferred e-mail client, open the invitation link with one of the supported Web browsers (the link is of the form To log in, supply your e-mail address and answer the secret question shown on the login page.

Please note: The invitation link will first check whether you have already installed the DigiCert Desktop Client. This application is necessary to activate your browser in order to create the certificate. QuoVadis provides instructions for this and redirects you to the appropriate website.
The following browsers are supported for requesting and retrieving a SWITCHpki user certificate:

  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Safari
  • Chrome

Using browsers other than above is discouraged and completely unsupported (i.e., use at your own risk).

5. Set a password for the certificate download, and confirm the request

After the login on the QuoVadis Trust/Link system, you are shown the details of the certificate to be issued (users of Microsoft Internet Explorer may have to answer Yes to a dialog which is asking for permission to perform a digital certificate operation on your behalf):

(click to enlarge)

Verify that these data are correct, set a password, and click Confirm. Your browser will then generate a cryptographic key on your local system and submit a request for signing the public portion of this key to QuoVadis (i.e., the private key never leaves your own system).

6. Retrieve the certificate with the browser used for step 5

Within a few seconds the certificate is issued by QuoVadis, and you will receive a SWITCHpki user certificate ... issued message with a download link. Open the link in the same browser and with the same user account (profile) you used for the previous step – otherwise the installation of the certificate will not succeed.

7. Export the certificate to a PKCS#12 file

At this time, the private key of your certificate only exists on your local system. Exporting the private key and the certificate to a file is required/recommended for two reasons: in order to 1) restore the private key in case of a hardware failure and 2) configure the certificate in the e-mail client. The standard format for exporting the certificate together with the private key (in encrypted form) is PKCS#12, on Windows also known as “PFX”. To export the certificate, proceed as follows:

  • Microsoft Internet Explorer: from the menu bar, navigate to Tools → Internet options → Content → Certificates. In the Certificates dialog, go to the Personal tab, select your certificate, and click Export…. In the first step of the export wizard, make sure to choose Yes, export the private key, and in the second step, check the Include all certificates in the certification path if possible option. Choose a strong password and specify the file name for the certificate backup.

Note: while the PKCS#12 (PFX) file is protected by a passphrase you still need to make sure that the backup copy is stored in a secure place only: if an attacker gets hold of this file, he could try to brute force your passphrase.

8. Configure the certificate in your e-mail client

  • Microsoft Outlook 2013: Click the File tab, select Options → Trust Center Settings… → E-Mail Security → Encrypted e-mail → Settings… This will open the Change Security Settings dialog, where the signing certificate and the encryption certificate can be chosen:
    Outlook 2013 S/MIME configuration
    The Signing Certificate and Encryption Certificate options should already be preselected with your certificate, but you can use the Choose… button to verify their details (or explicitly choose a certificate if more than one is available). Message signing can either be turned on by default by checking the Add digital signature to outgoing messages box under Encrypted e-mail or on a per-message basis by activating the Sign button under Options → Permission:
    Outlook 2013 message options
  • Mozilla Thunderbird: First copy the exported PKCS#12 file from step 7 to your system. In the Tools menu, select Account Settings… and click Security under the account for which you want to configure the signing/encryption certificate. Then, click Manage Certificates on the right hand side, switch to the Your Certificates tab, and click the Import… button. Locate the PKCS#12 file you saved in the previous step, and after a successful import your certificate will appear on the Your Certificates tab. Close the dialog by clicking OK, and then use the Select… button under Digital Signing to set your new certificate for S/MIME signing. The settings should then look as follows:
    Thunderbird S/MIME configuration
    When asked Do you want to use the same certificate to encrypt & decrypt messages sent to you?, answer Yes if you intend to use the certificate for message encryption as well (otherwise, you may answer No and leave this option blank). Message signing can be turned on by default by checking the Digitally sign messages (by default) box or on a per-message basis by opening the Security drop-down menu and selecting Digitally Sign This Message:
    Thunderbird message security options
  • Apple Mail: First copy the exported PKCS#12 file from step 7 to your system and import the certificate into the login keychain. Apple Mail will then automatically sign outgoing messages, provided that the e-mail address in the account settings matches the one in the certificate. There is no option in Apple Mail for explicitly selecting the signing certificate, it's only possible to turn message signing on or off on a per-message basis with the icon in the upper right hand corner of the New Message window:
    Apple Mail S/MIME icons