User Certificates for Signing and Encrypting e-Mails

The Department of Mechanical Engineering now runs its own Registration Authority (RA), which issues not only personal certificates (usable, among other things, for signing and encrypting e-mails) but also server certificates for encrypted connections. These certificates are issued within the DFN-PKI, which in turn uses the root certificate of Deutsche Telekom. This ensures that the above certificates are accepted worldwide.

Procedure from Certificate Request to Certificate Installation

  1. Using the Firefox browser (required), open the DFN-PKI web page created for our registration authority. You will need the same browser profile again later in order to import the generated certificate.
  2. Click on 'Nutzerzertifikat'.
  3. Complete the form and note the following:
    • Select 'E-Mail' and enter the e-mail address the certificate is intended for
    • Recommendation: leave the field 'Department' blank or enter the full name of your Chair (the Department is added automatically)
    • Write down the PIN; it is indispensable for any later use of the certificate
    • We suggest agreeing to publication of the certificate (see below)
  4. Print the form and complete the data on it.
  5. Go to the registration office MW and present the form along with your valid identity card or passport for verification and release of the certificate. You will immediately receive an e-mail with a link to the issued certificate.
  6. Please store your certificate in a secure location.

Certificate Request

Go to the MW-CA page and click 'Nutzerzertifikat' to complete the form, but leave 'Abteilung' blank. You will need the identical browser (the same browser profile) to import your certificate later.

Click NEXT to bring up a window and confirm the data.

Selecting 'Zertifikatantrag anzeigen' produces a PDF file. Please print the file and submit it to the registration office MW together with your identity card. After verification and release of the request, you will receive links to the certificates by e-mail a few minutes later.

Installation in Firefox

Step 1:
To install the certificates in the browser, go to the first URL in the certificate e-mail.

Click once each on 'Wurzelzertifikat', 'DFN-PCA Zertifikat' and 'TUM CA Zertifikat'.

Step 2:
In all windows appearing thereafter, enable all available options and confirm.

Step 3:
If you use Thunderbird as your mail program, be sure to save the certificates on your hard disk so that you can install them there.

To do so, right-click the above three certificate links once more and select 'Save Target As'.

Now the following three files should be available on your hard disk:

  • rootcert.crt
  • intermediatecacert.crt
  • cacert.crt

Then click the second link in the confirmation mail, which leads directly to your personal certificate, and click 'Zertifikat importieren' to import it.

Step 4:
Now make the recommended backup of the key, which is also required for Thunderbird: in Firefox (Windows) click 'Extras – Settings – Advanced'. Then switch to the tab 'Certificates'. Clicking on 'Show Certificates – Your Certificates' should show your imported certificate. Please click on the certificate and select 'Backup'. You can now save your certificate on your hard disk (*.p12). Please store the certificate in a safe location and create a backup copy.


Installation in Thunderbird

Step 1:
To import the certificates, click 'Extras' and then 'Settings'

Go to 'Advanced' and select the tab 'Certificates'. Pressing the button 'Certificates …' brings up the certificate manager. Please import the three certificates you saved from Firefox (see Installation in Firefox, Step 3 above) into the tab 'Authorities', and import your personal key (*.p12), which you exported from Firefox (see Step 4 above, backup copy of the key), into the tab 'Your Certificates'.

Step 2:

If you wish to sign all mails by default, proceed as follows:

Click 'Extras' and then 'Accounts'.

In the TUM account, select 'S/MIME Security' on the left in the menu and press the buttons 'Digital Signature' and 'Encryption' to select your certificate. Finally tick the 'Add digital signature' box.


Step 3:
If individual e-mails are to be encrypted or left unsigned, click 'S/MIME' in the menu bar when composing the message and select or turn off the options as required.

Installation in Outlook 2007 and 2010

Start with importing and saving the certificates as outlined for Firefox.

Then import your personal key:

  • Outlook 2010:
    File – Options – Trust Center – Trust Center Settings – E-mail Security
  • Outlook 2007:
    Click 'Extras' and 'Trust Center' and go on to 'Email Security'.

(Top:) Tick 'Add digital signature to outgoing messages' and 'Send clear text signed messages'.

Under 'Digital IDs (Certificates)' click the button 'Import/Export...'

Import file: Select 'Search', choose the *.p12 file and enter the associated password.

The digital ID is: Technische Universitaet Muenchen. Select and confirm by OK. You are done!

Installation in Outlook 2003

Step 1:
Import and save the certificates as outlined for Firefox.

Then import the personal key.

Click 'Extras' and 'Options' and select 'Security'.

(Top:) Select 'Add digital signature to outgoing messages'.

(Bottom:) Click 'Import/Export'.

Step 2:
Import file: Press 'Search' and select the *.p12 file.

Enter associated password.

Name of digital ID: Technische Universitaet Muenchen

Step 3:
Press OK to confirm the options – you're done!

Publication of the Certificate

If you agree to publication of your user certificate, it will be included in the directory service of DFN-PKI, which is freely available on the internet. Publication has the advantage that anyone interested can send you an encrypted message, because your public key can be retrieved from the internet.

Notes from DFN (German Research Network) on publication of the user certificate.

Server Certificates

If you are running a server that provides encrypted connections with SSL/TLS – for instance a web server enabling HTTPS access – you will require a server certificate.

Regarding the certificates issued by DFN, please mind the following:

  • Certificates may only be used for servers that are run on behalf of the Department of Mechanical Engineering or of its subunits. Commercial use is not allowed.
  • The distinguished name of the certificate must end with: OU=Fakultaet fuer Maschinenwesen,O=Technische Universitaet Muenchen,L=Muenchen,ST=Bayern,C=DE
  • Only specific domains are permissible as domain names of the certificates. If your domain name does not end in tum.de and you have not yet received a certificate from us, your domain is very probably not included in the existing list. Should you receive a corresponding error message when requesting a certificate, please contact Mr Grimm. Additional domains can be added, but the procedure may take several days.
  • You can obtain a single certificate for several server names. However, wildcards such as '*.mw.tum.de' are not accepted.

Please create your Certificate Request as a PEM file. On Linux systems this is usually done with the OpenSSL suite, whereas other operating systems or appliances often have their own administrative interfaces.
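The script below is an added example (not part of the original page) of creating such a request with OpenSSL on Linux. It generates a fresh key and a PEM CSR whose subject ends in the DN suffix required above, puts every server name into the subjectAltName extension so one request can cover several names, and refuses wildcard names because the RA does not accept them. The host names, the output directory and the helper names (make_server_csr, csr_subject_suffix_ok, csr_sans) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original page: create a server certificate
# request as a PEM file with OpenSSL on Linux. The subject ends in the DN
# suffix the page prescribes, every host name goes into subjectAltName, and
# wildcard names are rejected because the RA does not accept them.
# Host names and the output directory are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# DN suffix exactly as given on the page (RFC 2253 order, least significant first)
DN_SUFFIX="OU=Fakultaet fuer Maschinenwesen,O=Technische Universitaet Muenchen,L=Muenchen,ST=Bayern,C=DE"

# make_server_csr PRIMARY_HOST [EXTRA_HOST ...]
# Writes $WORKDIR/server.key (keep private) and $WORKDIR/server.csr (upload this).
make_server_csr() {
    primary="$1"; shift
    san="DNS:$primary"
    for h in "$primary" "$@"; do
        case "$h" in
            *'*'*) echo "wildcard names such as '$h' are not accepted" >&2; return 1 ;;
        esac
    done
    for h in "$@"; do san="$san,DNS:$h"; done

    # minimal request config: full DN (no prompting) plus the SAN extension,
    # which must be a request extension so that it is embedded in the CSR
    cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
C = DE
ST = Bayern
L = Muenchen
O = Technische Universitaet Muenchen
OU = Fakultaet fuer Maschinenwesen
CN = $primary
[ ext ]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/csr.cnf" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    chmod 600 "$WORKDIR/server.key"
}

# csr_subject_suffix_ok CSR: true when the request's subject ends in DN_SUFFIX
csr_subject_suffix_ok() {
    subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    case "$subject" in
        *",$DN_SUFFIX") return 0 ;;
        *) return 1 ;;
    esac
}

# csr_sans CSR: prints the DNS names carried in the request, one per line
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Usage (constructed host names): sh make_csr.sh www.example.mw.tum.de example.mw.tum.de
if [ "$#" -gt 0 ]; then
    make_server_csr "$@"
    csr_subject_suffix_ok "$WORKDIR/server.csr" || { echo "subject does not end in the required DN suffix" >&2; exit 1; }
    echo "request written to $WORKDIR/server.csr for:"
    csr_sans "$WORKDIR/server.csr"
fi
```

Only server.csr is uploaded through the DFN PKI interface; server.key never leaves the server, which is why the script restricts its permissions immediately. Checking the subject suffix and the SAN list locally before uploading avoids a rejected request and another round trip to the registration office.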

The PKI interface provided by DFN lets you upload the certificate request under the tab 'Server Certificates'. All further steps for the form – completion, printing and presentation to Mr Grimm – are identical to those for user certificates.