Email Certificates via TCS

General information on the subject of email certificates.

Requirements for a Personal Email Certificate

  • You must be a "designated person" (a person whose identity has been verified against an official photo ID; you will then see the tile "Email Certificate" in TUGRAZonline).
  • You need an email address assigned by TUGRAZonline (@tugraz.at or @student.tugraz.at); certificates can be obtained this way only for these addresses!
  • You need a computer with internet access and the possibility to save files.

For non-personal addresses (e.g. office.INSTITUT@tugraz.at) IT officers can use the following instructions. If your IT officers are not available, you can also apply for the certificate at ZID.

Step 1: Apply for Email Certificate

To obtain a certificate for your personal email address, open the following page in your preferred browser:

https://cert-manager.com/customer/ACOnet/idp/clientgeant

There, after SSO login, the easiest way is to select the combination "GÉANT Personal email signing and encryption", "730 days", "Key Generation", "RSA - 4096", and "Compatible TripleDES-SHA1"; using other combinations may cause problems in some email clients.

Choose a secure password to protect your certificate.

Step 2: Save Email Certificate

You will now be offered a file in p12 format for download. Save this file either on your hard disk or (if you want to install the certificate on several computers) e.g. in the TU Graz Cloud. This file contains both your private key and your public key, protected by the password you chose.
If you are not asked where the certificate should be stored, it will be saved in the default download folder of your browser.
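
As an added example (not part of the TU Graz instructions), the following POSIX shell script checks a downloaded p12 file before it is imported anywhere: it confirms that the container holds a certificate for the expected address with the E-mail Protection usage and an RSA key of the chosen size, and shows which algorithm protects the container. It assumes the openssl command-line tool is installed; file name, password and address are placeholders, and make_fixture builds a throwaway self-signed certificate only so the check can be tried offline.

```shell
# Added example, not from the TU Graz page: inspect a downloaded .p12
# before importing it. The private key is never printed.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH.
set -eu

# Extract only the end-entity certificate (PEM). $1 = p12 path, $2 = password.
p12_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null
}

# Show which PBE algorithms protect the certificate and key bags; the
# "Compatible TripleDES-SHA1" choice shows up as pbeWithSHA1And3-KeyTripleDES-CBC.
p12_pbe() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 |
        grep -E 'Encrypted data|Shrouded Keybag' || true
}

# Print "ok" if the certificate carries address $3 in its SAN, the
# E-mail Protection EKU and an RSA key of at least $4 bits, else "fail".
# Usage with a real download: p12_check cert.p12 "$PW" you@tugraz.at 4096
p12_check() {
    cert=$(p12_cert "$1" "$2") || { echo fail; return 0; }
    text=$(printf '%s\n' "$cert" | openssl x509 -noout -text)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -qF "email:$3" &&
       printf '%s\n' "$text" | grep -q 'E-mail Protection' &&
       [ "${bits:-0}" -ge "$4" ]; then
        echo ok
    else
        echo fail
    fi
}

# Constructed fixture for trying this offline: a throwaway self-signed
# certificate packaged as the page recommends (NOT a TCS-issued one).
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:4096 -sha256 -days 1 -nodes \
        -subj "/CN=Jane Doe" \
        -addext "subjectAltName=email:jane.doe@tugraz.at" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:secret -out "$dir/test.p12"
    echo "$dir/test.p12"
}
```

A wrong container password, a certificate for a different address, or a key smaller than requested all yield "fail", so the check is safe to run on any file before it touches a keychain.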

Some email programs (e.g. Apple Mail) read certificates from the certificate store of the operating system, so it is useful to store the certificate in the operating system's certificate store as well (macOS: Keychain; Windows: Certificate Manager). For Thunderbird this is not necessary.
To do this, double-click the p12 file and enter the password you chose earlier (you may also have to enter the password of your account on the computer so that the certificate store can be modified).

If you want to install the certificate on a new computer or in another program, but the certificate file is no longer available, you must export the certificate from the old computer or the other program.

Step 3: Install Email Certificate

For email programs that use the certificate manager of the operating system, only the correct certificate has to be selected in the email program; for other programs, the p12 file has to be imported into each client that you want to use. The following steps are necessary in Outlook for each additional certificate:
  1. After you have imported the certificate, click on "Settings".
  2. A new window "Change security settings" opens.
  3. If your personal security setting is displayed here, click on "New".
  4. Give the setting a name.
  5. With "Select" you can assign the certificate of the avatar address to the new setting ("Select more").

There are also apps for Android that can handle S/MIME, e.g. R2Mail2 from Austria.

Step 4: Use Email Certificate

Once you have completed the above steps, your emails will from now on be signed automatically, depending on your settings. For this purpose a file in PKCS#7 format is attached to the email. If someone writes to you that an attachment in p7 format could not be opened, that recipient is using a very outdated program that cannot handle S/MIME.
Depending on the settings, emails are also encrypted automatically, or only when you explicitly request it.

Depending on the client, the emails are then displayed accordingly; in Thunderbird, for example, like this:
  • Signed
  • Encrypted
  • Signed and encrypted