Important notice
Until the end of August 2023, user certificates could be applied for via the DFN portal. From September 2023, user certificates can only be obtained via Sectigo. Personal identification is required.
Scope of functions
Employees of the University of Stuttgart can apply for a personal user certificate.
User certificates (S/MIME) make it possible to sign e-mails or to communicate in encrypted form by e-mail.
- Signing e-mails: An electronic signature is used in e-mail correspondence to ensure that an e-mail originates from the specified sender (proof of authenticity) and that the e-mail has not been subsequently changed (proof of integrity). This increases the confidence of communication partners that an e-mail is not a forgery.
- Encrypting e-mails: Encryption can improve confidential communication between two partners, but should only be used if there is an increased need for confidentiality and if both sender and recipient are aware of the risks.
Limitations and risks
- If the certificate information is lost, encrypted e-mails can no longer be decrypted and read; this is particularly important when archiving e-mails.
- If encrypted e-mails are passed on (forwarded or moved to another mailbox) to a holiday replacement or a successor, that person may not be able to decrypt them.
- A digital signature increases the confidence that an e-mail was sent from the specified sender's user account. However, this does not ensure that the e-mail originates from the specified person if, for example, the computer is infected by a virus or other people have access to the e-mail account.
- Accordingly, encryption protects an e-mail in transit from the sender's computer to the recipient's computer against "interception" by third parties. If one of these two computers is infected by a virus or the passwords are known to other people, unauthorised third parties can still gain knowledge of the message.
- Encrypted e-mails cannot be checked for spam and viruses by IZUS/TIK.
Handling certificates
- Secure storage: The certificate information (.p12 file and password) must always be stored securely and protected against unauthorised use. If a compromise is detected, the certificate must be revoked in every case.
- No passing on: Certificate information may only be used by the certificate holder personally; passing it on, e.g. to a holiday replacement, is not permitted.
- External storage: The certificate information should be stored in a password-protected location that you can access even if the computer you are using is damaged, lost or replaced, e.g. on a USB memory stick.
- Permanent storage: User certificates are currently valid for 3 years. After this time, a new certificate must be created and the expired certificate loses its validity. In order to continue to access encrypted e-mails that were encrypted with the expired certificate, the expired certificate must be available and used. Please also bear in mind that if you change computers, you will have to reinstall the expired certificate on the new computer.
- Use on different clients: If you use several clients (PC, notebook, tablet), the certificate must be installed on all clients if you want to create or read encrypted e-mails there.
Certificate creation procedure
- User certificates are applied for / purchased via an online form. The process is described on the instruction pages.
- You must be identified before the user certificate can be issued. This is done at IZUS/TIK. Please make an appointment for this by e-mail (pki-support@tik.uni-stuttgart.de). Bring a valid identification document with you.
Instructions