- Created by Kisic Mirel (4ea), last modified by Greuter Joel (ID) on Feb 26, 2024
Support
Please contact us via SmartDesk, Email servicedesk@id.ethz.ch or by phone +41 44 632 77 77
Service Information and Update
Blog entry
FAQ
The certificates are free of charge for ETH employees. The IT services at ETH Zurich bear these costs centrally.
This is managed by the IT support group of your organizational unit. If you log in to the PKI portal and see no function for applying for a certificate, you are not activated. In this case, contact your IT support group.
Signing meeting invitations is not supported by the mail clients.
Yes, certificates for group mailboxes are also available. The order is placed via a ticket to the Service Desk with information about the account, the email address and the send-as authorization group. All members of the send-as authorization group can then see this certificate in their personal PKI portal and can download and install it. The installation works the same way as for the personal certificate.
To encrypt mail, everyone involved, the sender and all recipients, need a valid certificate. The public keys of all recipients must be known to the sender's mail client. This is the case if the recipients have sent a signed mail to the sender in advance. The sender's mail client then encrypts the mail using the recipient's public keys.
This is a bug in the macOS mail client. There is already a ticket open at Apple for this. There is no info when this will be resolved.
The certificate was valid at the time the mail was sent. But if it has expired or has been revoked in the meantime, Outlook confusingly shows this as a problem.
It is not advisable to do so. For this, the client would have to hand over their certificate to the sender, which is not allowed according to the BOT. The group mailbox options should be used instead.
No. Unfortunately, there is no possibility to use the mail certificates in webmail.
Order
Attention: You must be in the ETH network or connected to the VPN, otherwise you cannot access the page.
Attention: After clicking on Login, the data is loaded in the background. This may take a short time. Never reload or close the window during this process.
Attention: The creation of the certificate takes a short moment. Click the Issue certificate button only once and wait until the new certificate is displayed.
Warning! Copy the password to the clipboard, as it will be needed later for the installation of the certificate.
On macOS and iOS in the Safari browser, you may be asked to confirm that you wish to allow downloads on "pki-portal.ethz.ch". Click on Allow to confirm.
Attention: If you use a browser other than Microsoft Edge, it will look different from the screenshot. Navigate to the location of the pfx (Windows/Linux) or mobileconfig (macOS) file (usually this is the "Downloads" folder) and open the file by double-clicking it. On iOS the profile becomes available in Settings.
Installation
Windows
- Open the just downloaded file "PersonalEmail.pfx"
- Leave the "Current User" setting and click Next.
- Leave the file name and click on Next
- Insert the password previously displayed in the PKI Portal and leave all other settings.
- Click on Next
- Leave the file name and click on Next
- Click on Finish
- Confirm the following message by clicking on OK
- Start Outlook and click top left on File - Options
- Click on Trust Center on the left and on the button Settings for the Trust Center on the right.
- Click on E-Mail Security on the left and on the Settings button on the right.
- Make sure that your e-mail address is displayed in the Security Settings Name field
- Click on the Choose button in the Signature Certificate field.
Attention
If the field "Security Settings Name" is empty, you can enter any text and click "New" after you have chosen the certificate. (Please note that later in this manual you will need to select this entered text instead of your e-mail address.)
- If you already have a certificate, several will be displayed. Select the new certificate. You can recognize it by the date. For example, if you ordered it today, you should see today's date and the certificate should be valid for three years from the date of creation.
- In the field Hash Algorithm select SHA256
- Repeat the procedure for the Encryption Certificate field
- Set the other settings according to the screenshot
- Click on OK
- Check that your e-mail address is visible in the Default setting field.
VERY IMPORTANT
- Check "Add digital signature to outgoing messages"
- Click on OK and then on OK again
Congratulations!
You have now successfully installed the new certificate. Check this by sending an e-mail to a colleague or yourself. A seal should now be visible next to the sender.
- Start Outlook and click top left on File - Options
- Click on Trust Center on the left and on the button Settings for the Trust Center on the right.
- Click on E-Mail Security on the left and on the Settings button on the right.
- Make sure that your e-mail address is displayed in the Security Settings Name field
- Click on the Choose button in the Signature Certificate field.
- If you already have a certificate, several will be displayed. Select the new certificate. You can recognize it by the date. For example, if you ordered it today, you should see today's date and the certificate should be valid for three years from the date of creation.
- Select SHA256 in the field Hash Algorithm
- Repeat the selection of the new certificate for the Encryption Certificate field
- Leave the other settings as they are (see also the screenshot)
- Click on OK
- Start Outlook and click top left on File - Options
- Click on Trust Center on the left and on the button Settings for the Trust Center on the right.
- Click on E-Mail Security on the left and on the Settings button on the right.
- Uncheck "Add digital signature to outgoing messages"
- Confirm with "OK"
macOS
- Browse to the Downloads folder (or open it from the toolbar) and double-click the "mobileconfig" file. This is a "configuration profile", used to distribute certificates in a secure manner on macOS.
  - macOS 10.15 or older: When using Safari with default settings, the profile opens automatically.
  - macOS 11 or newer: Opening the configuration profile is not automatic. Open it from the Downloads folder. A notification will then inform you that the profile is in System Preferences. Navigate to System Preferences > Profiles to review the profile.
- Install the profile:
  - macOS 10.15 or older: You are asked to install the profile. Press Continue.
  - macOS 11 or 12: The profile appears in the Downloaded section of the Profiles pane. Click Install...
  - macOS 13 or newer: Open the System Settings application and navigate to Privacy & Security → Profiles. Double-click the item named "Email_[username]_[date]" in the "Downloaded" section.
- Confirm that you are sure you want to install the profile by pressing "Install".
- Enter the password from the PKI Portal.
- Confirm once again that you are sure you want to install the profile by pressing "Install".
- The certificate is then installed (on macOS 13 or newer, the certificate can be double-clicked to show details).
- Start Apple Mail and open a "New e-Mail"
- User chooses to sign an e-mail. This is shown with a blue "signed" button, which can be toggled between enable/disable.
- If the user has the public key of the recipient's email address, the user can also choose to encrypt the message. This is shown by a blue "encrypted" button, which can be toggled between enable/disable.
- Start Outlook
- Click on "Outlook" in the menu bar and then select "Preferences..." (in newer macOS versions this is named "Settings").
- Click on "Accounts"
- Click on "Advanced..."
- Select the "Security" tab
- Under "Digital Signing", the "Certificate" item, select the certificate that is on your name in the drop-down menu.
- Activate the checkbox "Sign outgoing messages"
- Under "Encryption", the "Certificate" item, select the certificate that is on your name in the drop-down menu.
- If you now create a new mail, the Sign button should be activated under "Options".
- macOS 12 or older: Open System Preferences → Profiles
- macOS 13 or newer: Open System Settings → Privacy and Security → Profiles
- Click on the Email Profile that you installed earlier, and click on the "-" button at the bottom of the list.
- A warning is displayed. Click on Remove to delete the profile and associated certificates.
- The certificates are now removed.
Linux
- Go to the site: PKI security certificates and click on “QuoVadis Swiss Advanced CA G4”
- When prompted on how to open the file choose “Save File” and click on OK. Note where you saved the file as you will need it in the next steps.
- Open Thunderbird
- Click on the 3 horizontal lines on the top right and choose “Preferences”
- Click on “Privacy & Security”, scroll down to Certificates and click on “Manage Certificates”
- Click on “Authorities” and then click on “Import”
- Browse to the QuoVadis Swiss Advanced CA G4 certificate and click on Open
- Select both options for trust and click “OK”
- Scroll down the certificate list, look for QuoVadis and confirm the certificate is installed.
- Click on “Your Certificates” and then click on “Import”
- Browse to the folder. Make sure “All Files” is selected, then choose your certificate and click on “Open”
- Enter the password that was provided to you when you downloaded the certificate and click on “OK”.
- The certificate should now be imported. Click on OK.
- Close the preferences menu.
- Right-click on your mailbox and choose “Settings”
- Click on “End-To-End Encryption” and scroll down to S/MIME
- For the setting “Personal certificate for digital signing” click on “Select”, click on the certificate you just installed and click on “OK”
- At the pop-up window about encryption, click on “Yes”
- Scroll down a little and make sure “Add my digital signature by default” is checked and that “Do not enable encryption by default” is selected
- Close the “Account Settings” tab
- Open Thunderbird
- Click on the 3 horizontal lines on the top right and choose “Preferences”
- Click on “Privacy & Security” and scroll down to certificates and click on “Manage Certificates”
- Click on “Your Certificates” and then click on “Import”
- Browse to the location of the new certificate, select it and click on “Open”
- Enter the password that was provided to you when you downloaded the certificate and click on “OK”.
- The new certificate should now be added. Please remember the serial number of the new certificate and click on “OK”
- Close the preferences menu.
- Right-click on your mailbox and choose “Settings”
- Click on “End-To-End Encryption” and scroll down to S/MIME. For “Personal certificate for digital signing” click “Select”
- Choose the newly installed certificate from the drop down list and click on “OK”.
- Once the new certificate is selected, additional information about it will be displayed in the text box underneath.
- Click “Yes” for the next popup window
- The new certificate is now configured for signing and encryption. Please close the “Account Settings”
- Open Thunderbird
- Right-click on your mailbox and choose “Settings”
- Click on “End-To-End Encryption”, scroll down to S/MIME and click Clear for both the signing and the encryption certificate. Also uncheck “Add my digital signature by default”.
- Close the “Account Settings” tab
- Download the root certificate before installing the user certificate: go to the site: PKI security certificates and click on “QuoVadis Swiss Advanced CA G4”.
- When prompted on how to open the file choose “Save File” and click on OK. Note where you saved the file as you will need it later.
- Open Thunderbird.
- Click on the 3 horizontal lines on the top right and choose “Preferences” and then click on “Preferences” again.
- Click on “Advanced” in the left menu, then click on the “Certificates” header on the right and then on “Manage Certificates”
- Click on “Authorities” and then click on “Import”.
- Browse to the QuoVadis Swiss Advanced CA G4 certificate you previously downloaded and click on Open.
- Select both options for trust and click “OK”.
- Scroll down the certificate list, look for QuoVadis and confirm the certificate is installed.
- Click on “Your Certificates” and then click on “Import”.
- Browse to the folder. Make sure “All Files” is selected, then choose your certificate and click on “Open”.
- Enter the password that was provided to you when you downloaded the certificate and click on “OK”.
- The certificate should now be imported. Click on OK.
- Close the preferences menu.
- Right-click on your mailbox and choose “Settings”.
- Click on “Security”.
- For the setting “Digital Signing” click on “Select”, click on the certificate you just installed and click on “OK”.
- At the pop-up window about encryption, click on “Yes”.
- Scroll down a little and make sure “Digitally sign messages (by default)” is checked and that “Never (do not use encryption)” is selected.
- Close the “Account Settings” tab.
- Open Thunderbird
- Click on the 3 horizontal lines on the top right and choose “Preferences” and then click on “Preferences” again.
- Click on “Advanced” in the left menu, then click on the “Certificates” header on the right and then on “Manage Certificates”.
- Click on “Your Certificates” and then click on “Import”.
- Browse to the folder. Make sure “All Files” is selected, then choose the new certificate and click on “Open”.
- Enter the password that was provided to you when you downloaded the certificate and click on “OK”.
- The certificate should now be imported. Please note the different serial number and the updated expiry date. Click on OK.
- Close the preferences menu.
- Right-click on your mailbox and choose “Settings”.
- Click on “Security”.
- For the setting “Digital Signing” click on “Select” and click on the newer certificate you just installed.
- After you have selected it, you should be able to see the newer expiry date. Please also verify the “Serial Number”.
- Click on OK.
- At the pop-up window about using the same certificate, click on “Yes”.
- Scroll down a little and make sure “Digitally sign messages (by default)” is checked and that “Never (do not use encryption)” is selected.
- Close the “Account Settings” tab.
- Open Thunderbird
- Right-click on your mailbox and choose “Settings”
- Click on “Security”
- Make sure “Digitally sign messages (by default)” is unchecked and that “Never (do not use encryption)” is selected, then click on “OK”.
- Close the “Account Settings” tab
Mobile devices
- To install the mail certificate on the iPhone or iPad, it must be present on the corresponding device.
Attention
For the installation you need the password that was displayed in the certificate order step!
- If you ordered the certificate via a PC or Mac client, you can send it via e-mail to your own business address on your mobile device to install it there afterwards.
- Open the sent email on your mobile device and open the attached email certificate.
- If you ordered the e-mail certificate directly on your mobile device via a web browser and downloaded it this way, you will be asked whether you want to load the configuration profile. Select Allow here.
Attention
To download and install the e-mail certificate directly on the mobile device via the PKI portal, it must be connected either directly to the ETH WLAN or via VPN. The PKI portal is only accessible within the ETH network.
- The message appears that your profile has been loaded. Confirm the message with Close.
- Open the iOS settings.
- You should now see the "Profile loaded" section. Click on it to display the loaded profile.
- Now click Install in the profile to install the email certificate on your mobile device.
- Enter the certificate password that you received in the PKI portal. Confirm the entry with Next.
- Confirm with your mobile device unlock code and agree to the installation.
- In the iOS settings on your mobile device, click Mail, and then click Accounts.
- Select your ETH mail account from the list of existing accounts.
Attention
The displayed name of the account can be different (e.g. Exchange, ETH, etc.). The email address itself is not visible here. Click on the respective account to check whether it is your ETH account and your ETH mail address is displayed.
- Click on the ETH account where your ETH e-mail address is displayed.
Attention
The rest of the settings may look different from the screenshot. This has no relevance to the setup of the e-mail certificate.
- Click on Advanced Settings and then on Sign.
Enable the signing of e-mails here by activating the Sign option.
If the e-mail certificate is configured and selected correctly, this is indicated by a blue check mark next to your name.
- Now click 2x on Back and save the settings made by selecting Done. Only then all settings will be saved in the ETH email account.
- You can now go back to the iOS settings via the menu.
Congratulations!
You have successfully installed and configured your email certificate on your mobile device.
If you want to check whether your emails are now sent signed from the phone, send an email to a work colleague or to yourself. If you can see a seal next to your sender name in the email in Microsoft Outlook, the email has been correctly signed with your email certificate. On the mobile device, this is indicated with a check mark next to your sender name.
- To remove your mail certificate, click General in the iOS settings on your mobile device, and then click Profiles.
- Select the ETH mail certificate you want to remove.
- Select Remove Profile.
Congratulations!
You have successfully removed your email certificate from your mobile device.