


Order







You must be in the ETH network or connected to the VPN, otherwise you cannot access the page.


  • Enter the ETH username and password of the account for whose email address you want to apply for a new mail certificate. In most cases this will be your own ETH account.

  • Click on Login

  • If a window with Save Password pops up, click on Never


After clicking on Login, the data is loaded in the background. This may take a short time. Do not reload or close the window during this process.


  • Click on Advanced

  • By default, the mail certificate is issued to your main email address (address shown in the window above). You can extend the certificate to up to three additional alias addresses. Whether and which ones you use is up to you. For example, choose the addresses to which e-mails are normally sent.

    It is recommended to add at least "username@ethz.ch" as additional address.


  • To confirm click on Issue certificate


The creation of the certificate takes a short moment. Click the Issue certificate button only once and wait until the new certificate is displayed.


If your application is successful, Trust Link will then send you several confirmations via e-mail. You can ignore and delete these.


  • You have now successfully created your certificate.

  • Click the Download button to save the certificate onto your device.


  • Select the operating system on which you want to install the certificate.


Copy the password to the clipboard, as this will be needed later for the installation of the certificate.



  • Click on Download


On macOS and iOS in the Safari browser, you may be asked to confirm that you wish to allow downloads on "pki-portal.ethz.ch". Click on Allow to confirm.


  • You have now successfully downloaded the certificate. On Windows the file can be opened directly via File > Open. On Windows, Linux and macOS the file is saved to the "Downloads" folder by default. Now continue with part 2 of the instructions.



If you use a browser other than Microsoft Edge, it will look different from the print screen opposite. Navigate to the location of the pfx (Windows/Linux) or mobileconfig (macOS) file (usually this is the "Downloads" folder) and open the file by double-clicking it. On iOS the profile becomes available in Settings.







e.g. Mozilla Firefox (macOS)









Installation


Windows






    • Open the just downloaded file "PersonalEmail.pfx"

    • Leave the "Current User" setting and click Next.

    • Leave the file name and click on Next

    • Insert the password previously displayed in the PKI Portal and leave all other settings.

    • Click on Next

    • Leave the file name and click on Next

    • Click on Finish

    • Confirm the following message by clicking on OK











    • Start Outlook and click top left on File - Options

    • Click on Trust Center on the left and on the button Settings for the Trust Center on the right.

    • Click on E-Mail Security on the left and on the Settings button on the right.

    • Make sure that your e-mail address is displayed in the Security Settings Name field

      If the field is empty, you can enter any text and click "New". (Please note that you will need to select this entered text instead of your email address later in the manual).


    • Click on the Choose button in the Signature Certificate field.

    • If you already have a certificate, several will be displayed. Select the new certificate. You can recognize it by the date. For example, if you ordered it today, you should see today's date and the certificate should be valid for three years from the date of creation.

    • Repeat the procedure for the Encryption Certificate field

    • Set the other settings according to the print screen

    • Click on OK

    • Check that your e-mail address is visible in the Default setting field.

    • Check Add digital signature to outgoing messages

    • Click on OK and then on OK again


    You have now successfully installed the new certificate. Check this by sending an e-mail to a colleague or yourself. A seal should now be visible next to the sender.











    • Start Outlook and click top left on File - Options

    • Click on Trust Center on the left and on the button Settings for the Trust Center on the right.

    • Click on E-Mail Security on the left and on the Settings button on the right.

    • Make sure that your e-mail address is displayed in the Security Settings Name field

    • Click on the Choose button in the Signature Certificate field.

    • If you already have a certificate, several will be displayed. Select the new certificate. You can recognize it by the date. For example, if you ordered it today, you should see today's date and the certificate should be valid for three years from the date of creation.

    • Repeat the procedure for the Encryption Certificate field

    • Leave the other settings as they are (see also the adjacent screenshot)

    • Click on OK










    • Start Outlook and click top left on File - Options


    • Click on Trust Center on the left and on the button Settings for the Trust Center on the right.

    • Click on E-Mail Security on the left and on the Settings button on the right.

    • Uncheck "Add digital signature to outgoing messages"

    • Confirm with "OK"









macOS






    • The user browses to their Downloads folder, or opens the download from the browser toolbar, and double-clicks the “mobileconfig” file. This is a “configuration profile”, used to distribute certificates in a secure manner on macOS.


    • macOS 10.15 or lower:
      When using Safari with default settings, the profile will open automatically.


    • macOS 11 or higher:
      Opening the configuration profile is not automatic. The user must open it from the Downloads folder. A notification will then inform the user that the profile is in System Preferences. The user must navigate to System Preferences > Profiles to review the profile.




    • macOS 10.15 or lower:
      User is requested to install the profile. User should press Continue.


    • macOS 11 or higher:
      The user will see the profile in the Downloaded section of the Profiles pane. User clicks Install...






    • macOS 10.15 or lower only:
      User confirms that they are sure they want to install the profile, by pressing “Install”.

    • Enter the password from the PKI-Portal


    • User once again confirms that they are sure they want to install the profile, by pressing “Install”.

    • The certificate is then installed.










  • Start Apple Mail and open a "New e-Mail"

    • User chooses to sign an e-mail. This is shown with a blue "signed" button, which can be toggled between enable/disable.

    • If the user has the public key of the recipient's email address, the user can also choose to encrypt the message. This is shown by a blue "encrypted" button, which can be toggled between enable/disable.











    • Start Outlook

    • Click on "Outlook" on the menu bar and then select "Preferences...".

    • Click on "Accounts"

    • Click on "Advanced..."

    • Select the "Security" tab

    • Under "Digital Signing", in the "Certificate" item, select the certificate that is issued in your name from the drop-down menu.

    • Activate the checkbox "Sign outgoing messages"

    • Under "Encryption", in the "Certificate" item, select the certificate that is issued in your name from the drop-down menu.

    • If you now create a new mail, the Sign button should be activated under "Options".










    • Open System Preferences > Profiles

    • Click on the Email Profile that you installed earlier, and click on the "-" button at the bottom of the list.

    • A warning is displayed. Click on Remove to delete the profile and associated certificates.

    • The certificates are now removed.









Linux






    • When prompted on how to open the file, choose “Save File” and click on OK


    Note where you saved the file as you will need it in the next steps.


    • Open Thunderbird

    • Click on the 3 horizontal lines on the top right and choose “Preferences”

    • Click on “Privacy & Security” and scroll down to certificates and click on “Manage Certificates”

    • Click on “Authorities” and then click on “Import”

    • Browse to the QuoVadis Swiss Advanced CA G4 certificate and click on “Open”


    • Select both options for trust and click “OK”

    • Scroll down the certificate list and look for QuoVadis and confirm the certificate is installed.

    • Click on “Your Certificates” and then click on “import” and browse to your certificate

    • Browse to the folder. Make sure “All Files” is selected, then choose your certificate and click on “Open”

    • Put in the password that was provided to you when you downloaded the certificate and click on “OK”.

    • The certificate should now be imported. Click on OK.

    • Close the preferences menu.

    • Right click on your mailbox and choose “Settings”

    • Click on “End-To-End Encryption” and scroll down to S/MIME

    • For the setting “Personal certificate for digital signing” click on “Select” and click on the certificate you just installed and click on “OK”

    • In the pop-up window about encryption, click on “Yes”

    • Scroll down a little and make sure “Add my digital signature by default” is checked and that “Do not enable encryption by default” is selected

    • Close the “Account Settings” tab




    • Open Thunderbird

    • Click on the 3 horizontal lines on the top right and choose “Preferences”

    • Click on “Privacy & Security” and scroll down to certificates and click on “Manage Certificates”

    • Click on “Your Certificates” and then click on “import” and browse to your certificate

    • Browse to the location of the new certificate, select it and click on “Open”

    • Put in the password that was provided to you when you downloaded the certificate and click on “OK”.

    • The new certificate should now be added. Please remember the serial number of the new certificate and click on “OK”

    • Close the preferences menu.

    • Right click on your mailbox and choose “Settings”

    • Click on “End-To-End Encryption” and scroll down to S/MIME. For “Personal certificate for digital signing” click “Select”

    • Choose the newly installed certificate from the drop down list and click on “OK”.

    • Once the new certificate is selected, additional information about it will be displayed in the text box underneath.

    • Click “Yes” for the next popup window

    • The new certificate is now configured for signing and encryption. Please close the “Account Settings”
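
The serial number and expiry date that the steps above ask you to check in Thunderbird can also be read from the downloaded file before it is imported. The following is an added example, not part of the original guide: it assumes the OpenSSL command-line tool is installed, the function names are hypothetical, and the sample file, addresses and password are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). The sample file is constructed.

# Print serial number, expiry date and e-mail addresses of the user
# certificate stored in a PKCS#12 (.pfx) file. The password is taken from
# the environment variable named in $2, so it never appears in `ps` output.
inspect_p12() {
    openssl pkcs12 -in "$1" -passin "env:$2" -clcerts -nokeys |
        openssl x509 -noout -serial -enddate -email
}

# Succeed only if the certificate lists the address $3 (main address or alias).
p12_covers_address() {
    inspect_p12 "$1" "$2" 2>/dev/null | grep -qixF -- "$3"
}

# Succeed only if the certificate is still valid $3 days from now.
p12_valid_for_days() {
    openssl pkcs12 -in "$1" -passin "env:$2" -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null
}

# Build a constructed, self-signed stand-in for the portal download in dir $1.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
        -subj "/CN=Constructed Sample User" \
        -addext "subjectAltName=email:first.last@example.org,email:username@example.org" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout "env:P12_PASS" -out "$1/sample.pfx"
}

# Demo run on the constructed file.
P12_PASS='constructed-password'; export P12_PASS
demo_dir=$(mktemp -d)
make_sample_p12 "$demo_dir"
inspect_p12 "$demo_dir/sample.pfx" P12_PASS
p12_covers_address "$demo_dir/sample.pfx" P12_PASS username@example.org &&
    echo "alias address is covered"
rm -rf "$demo_dir"
```

For a real download, export the password shown in the PKI portal in an environment variable and pass the path of the pfx file and the variable name to `inspect_p12`.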




    • Open Thunderbird

    • Right click on your mailbox and choose “Settings”

    • Click on “End-To-End Encryption”, scroll down to S/MIME and click “Clear” for both the signing and the encryption certificate. Also uncheck “Add my digital signature by default”.

    • Please close the “Account Settings”







    • Download the root certificate for installation before installing the user certificate:

     

    Go to the site: PKI security certificates and click on “QuoVadis Swiss Advanced CA G4”.

    • When prompted on how to open the file, choose “Save File” and click on OK.


    Note where you saved the file as you will need it later.


    • Open Thunderbird.


    • Click on the 3 horizontal lines on the top right and choose “Preferences” and then click on “Preferences” again.

    • Click on “Advanced” in the left menu, then click on the “Certificates” header on the right and then on “Manage Certificates”

    • Click on “Authorities” and then click on “Import”.

    • Browse to the QuoVadis Swiss Advanced CA G4 certificate you previously downloaded and click on “Open”.

    • Select both options for trust and click “OK”.

    • Scroll down the certificate list and look for QuoVadis and confirm the certificate is installed.

    • Click on “Your Certificates” and then click on “import” and browse to your certificate.

    • Browse to the folder. Make sure “All Files” is selected, then choose your certificate and click on “Open”.

    • Put in the password that was provided to you when you downloaded the certificate and click on “OK”.

    • The certificate should now be imported. Click on OK.


    • Close the preferences menu.

    • Right click on your mailbox and choose “Settings”.

    • Click on “Security”.

    • For the setting “Digital Signing” click on “Select” and click on the certificate you just installed and click on “OK”.

    • In the pop-up window about encryption, click on “Yes”.

    • Scroll down a little and make sure “Digitally sign messages (by default)” is checked and that “Never (do not use encryption)” is selected.


    • Close the “Account Settings” tab.




    • Open Thunderbird

    • Click on the 3 horizontal lines on the top right and choose “Preferences” and then click on “Preferences” again.

    • Click on “Advanced” in the left menu, then click on the “Certificates” header on the right and then on “Manage Certificates”.

    • Click on “Your Certificates” and then click on “Import” and browse to the new certificate.

    • Browse to the folder. Make sure “All Files” is selected, then choose your certificate and click on “Open”.

    • Put in the password that was provided to you when you downloaded the certificate and click on “OK”.

    • The certificate should now be imported. Please note the different serial number and the updated expiry date. Click on OK.


    • Close the preferences menu.

    • Right click on your mailbox and choose “Settings”.

    • Click on “Security”.

    • For the setting “Digital Signing” click on “Select” and click on the newer certificate you just installed.

    • After you selected it, you should be able to see the newer expiry date. Please also verify the “Serial Number”.


    • Click on OK.


    • In the pop-up window about using the same certificate, click on “Yes”.

    • Scroll down a little and make sure “Digitally sign messages (by default)” is checked and that “Never (do not use encryption)” is selected.


    • Close the “Account Settings” tab.




    • Open Thunderbird


    • Right click on your mailbox and choose “Settings”

    • Click on “Security”


    • Make sure “Digitally sign messages (by default)” is unchecked and that “Never (do not use encryption)” is selected and then click on “OK”.


    • Please close the “Account Settings”










Mobile devices







    • To install the mail certificate on the iPhone or iPad, it must be present on the corresponding device.

    For the installation you need the password that was displayed during the certificate order step!


    • If you ordered the certificate via a PC or Mac client, you can send it via e-mail to your own business address on your mobile device to install it there afterwards.

    • Open the sent email on your mobile device and open the attached email certificate.

    • If you ordered the e-mail certificate directly on your mobile device via a web browser and downloaded it this way, you will be asked whether you want to load the configuration profile. Select Allow here.

    To download and install the e-mail certificate directly on the mobile device via the PKI portal, it must be connected either directly to the ETH WLAN or via VPN. The PKI portal is only accessible within the ETH network.


    • The message appears that your profile has been loaded. Confirm the message with Close.

    • Open the iOS settings.

    • You should now see the "Profile loaded" section. Click on it to display the loaded profile.

    • Now click Install in the profile to install the email certificate on your mobile device.

    • Enter the certificate password that you received in the PKI portal. Confirm the entry with Next.

    • Confirm with your mobile device unlock code and agree to the installation.

    • In the iOS settings on your mobile device, click Mail, and then click Accounts.


    • Select your ETH mail account from the list of existing accounts.


    The displayed name of the account can be different (e.g. Exchange, ETH, etc.). The email address itself is not visible here. Click on the respective account to check whether it is your ETH account and your ETH mail address is displayed.


    • Click on the ETH account where your ETH e-mail address is displayed.


    The rest of the settings may look different from the screenshot. This has no relevance to the setup of the e-mail certificate.


    • Click on Advanced Settings and then on Sign.


    • Enable the signing of e-mails here by activating the Sign option.

    • If the e-mail certificate is configured and selected correctly, this is indicated by a blue check mark next to your name.

    • Now click Back twice and save the settings by selecting Done. Only then will all settings be saved in the ETH email account.


    • You can now go back to the iOS settings via the menu.

    CONGRATULATIONS!

    You have successfully installed and configured your email certificate on your mobile device.


    If you want to check whether your emails are now sent signed via the cell phone, send an email to a work colleague or to yourself. If you can see a seal next to your sender in the email in Microsoft Outlook, the email has been correctly signed with your email certificate. On the mobile device, this is noted with a check mark next to your sender name.




    • To remove your mail certificate, click General in the iOS settings on your mobile device, and then click Profiles.

    • Select the ETH mail certificate you want to remove.

    • Select Remove Profile.

    CONGRATULATIONS!
    You have successfully removed your email certificate from your mobile device.