User Certificates

Everything you need to know about user certificates

FH Erfurt issues personal digital certificates for its employees and public servants. They are primarily used for signing digital requests and applications.

Please note: This is not a universally valid certificate. It is legally valid for signatures within the University of Applied Sciences Erfurt. However, a document with your digital signature may not be accepted/recognised outside our university.

In the following steps, we explain how to obtain a personal user certificate, how to use it, how to verify it and other certificates and how to block it if you lose it.

• General information

  Digital certificates are used to secure the confidentiality, integrity and identification of electronic communication, e.g. by email or with web services.

  For this reason, user certificates must be protected by a password that is as complex as possible and may under no circumstances be passed on to third parties.

  A user certificate consists of a public and a private encryption key.
  
  The private encryption key belongs exclusively to the owner of the user certificate and is secret.
  The public key should be known to everyone, as other people can use this key to send you encrypted emails, for example. The public key infrastructure (PKI) of the German Research Network (DFN) ensures that your public key actually originates from you as it has to be signed.

  Digital certificates are issued by a Certificate Authority (CA). By issuing the digital certificate, the CA confirms the identity of the owner.

  Currently, the service for issuing certificates is provided by GÉANT and managed by Sectigo.

  Further information and FAQs can be found on the  DFN website.

• How to request a user certificate

  To request a user certificate, please use the workflow in PIP

  If you do not have access to PIP, please send an email with the subject "Beantragung Nutzerzertifikat" and the type of work you perform to:

  333@fh-erfurt.de

• Obtaining your certificate

  Obtaining your user certificate

  • You will receive an email from the provider that your certificate is ready.
  • You will receive instructions in the PIP workflow or by email from the Computer Centre when you submit your request.The instructions explain all further steps.
  • Once you have completed the steps in the instructions, you will have the user certificate in *.p12 format for further use.
  • You will be asked to set a password for the certificate.
    You cannot change this password and it is always required if you want to use the certificate as a signature. Choose it wisely and do not use the password from your university account!
  • Save your certificate (*.p12) in a secure location (e.g. home drive) and not just locally on your PC.

• Digital signature for PDFs

  To use your certificate (*.p12), you will need to add/import it into the certificate repository of the device you are using.

  • In Windows, double-click on your certificate file (*.p12) and follow the instructions
  • It is recommended to select a high security level and make it accessible only to this user (their access).
  • You do not need to re-export, as you have already backed up the original file outside the device you are using (e.g. home drive)

  Once this has been done, your certificate can be used by the software installed on the device.

  Configuration for use in Adobe Acrobat:

  • Open Adobe Acrobat.
  • Select "Settings" in the "Edit" menu.
  • Select the "Signatures" category.
  • Select "Identities and trusted certificates" and click on "More".
  • Your user certificate should appear. Select your certificate.
  • In the menu, select "Pen" and then "Use to sign".

  You can now sign signature boxes in PDF forms with your user certificate.

  The first time you use it, you will have to confirm that you wish to allow the connection to a time server at DFN. This is necessary and will be saved in the document, providing additional security during verification.

• Verifying digital signatures

  You are advised to check all signed documents.

  Acrobat checks signed documents every time they are opened.
  You can tell by the green tick (under the menu bar) whether a document has been successfully verified.

  Please note: To verify the digital signature, Adobe must also be allowed to use the Windows certificate store for verification. Unfortunately, this is not a standard setting during basic installation.
  Your departmental admin will be able to help.

  To check individual signatures in Acrobat, right-click on the signature and select the "Check signature" menu item. You will see a brief summary of the verification process.

  The "Show signature properties" menu item will take you to a more comprehensive overview where you can also check the verification paths.

• Revoking your certificate

  If your certificate is lost or stolen, please contact 333@fh-erfurt.de.

  When your employment contract ends (e.g. due to the end of a fixed-term contract, annulment, dismissal, retirement, etc.), your digital certificate will automatically be revoked.

• Other uses

  Your user certificate can be used in a variety of ways. You can also use it to sign and encrypt emails, for example.

  If you need to integrate the user certificate into your mail client, you can contact your departmental admin for assistance.

  Please note:

  1. If you intend to work with signed emails, you should integrate the user certificate into your email client on all the devices you use.
  2. It is not possible to integrate/use it in OWA (Outlook WebAccess).
  3. If you have proxy access to functional mailboxes, you may receive unwanted messages when sending emails, as the user certificate can only be used for your personal email address.
  4. If you lose your certificate and password, all emails encrypted with them will be unreadable.