InCommon Client Certificates FAQ
How to use InCommon Client Certificates
Missouri S&T and the UM System have partnered with the InCommon Federation to provide affordable, managed and trusted certificates to higher education. The agreement allows all active entities at Missouri S&T to have their own personal, trusted certificates to be used for:
- Signing email
- X.509 client authentication (mobile devices, VPNs, etc.)
- signing documents (document preservation, curation, etc.)
- data encryption
See “IMPORTANT and Best Practices” below.
InCommon Certificate Support issues
Google Chrome
When requesting a new certificate, make sure you are using Firefox or IE. Long PINs/passphrases in Chrome produce certificates you can't open. The only remediation is to revoke the certificate, issue a new invitation and start over. Note: This only affects OLD versions of Chrome from around 2010/2011.
Unable to Publish to GAL
If a person cannot publish their certificate to the GAL, it is likely an XP SP3/Outlook 2007/Exchange permissions issue. This should go away with the new Exchange environment. It's easier to just have the security folks publish the public certificate for them. The other choice is to use the MMC Certificates snap-in and take them through the publish-to-GAL process there. Either way, open a ticket to security.
Client Certificates are currently issued based on employment/emeritus status:
- Available if the recipient's employment status is Active or is Emeritus faculty. Not available to other retirees or alums at this time.
- Student participation is not available at this time unless the employment status is active and the supervisor requests it.
- Currently not available for classwork-type usage. Email email@example.com for other solution possibilities.
- Certificates are to be revoked as part of account maintenance. Private keys can still be used to decrypt.
Establishing a Client Certificate
NOTE: If you have already received an email invitation from “Certificate Services Manager firstname.lastname@example.org”, please skip to the “Certificate Installation” section.
To establish a new certificate, please create a Help Desk ticket requesting a personal certificate. When the request is ready for you to finish, an invitation will be sent to your official email address.
You will receive an email with the following information:
1. From: “Certificate Services Manager email@example.com”
2. Subject: Invitation Email - You have requested email certification validation
For the instructions immediately following, please use either Internet Explorer or Firefox, as we have found a random error when using Google Chrome and long passphrases.
3. Click the link in the first bullet in the body of the text. If it doesn't work, follow the manual activation instructions in the email.
4. Enter a PIN. Note: This should be a passphrase and not just a string of numbers. Please make it a strong passphrase, as your certificate will include your private key and you do NOT want this key compromised. Do NOT lose this PIN, as it will be the password to install your certificate later. Secure it in a safe place.
5. Enter a password. This is used to renew your certificate when it expires in 5 years. Save this in a safe place too.
6. You can remove some of the certificate attributes in the next section, but you cannot change any of the content. This is up to you.
7. Click submit and wait for a bit as your certificate is generated.
8. Click download and save the certificate in a safe place, then proceed to Certificate Installation.
Certificate Installation
Microsoft Certificate Store (if you are on Windows, this is mandatory before doing anything else)
- The simplest is to install in the Microsoft personal certificate store. Double click the certificate you saved in the section above.
- Click “Next” until you come upon a dialog box asking for your Password. Enter the “PIN” from step 4 above. The other options are up to you, but do leave “Include all extended properties” checked. Click Next.
- On the “Certificate Store” dialog, leave “Automatically select the certificate store…” item selected and click Next, then click Finish.
- Congratulations. The certificate is installed.
Outlook 2013/2016
- Click “File”, then “Options”. Under Outlook Options, click “Trust Center”, then the “Trust Center Settings” button.
- Click “Email Security”, then click the “Settings” button to the right.
- At the Default Setting entry, click Settings
- Signing Certificates, click Choose and select the certificate with the most recent Valid date (should start one day less than when the certificate was issued). Click OK
- VERY IMPORTANT: Select Hash Algorithm SHA256. Click OK
- Make sure “Add digital signature to outgoing messages” and “Send clear text signed messages…” are selected.
- STRONGLY RECOMMENDED: Click “Publish to GAL”. This will place your certificate with the Public Key in the Active Directory Global Catalog. If you are working with others that are in the UM System, this can be handy for them to send you encrypted mail without you having to make contact and get your public key first.
- Click “OK” twice.
- Send a test message to someone (even yourself) to verify your digital signature.
Firefox (IE uses your system's certificate store. Nothing to do for it.)
- Click the “Firefox” in the title bar and then select Options/Options.
- Click the Advanced Tab and then the Encryption Tab
- Click “View Certificates” button and then the “Import” button.
- Select the certificate you downloaded in step 8 above. Enter your password (the PIN in InCommon terms) and click “OK” on all dialog windows.
iPhone/iPad
The simplest way to ensure everything will work is to use Outlook to export the personal certificate (after it has been installed). The export will include all other certificates in the chain, making it a one-step install.
- In Outlook, click File/Options/Trust Center
- Then click the “Trust Center Settings” button
- Select “E-Mail Security” and the “Import/Export” button
- Click the “Export your Digital ID to a file” radio button
- Select your certificate to export
- Click Browse and choose a location to save the certificate chain to. Enter a file name with a .p12 extension (important you don't skip this)
- Click Save.
- More than likely the Radio button on “Export your Digital ID to a file” will need to be clicked again, and then enter a strong passphrase to protect your certificate information
- Click OK
- Mail this certificate to yourself.
- On your iDevice, open the email containing the certificate.
- Touch the certificate attachment. This will launch the install profile.
- Touch Install and then “Install Now”
- Enter your iDevice passcode (if you have enabled security on your phone. I sure hope you have! It is important to protect the certificate)
- Enter your passphrase you used to export the certificate chain.
- Touch Next. Do not worry that it says “Not Trusted”. During this phase you don't have an intermediate certificate yet; the install process will take care of it.
- Touch Done
- Go to Settings/Mail
- Touch Exchange
- Touch Account
- Scroll down and turn S/MIME on
- Touch Sign
- Touch On
- Ensure your named certificate is selected.
- Touch “Account” to go back and touch Done
You are now sending signed mail from the iDevice.
Full guide available at: incommon_client_end_user_guide.pdf
IMPORTANT and Best Practices
What are Client Certificates
Client Certificates allow you to sign documents or email to prove that it was actually you who signed. With proper Private Key management (see the Private Key topic), it is effectively the same as you signing a paper document: it was actually you. They also allow you to encrypt a document or email so that only the designated recipient can read it. Both of these functions are extremely important in today's world of electronic communications.
Certificate Backup
It is up to you to back up your certificate in a secure manner. This is critical if you are upgrading, rebuilding or replacing your campus-provided system. If you only have the certificate on your current workstation/laptop, it will be lost when you get the rebuilt or new system. We cannot recover a lost certificate should you fail to back it up properly. We can only replace a lost certificate, although we do have key escrow to recover the private key and decrypt necessary documents (see below). There are a few methods to back up the certificate:
- Store a copy of the original downloaded certificate in a safe place that is not your main computer. Your S: drive will work, as will a USB thumb drive, provided you keep the thumb drive in a safe place. You must be sure to have originally used a strong passphrase as the PIN and to keep the passphrase in a separate but secure location.
- If you installed the certificate and marked the private key as exportable, save the certificate with the private key using a strong passphrase and follow the instructions above.
- Contact firstname.lastname@example.org to store a copy of the certificate. You must keep the passphrase separate and secure so that only you will be able to re-install the certificate at a later time. As no one else will have the passphrase, no one else will be able to use the certificate.
Private Key
Please remember that your Private Key must be protected at all times. This is the heart of the trust established by certificates. Certificates work by giving you two keys. One you keep private and protect at all times. The other, the public key, is freely shared with the world. Anything encrypted with one key can only be decoded by the partner key. If someone gets your private key, they can read your encrypted documents as well as create fake signed and/or encrypted documents that would appear to come from you.
Protecting Your Private Key
- When you follow the link in the invitation email, select a strong passphrase for your PIN. It's OK to write this passphrase down and secure it in a very safe place. You can contact email@example.com and we will provide secure storage for this passphrase where it will require two people to retrieve it: you and one of the security staff.
- If you install the certificate in Windows and mark the private key as exportable, please do not share your SSO (login) ID password with anyone, as they would be able to access the certificate store.
- Do not install or give your client certificate to ANYONE else. It is critical that only you ever access your private key. Sharing your client certificate and private key with an administrative assistant violates the trust that only you have the private key. If you do this, we will need to revoke your client certificate, as it has effectively been compromised.
Compromised/Revoked Certificate
A compromised certificate occurs when someone gains access to your private key. When this occurs, your private key is no longer private and all the trust associated with the certificate is lost. We have only one recourse in this situation: revoke the compromised certificate and issue a new certificate following the steps outlined above. The revoked certificate can still be used to read older encrypted documents, but should never be used again for new documents, as it can no longer be trusted.
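The two-key relationship described under Private Key, and the reason a shared or leaked private key counts as a compromise, can be seen directly in code. The following Go program is an added example, not part of the original page or of InCommon's software: it uses raw RSA keys from the Go standard library in place of real certificates, and the names (alice, bob) and the message text are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Keypair stands in for one person's client certificate: Public is the part you
// would publish to the GAL, Private is the part the page says must never leave you.
type Keypair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeypair generates a fresh RSA-2048 pair for the demo (a real InCommon
// certificate gets its keys during the enrolment steps above).
func NewKeypair() (*Keypair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keypair{Private: priv, Public: &priv.PublicKey}, nil
}

// EncryptFor encrypts plaintext with the recipient's PUBLIC key (RSA-OAEP, SHA-256).
// This is why a sender needs the recipient's certificate (from the GAL or from a
// signed message) before encrypting: only the partner private key can undo it.
func EncryptFor(recipient *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
}

// Decrypt attempts to recover the plaintext with a PRIVATE key. With any key other
// than the partner of the one used to encrypt, it returns rsa.ErrDecryption.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Outcome collects what the demo observed so the checks can be asserted on.
type Outcome struct {
	RecipientReads string // plaintext recovered with the intended recipient's private key
	OtherKeyFails  bool   // an unrelated private key cannot decrypt
	LeakedKeyReads string // a copy of the recipient's private key reads it just as well
}

// Demo walks through the Private Key section: Alice encrypts to Bob, Bob reads it,
// Alice's own key cannot, and anyone holding a copy of Bob's key can.
func Demo() (Outcome, error) {
	alice, err := NewKeypair()
	if err != nil {
		return Outcome{}, err
	}
	bob, err := NewKeypair()
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample message.
	msg := []byte("Draft grant budget attached; please keep confidential.")

	ciphertext, err := EncryptFor(bob.Public, msg)
	if err != nil {
		return Outcome{}, err
	}

	// The intended recipient decrypts with the partner key.
	got, err := Decrypt(bob.Private, ciphertext)
	if err != nil {
		return Outcome{}, err
	}

	// Even the sender cannot read it back: Alice's private key is not the partner key.
	_, otherErr := Decrypt(alice.Private, ciphertext)

	// A copy of Bob's private key, e.g. a .p12 shared with an assistant or left on a
	// shared home PC, decrypts exactly like Bob. Nothing in the key knows it was copied,
	// and revoking the certificate does not change this, which is why the page treats
	// any such copy as a compromise and why old mail stays readable after revocation.
	leakedCopy := bob.Private
	leaked, err := Decrypt(leakedCopy, ciphertext)
	if err != nil {
		return Outcome{}, err
	}

	return Outcome{
		RecipientReads: string(got),
		OtherKeyFails:  otherErr != nil,
		LeakedKeyReads: string(leaked),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recipient read: %q\nother key failed: %v\nleaked copy read: %q\n",
		out.RecipientReads, out.OtherKeyFails, out.LeakedKeyReads)
}
```

Run it with `go run .`; the three printed lines correspond to the three statements in the Private Key and Compromised/Revoked Certificate sections: the partner key reads the message, an unrelated key does not, and a copy of the private key is indistinguishable from the original.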
Certificate Installation on More Than One System
We understand there are times when you would want to install your client certificate on more than one system, especially if you receive encrypted mail and read mail from a system at home. You will not be able to read any encrypted mail without the certificate installed. Please make sure that you are the only one using that system, or that particular login session, before installing your certificate on a non-IT-managed system. Your office machine is managed and the certificate is protected by your login, but if you place the certificate on a system that others can use without some sort of authentication, they will be able to access your certificate and private key. That would be a compromised certificate.
Encrypt Only When Needed
One major problem with encryption is knowing when to encrypt mail or documents. If the content is very confidential and you want to share it with only one other person, or it contains highly sensitive information, that is when you need to enable encryption. Do not encrypt everything, as 1) it isn't necessary and 2) not everyone can process encrypted documents or email. If you have questions, email firstname.lastname@example.org.
Also remember that for proper mail encryption, the receiving party should also have a personal certificate published to the Active Directory Global Address List (GAL), or you must have a copy of their public key. The reason is that Outlook will use a combination of your private key and the recipient's public key to ensure that only the sending and receiving parties will be able to read the email.
Certificate Renewal
All InCommon client certificates are valid for 5 years. Approximately 30 days before the certificate expires, you will receive an email with instructions on how to renew it. You will then be issued a new certificate using the previous keys that will be valid for another 5 years.
If you change your name, or you suspect that your private key has been compromised, you should request a new certificate through the Help Desk ticket system rather than renew your current client certificate.
Leaving the University
When you leave the University due to retirement or other reasons, unless you are emeritus faculty, your client certificate will be revoked as part of the account maintenance process. The certificate can still be used to decrypt any existing documents, but will no longer be trusted for new items.
Signed/Encrypted Mail to Groups/Lists/Multiple Recipients
There are some usage issues to be aware of when emailing either signed or encrypted mail to groups, lists, or multiple recipients. By “lists” we are referring to external lists on list servers, not a distribution list within your mail client.
Starting off with “signed” email:
- Groups or Lists: It's best to turn off signatures when sending to groups or mailing lists. Remember that when you “sign” an email with your certificate, it generates a checksum of the entire message, and any modification of the email will show an error to the recipient(s). When you send a signed email to a list, it is usually resent by a server that modifies the original message, thus invalidating the signed message. In some cases, the server will remove your certificate. Note: Google Groups does not modify the mail message, and you can sign mail going to Google Groups.
- Signed mail to multiple recipients works just fine. There is nothing to worry about there as each person will receive a properly signed and validated email.
Now for “encrypted” email:
- Groups or Lists: Turn off encryption before sending to groups or list servers. You will not be able to send encrypted email to these groups or lists. Both parties must have certificates for proper encryption, and at this time group and list servers do not have the functionality to handle encryption. Even if they did, recipients on the list would not be able to read the mail, as it was not encrypted for them.
- Multiple Recipients, internal or distribution lists within your mail client: As long as you have access to the public portion of the certificate for every email address in the mail client's list, this will work. We have tested this and it works just fine. The requirement is that you have their certificates available to your mail client. Outlook will look in the Global Address List as well as your personal contact list, so this is a feature you can use.
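The reason a list server that rewrites messages breaks the signature, while direct delivery to several recipients does not, comes down to the signature being computed over the exact message bytes. The following Go program is an added example, not from the original page, from Outlook or from InCommon: it signs a constructed message with a raw RSA key from the standard library (standing in for the certificate's private key), has each of three made-up recipients verify it with the public key, and then shows the same signature failing once a list-server footer (constructed text) has been appended.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the exact message bytes with SHA-256 (the hash algorithm the Outlook
// steps above tell you to select) and signs that digest with the sender's private key.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is what each recipient's mail client does with the sender's public key:
// recompute the digest over the bytes it received and check it against the signature.
// Any change to the message, however small, gives a different digest and fails.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// ListServerRewrite imitates a mailing list that appends a footer to every message
// it redistributes (constructed footer text). The signature was made over the
// original bytes, so the redistributed copy no longer matches it.
func ListServerRewrite(message []byte) []byte {
	footer := []byte("\n-- \nYou received this because you are subscribed to the list.\n")
	out := make([]byte, 0, len(message)+len(footer))
	out = append(out, message...)
	return append(out, footer...)
}

// Result records the two situations the page describes.
type Result struct {
	DirectRecipientsOK int  // recipients who verified the message sent to them directly
	ViaListOK          bool // whether the list-rewritten copy still verified
}

// Demo signs one constructed message and delivers it two ways.
func Demo() (Result, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	msg := []byte("Subject: Lab meeting moved to 3pm\n\nSee everyone in the lab. (constructed sample)")
	sig, err := Sign(sender, msg)
	if err != nil {
		return Result{}, err
	}

	// Direct delivery to several recipients: each receives the identical bytes and
	// the identical signature, so each verification succeeds on its own.
	recipients := []string{"colleague-a", "colleague-b", "colleague-c"}
	ok := 0
	for range recipients {
		if Verify(&sender.PublicKey, msg, sig) {
			ok++
		}
	}

	// Delivery through a list server that rewrites the body.
	viaList := Verify(&sender.PublicKey, ListServerRewrite(msg), sig)

	return Result{DirectRecipientsOK: ok, ViaListOK: viaList}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("direct recipients verified: %d of 3\nlist-rewritten copy verified: %v\n",
		r.DirectRecipientsOK, r.ViaListOK)
}
```

A real S/MIME client wraps this in CMS structures and attaches the certificate, but the check that fails after a list server rewrites the body is the same digest comparison shown in Verify, which is why the page recommends turning signatures off for lists that modify messages and notes that a list which leaves the message untouched (Google Groups, per the page) is fine.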
Because of when we signed up, we have to have key escrow enabled. This means that your private key is stored on the InCommon Certificate Management server. It is encrypted with a private key that is secured by S&T Information Security staff. If anyone were to access your private key, thereby destroying the trust in it, your certificate is instantly revoked. You and the certificate managers will receive an email stating that your certificate was revoked. This serves as an audit trail and control should anyone ever gain access to your private key.