Child pages
  • Requesting or updating a TCS personal certificate

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

TCS personal certificates are S/MIME cryptographic certificates, and can be used to sign/encrypt e-mail using Mozilla Thunderbird.

These certificate used to be valid for just 1 year, but from 2014 on they are valid for 3 years (smile).

After it expires, you won't be able to use it to sign/encrypt e-mail any more. Mozilla Thunderbird will give an error.

You can (and must) still use it to decrypt old messages 

Do NOT delete it, because you need it to decrypt old message that were sent to you.

The process consists of 3 steps

1 - Request a certificate using Mozilla Firefox

  1. Using a Mozilla Firefox web browser, go to
  2. Log in using your TERENA credentials
  3. Agree with the fact that SURFnet/TCS needs some information from you (Yes, share this information)
  4. Click My Certificates
  5. Click New Certificate
  6. On page 1, accept the Acceptable Use Policy (AUP), click Next
  7. Page 2 is the e-mail selecting, but this is skipped because TERENA provides only one address
  8. On page 3, select "Browser generation", then click Next
  9. On page 4, make sure it says 2048 bits, and then click Next. Now the key generation takes place, this takes 30-60 seconds usually.
  10. Once done, it will ask to install. Click "Install to keystore". This should give you a message like this:


     Your personal certificate has been installed. You should keep a backup copy of this certificate.


2 - Export the certificate from Firefox to a file

  1. In Firefox, go to Tools -> Advanced -> Encryption -> View Certificates -> Your certificates
    (On Mac it is Firefox -> Preferences -> Advanced -> Certificates -> View Certificates -> Your certificates)
  2. Select the one that has just been created, use the Expire date to locate the right one
  3. Click "Backup..." and save it to a PKCS12 type file, giving it the .P12 extension (for instance: Remember where you saved it.
  4. Create a backup password to protect your certificate backup file, and type it twice, then click OK. You should see a message that it successfully backed up your certificate as a file.


3 - Import the certificate into Thunderbird

  1. Open Mozilla Thunderbird and go to Tools -> Options -> Advanced -> Certificates -> View Certificates -> Your Certificates
    (On Mac it is Thunderbird -> Preferences -> Advanced -> Certificates -> View Certificates -> Your certificates).
  2. Click Import, select the certificate backup file that you created with Mozilla Firefox, and type the certificate backup password that you gave there.
  3. After this has succeeded, go Tools -> Account settings, and navigate to the account that you want to secure, then click Security under that account.
  4. On the right side, select the newly imported certificate. It should come up with a selection window that only lists non-expired keys (so probably only one certificate) - select that.
  5. If asked, use the same certificate for encryption as well.
  6. In the Security windows, select "Digitally sign messages (by default)".


At this point you should be able to send signed and/of encrypted messages again.

If for some reason it fails (for instance because the certificate expired), you should deselect "Digitally sign messages (by default)".