# Emergency/transition process for generating e-mail certificates
!!! warning
This text was automatically translated using DeepL. We will check and amend this text in the near future.
# Emergency/transition process for generating email certificates
!!! warning
The process described here does __not__ meet the security standards that the KIT normally strives for.
We therefore generally advise against following the procedure described here. Exception: a certificate is
__now__ mandatory for business purposes.
This process does __not__ meet the usual security standards that KIT-CA normally strives for.
We therefore generally advise against following the procedure described here. Exception: a certificate is
__now__ mandatory for business purposes.
The process described here has the following problems:
1.the private key is generated by the CA service provider and not by the user. This breaks an important basic assumption of end-to-end encryption.
2.you can have exactly one e-mail address in the certificate, this corresponds to the username at HARICA.
3.certificates are only e-mail-validated (and not organization-validated), so there is only the e-mail address in the certificate. Both the real name and a reference to the KIT are missing.
4.there is no automatic mechanism for publishing in the KIT global address book, this must be initiated <ahref="#publish-to-ad">manually by the user</a>.
1.The private key is generated by the CA service provider (HARICA) and not by the user. This breaks an important basic assumption of end-to-end encryption.
2.The certificate can contain exactly one email address which corresponds to your username at HARICA.
3.Certificates are only email-validated (and not organization-validated), it only contains the email address. Both the real name and a reference to KIT are missing.
4.There is no automatic mechanism for publishing into the KIT global address book; this must be <ahref="#publish-to-ad">manually initiated by the user</a>.
For example, if you want to have a certificate for `beate.beispiel@kit.edu`, `b.beispiel@kit.edu` and `bb4711@sysmail.kit.edu`
you have to go through the following instructions completely for each of these addresses.
For example: if you wish to obtain a certificate for `beate.beispiel@kit.edu`, `b.beispiel@kit.edu` and `bb4711@sysmail.kit.edu`,
you have to repeat the following instructions for each of these addresses.
The process is roughly based on [these instructions from HARICA](https://guides.harica.gr/docs/Guides/Email-Certificate/Email-only-request/),
This process is roughly based on [these instructions from HARICA](https://guides.harica.gr/docs/Guides/Email-Certificate/Email-only-request/),
but differs in a few details. If you have any questions or uncertainties, please also refer to this guide.
## Step 1: Create an account with HARICA
[Create a new account at HARICA](https://cm.harica.gr/Register) with the exact e-mail address that is to be included in the certificate.
certificate. If necessary, follow the instructions in the e-mails and the
[HARICA instructions](https://guides.harica.gr/docs/Guides/Email-Certificate/Email-only-request/). Then log in
then log in to [HARICA in CertManager](https://cm.harica.gr/Login) with this account.
[Create a new account at HARICA](https://cm.harica.gr/Register) with the exact email address that is to be included in the certificate.
If necessary, follow the instructions in the emails and the [HARICA instructions](https://guides.harica.gr/docs/Guides/Email-Certificate/Email-only-request/). Then log in in to
[HARICA in CertManager](https://cm.harica.gr/Login) with this account.
## Step 2: Apply for a certificate
Select `eMail` in the left menu, then __Email-only__ under _Select the type of your certificate_ and at the bottom _Next_.
at the bottom _Next_.
Select `eMail` in the left menu, then __Email-only__ under _Select the type of your certificate_ and then _Next_at the bottom.
_Select a method to validate your email address(es)_ should already be prefilled with __Validate via email to selected email address__
in advance, continue here with _Next_.
in advance, continue with _Next_.
In the _Review the application before submitting_ view, check the box and submit with __Submit__.
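Review bot: The rewritten problem list ("1.The private key is generated ..." through "4.There is no automatic mechanism ...") still has no space after each number, carried over from the old text, so Markdown will not treat it as an ordered list. The link in item 4 is written `<ahref="#publish-to-ad">`, which is not a valid anchor tag. Suggest `1. The private key ...` and `<a href="#publish-to-ad">`. In the same pass: Step 1 now reads "Then log in in to" (doubled "in"), Step 2 has `_Next_at the bottom` with the emphasis marker fused to the next word, and "should already be prefilled with ... in advance" says the same thing twice. Item 3, "Certificates are only email-validated (and not organization-validated), it only contains the email address", is a comma splice that switches from plural to singular.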
Thunderbird under Linux must import the certificate directly in the application: _Settings_ → _Privacy & Security_ → _Manage Certificates..._.
Select the _Your certificates_ tab there, then _Import..._. Then select the certificate for encryption and signature in the settings of the appropriate email account.
Thunderbird under Linux must import the certificate directly in the application: _Settings_ → _Privacy & Security_ → _Manage Certificates…_.
Select the _Your certificates_ tab there, then _Import…_. Then select the certificate for encryption and signature in the settings of the appropriate email account.
## Step 4: Set up e-mail client
## Step 4: Set up email client
* Instructions for [Outlook in Windows](/guides/en/configure_outlook/)
* Instructions for [Outlook on Windows](/guides/en/configure_outlook/)
* Instructions for [macOS & Apple Mail](/guides/en/install_p12_macos/)
* Instructions for [Thunderbird (external link to Heidelberg University)](https://www.urz.uni-heidelberg.de/de/support/anleitungen/import-der-smime-zertifikate-in-thunderbird){:target="_blank"}
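Review bot: The Thunderbird sentence still reads "Thunderbird under Linux must import the certificate directly in the application", which makes the program the actor and keeps "under Linux" although this same change moves the Outlook entry from "in Windows" to "on Windows". Suggest "On Linux, import the certificate directly in Thunderbird: ..." so the platform wording is consistent. The Thunderbird entry in Step 4 links to a `/de/` page at Heidelberg University, so a short "(in German)" marker next to "external link" would help readers of this English guide.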
...
...
@@ -85,5 +85,5 @@ Download the certificate as __PEM__ (_not_ __PEM bundle__).