!!! Translated by Google Translate !!!
Policy of signature identities (from 9.10.2020)
1. Logging in to the User Portal
Every employee has access to the User Portal. Login is handled by the CTU Shibboleth SSO (Single Sign-On) system, which you also know from other CTU systems, e.g. KOS, AEDO… You can log in from your user profile in USERMAP: https://usermap.cvut.cz -> User profile -> “Settings” tab -> “Personal certificate management” link.
Alternatively, use the direct link https://obelisk.cvut.cz/userportal. Note that because the OBELISK system is used to build the entire digital trust platform, it is not enough to enter only https://obelisk.cvut.cz; that would take you to a section you do not have access to. You must enter the whole address.
Picture 1) Incorrect and correct user portal login screen
If your login is not successful and ends with, for example, the error “Redirect error (access_denied) description: UnknownSubjectException”, the problem is usually in the data entered in the USERMAP system, especially an empty e-mail address, which is a necessary condition for working in the User Portal.
Check whether your e-mail is filled in by logging in to https://usermap.cvut.cz and clicking “User profile” -> section “contact details”.
Picture 2) Data control in the USERMAP system, important items: E-mail, Quality of identity
2. Issuance of a new certificate
2.1. Necessary conditions for issuing a certificate
To own a certificate, a verified identity of the so-called quality A, “Identity fully identified, data verified”, is required. This verification of data, the so-called identification of the user, is performed by authorized people at the CTU components, usually the personnel department, or the CTU Card Publishing House. You can check the quality of your identity by logging in to https://usermap.cvut.cz and clicking “User profile” -> section “identity data”, see Picture 2.
Every employee with a valid employment relationship with CTU is entitled to a signature certificate from the certification authority CESNET CA for remote signing in the internal circulation of CTU documents. In the future, the entitlement to signing certificates from other CAs will depend on the specific business role of the employee.
2.2. Certificate issuance process
2.2.1. CESNET CA
After logging in, the “Certificates for signing” page opens first with a list of certificates. If you are entitled to have a certificate issued, you will see the available button “+ New certificate (CESNET CA)”. Click this button to start the issuing process. If you do not have a quality A identity, the certificate cannot be issued: the button will not be available, or the process will fail.
Picture 3) New certificate – first step
If you are also entitled to another certificate, e.g. a qualified one, you will also see a button for another certification authority (e.g. PostSignum CA).
This operation is verified using a code that the system sends to the user’s primary e-mail address.
Picture 4) New certificate – verification of the operation with a verification code
After verifying with this code, you will be prompted to enter a new PIN for using this certificate. This PIN is firmly tied to the issued certificate: if you forget the PIN in the future, or repeatedly enter it incorrectly and the certificate is locked, you must revoke the certificate and have a new one issued.
Picture 5) New certificate – Enter the PIN for the new certificate and authorize the certificate request
After pressing the “Authorize” button, a certificate request (the so-called request) containing information about the organization (CTU) and the person (name, surname, personal number, primary e-mail) is sent to the certification authority, and the certificate is issued. After generation, the certification authority retains only the serial number of the certificate.
You can view the details of the certificate by clicking on the “=” icon next to this certificate.
Picture 6) New certificate – successful issuance and detail of the certificate
- This certificate is valid for 390 days, after which you must apply for a new certificate in the same way.
- You can revoke the certificate yourself in the “Certificates for signing” tab with the “Revoke” button, after the operation has been authorized.
- Certificates are automatically revoked if you lose your quality A identity or your relationship with CTU.
- In this case the certificate is issued by the CESNET CA certification authority and serves only for the internal circulation of electronic documents in the AEDO system; it is recognized and trusted only by this internal system. Other documents cannot be signed with it, nor can it be used in any other way.
3. Change PIN
3.1. CESNET CA
If you suspect that your PIN has been revealed, you can change it. In the certificate details (see above) you will see the “Change PIN” button next to the “Signature activation: hsm-pwd” item. It is assumed that you remember the current PIN.
Picture 7) PIN change – certificate detail and PIN change button
Picture 8) Change PIN – enter the current and new PIN
After entering the valid current PIN and the new PIN in both fields (New PIN, Confirm PIN) and pressing the “Authorize” button, the PIN is changed.
Picture 9) PIN change – successful change
4. Certificate revocation, blocked certificate, forgotten PIN
If you suspect that the trustworthiness of your certificate has been compromised, you can revoke the certificate and have a new one issued using the same procedure as described above. The same applies if you cannot use the certificate because of a forgotten PIN or because the certificate was blocked after repeated incorrect PIN entries. The blocked status is not propagated to the USERMAP system, so the certificate may be shown there as valid (Picture 2) even though it is shown as blocked in the User Portal (Picture 9). Therefore, in case of problems with signing, check the certificate status here as well.
Picture 10) Certificate revocation – certificate detail and certificate revocation buttons
Picture 11) Certificate revocation – authorization of certificate revocation
Picture 12) Certificate revocation – successful revocation
Certificates of the CESNET certification authority for the internal circulation of Czech Technical University documents are free of charge, so revoking and reissuing them costs nothing. Certificates of other certification authorities are usually charged for, so caution is warranted with them.
5. Certificate renewal
5.1. CESNET CA
CESNET does not issue a so-called subsequent certificate, i.e. one where the request for the next certificate would be signed with the currently valid certificate; renewal is in principle a matter of issuing a new certificate.
Because you can only own one CESNET certificate, you will not see the “+ New certificate (CESNET CA)” button if you still have an existing certificate.
The certificate renewal procedure is therefore two-stage:
a) First, you must revoke the current certificate (with the “! Revoke” button to the right of the certificate).
b) After this revocation, the “+ New certificate (CESNET CA)” button appears on the certificates page; pressing it requests a new certificate according to the procedure above.
If the original certificate has expired, step a) is omitted and the procedure is the same as for a new certificate.
6. Use of the certificate
6.1. CESNET CA – internal circulation of CTU documents
The certificate and its private key are stored in a secure repository, the so-called HSM module, which is certified for use under eIDAS.
The user logs in to an application that supports the remote signing system; this authenticates the user. When a document is to be signed, the application sends a request to use the certificate and the user is redirected to the signing application.
Picture 13) A signature request was sent and the user was redirected to the signature application
This request to use the certificate needs to be authorized using the PIN belonging to this certificate.
Picture 14) Authorizing the use of a certificate using a PIN
After authorization, the signing result is returned by the signing application back to the application from which the signature request originated (AEDO…).
7. Event log
The event log is a way to identify possible errors when using remote signing. If you have ruled out common errors, such as a forgotten PIN or a missing, invalid or blocked certificate, look in the “Event log”, copy the event or take a screenshot, and contact VIC support via the CTU helpdesk.
Picture 15) Logging of OBELISK system user portal events
8. Certificates issued before 9.10.2020
Under the new signature identity policy, the PIN is tied to a specific certificate. If you still have a certificate issued under the old policy, you can set the PIN globally as follows. However, we recommend that you revoke the existing certificate and have a new one issued.
8.1. PIN change
8.1.1. CESNET CA
If you suspect that your PIN has been revealed, or you have forgotten your PIN, you can change it.
This operation is verified using a code that the system sends to the user’s primary e-mail address.
After verification, the PIN is set.