
About the client certificate issuing service

JAIST subscribes to the UPKI service of the National Institute of Informatics (NII). Accordingly, it provides services such as issuing client certificates with the Information Society Infrastructure Research Center.

With this certificate, our university information system provides high-security services, such as VPN connection from outside the university and changing user account passwords.

 

The teachers and students of our university who wish to use the client certificate can issue / renew / revoke the client certificate as described below. At the same time, users are obliged to properly manage the issued client certificates.

[IMPORTANT] About the change to client certificates issued via the J-UPKI System

 

Currently, the client certificate (for S/MIME) issued to JAIST members can be used for the following purposes.

 

  1. Wireless Network Service (SSID: JAIST and eduroam)
  2. An authentication factor of the JAIST-SSO
  3. S/MIME (email with digital certificate and encryption)

 

However, a client certificate (for individual) issued after the maintenance work on the J-UPKI System on 25th Aug. 2023 can be used only for the following purposes.

 

  1. Wireless Network Service (SSID: JAIST and eduroam)
  2. An authentication factor of the JAIST-SSO

The client certificate (for individual) cannot be used for S/MIME.

 

If you want to use S/MIME after that, we can issue another client certificate for S/MIME use.
Please ask RCACI.

Services requiring client certificate

By importing the client certificate into a web browser, mail software, etc., you can access the following services.

Notes on the handling of Certificates

A client certificate is imported into an application (web browser, mail client, etc.) together with its paired private key and is used to prove the user's identity. Therefore, you have to be very careful not to let the certificate containing the private key fall into the hands of others. If the private key is stolen, the user's identity can be spoofed, which may lead to the leakage or falsification of information. If your private key has fallen, or is likely to fall, into the hands of others, please take steps to revoke your client certificate immediately.

 

  1. Do not give the certificate to others, do not import it into a shared computer that is used under a common account, and do not import it into a computer whose identity is unknown.
    Under an environment where other people can access the imported certificate, it is easy for someone to steal your private key. Please make sure that you use the client certificate only on a trusted computer where nobody can access it except you.
  2. When exporting client certificates, protect with proper passwords.
    When exporting and extracting certificates that have been imported into a web browser or email software, etc., please make sure to save them with a proper password. Saving without a password or with a simple or easy password can easily lead to the loss of your private key, so make sure to protect it with a proper password.
  3. Do not place your certificates in a folder (location) where others can see them.
    Keep exported files containing your private key in a place where no one else can access it. Even if the files are password-protected, there is still a chance that your password can be broken.
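
Notes 2 and 3 can be checked mechanically. The script below is an added example, not part of the original JAIST page: it flags exported PKCS#12 files (.p12 / .pfx) that are accessible to anyone other than the owner, and files that open with an empty password. The function names and the directory argument are hypothetical; the password check assumes the openssl command is installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example: audit exported PKCS#12 files (.p12 / .pfx) in a directory.
# Function names and the directory argument are hypothetical.

# perm_exposed FILE: succeeds if group or others have any permission on FILE.
perm_exposed() {
    # Mode string looks like -rw-r--r--; characters 5-10 are group + other.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" != "------" ]
}

# empty_password FILE: succeeds if FILE opens with an empty export password.
# Returns 2 when openssl is not installed, so the caller does not flag it.
empty_password() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# audit_dir DIR: prints one finding per line; status 1 if anything was found.
audit_dir() {
    found=0
    for f in "$1"/*.p12 "$1"/*.pfx; do
        [ -f "$f" ] || continue
        if perm_exposed "$f"; then
            echo "EXPOSED  $f: accessible beyond the owner (fix: chmod 600)"
            found=1
        fi
        if empty_password "$f"; then
            echo "NO-PASS  $f: opens with an empty password (re-export it)"
            found=1
        fi
    done
    return "$found"
}

# Run only when a directory is given, e.g.: sh audit_p12.sh "$HOME/Downloads"
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

A file that passes both checks can still be protected by a weak password; the script detects only the empty one.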

Web browsers available for certificate download

The types of web browsers that can download certificates from the UPKI site are limited.

UPKI specifies that the following web browsers can be used.

It is recommended that you download the certificate on a PC (Windows or macOS).

 

【Windows】

  • Google Chrome
  • Edge Chromium
  • Firefox
  • Internet Explorer (You need to change the settings in advance) (Due to the UPKI system problem, IE will not be able to get certificates from the end of August 2020.)

【macOS】

  • Google Chrome
  • Firefox
  • Safari

Client Certificate Issuance Procedure

Client certificates can be obtained by the following operations.

  1. Apply for issuance from the J-UPKI system (accessible only from the campus LAN including SSL-VPN connection).
  2. Access the UPKI website from the J-UPKI system and download the certificate.
  3. Import the downloaded certificate to the terminal/application.

 

For details, please read the "Client certificate issuance procedure" page.


【appendix】Certificate storage location for each app

Apps etc.: Storage of imported certificates (references for each app)

【Windows】

  • Windows (for wireless LAN configuration (JAIST, eduroam)), Microsoft Edge, Google Chrome, Internet Explorer: Windows Certificate Store (Control Panel -> Internet Options -> Contents)
  • Firefox: Certificate Manager in Firefox (Options -> Privacy & Security -> View Certificates)

【macOS】

  • macOS (for wireless LAN configuration (JAIST, eduroam)), Safari, Google Chrome: Keychain Access.app (Applications → Utilities)
  • Firefox: Certificate Manager in Firefox (Preferences -> Privacy & Security -> View Certificates)

Client Certificate Revocation Procedure

[Notice] Re-issuance of Digital Certificates
If you plan to reissue a certificate after it has been revoked, please prepare in advance an environment that allows you to access the J-UPKI system without using the certificate.
In the case of on-campus
Some time after the revocation, the campus Wi-Fi (SSID: JAIST/eduroam), which uses the certificate for authentication, will become unavailable. Please prepare an environment where you can use wired LAN or JAISTALL.
In the case of off-campus
If you have only a certificate as an authentication factor, SSL-VPN connection will be disabled when it is revoked. Please make sure that you can connect to the SSL-VPN using another authentication factor, such as OTP or FIDO2 authentication.

 

  1. Access the J-UPKI system and log in.
    ※You can access the J-UPKI system only from inside the campus network (or using the SSL-VPN service).
  2. Click the 失効 / Revoke button.
  3. Select the reason for revoking (失効理由を選択し), choose revoke (失効を実行) and click [OK] to confirm.

Please note that this process may take up to 10 minutes.

Client certificate update procedure

This option is available about 30 days before the expiration date of the certificate currently in use.

  1. Access the J-UPKI System and log in (required settings before using IE).
    ※You can access the J-UPKI system only from inside the campus network (or using the SSL-VPN service).
  2. Click the [ 更新 / Update ] button.
  3. The following steps are the same as the 3 steps of issuing a new certificate.

Replacing certificates

When you update/reissue a certificate, please replace the certificate used for each service/browser by referring to the following pages.