About the client certificate issuing service
JAIST subscribes to the UPKI service of the National Institute of Informatics (NII). Accordingly, it provides services such as issuing client certificates with the Information Society Infrastructure Research Center.
With this certificate, our university information system provides high-security services, such as VPN connection from outside the university and changing the user account password.
The teachers and students of our university who wish to use the client certificate can issue / renew / revoke the client certificate as described below. At the same time, users are obliged to properly manage the issued client certificates.
[IMPORTANT] About the change to client certificates via the J-UPKI System
Currently, the client certificate (for S/MIME) issued to JAIST members can be used for the following purposes.
- Wireless Network Service (SSID: JAIST and eduroam)
- An authentication factor of the JAIST-SSO
- S/MIME (email with digital certificate and encryption)
However, a client certificate (for individual) issued after the maintenance work on the J-UPKI System on 25th Aug. 2023 will instead have the following purposes.
- Wireless Network Service (SSID: JAIST and eduroam)
- An authentication factor of the JAIST-SSO
The client certificate (for individual) cannot be used for S/MIME.
If you want to use S/MIME after that, we can issue another client certificate for S/MIME.
Please contact RCACI.
Services requiring client certificate
By importing the client certificate into a web browser, mail software, etc., you can access the following services.
- Using SSL-VPN
- Access JAIST wireless LAN (JAIST, eduroam)
- Electronically sign and encrypt your email (S/MIME)
- Change personal JAIST user account password
Notes on the handling of Certificates
A client certificate is imported into an application (web browser, mail client, etc.) together with its paired private key and is used to prove the user's identity. Therefore, you have to be very careful not to let the certificate containing the private key fall into the hands of others. If the private key is stolen, the user's identity can be spoofed, which may lead to the leakage or falsification of information. If your private key has fallen into the hands of others, or is likely to, please take steps to revoke your client certificate immediately.
- Do not give it to others, do not import it into a shared computer that is used through a common account, and do not import it into a computer whose identity is unknown.
  In an environment where other people can access the imported certificate, it is easy for someone to steal your private key. Please make sure that you use the client certificate only on a trusted computer that nobody can access except you.
- When exporting client certificates, protect them with proper passwords.
  When exporting and extracting certificates that have been imported into a web browser, email software, etc., please make sure to save them with a proper password. Saving without a password or with a simple or easy password can easily lead to the loss of your private key, so make sure to protect it with a proper password.
- Do not place your certificates in a folder (location) where others can see them.
  Keep exported files containing your private key in a place where no one else can access them. Even if the files are password-protected, there is still a chance that your password can be broken.
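The two export rules above can be checked on a macOS or Linux machine before an exported file is stored. The script below is an added example, not part of the original JAIST page; the function names and return codes are assumptions made for this illustration, and the password check needs the openssl command.

```sh
#!/bin/sh
# Audit an exported client-certificate file (.p12/.pfx) before storing it.
# Return codes (chosen for this example): 0 = no finding, 1 = file missing,
# 2 = readable by group/others, 3 = opens with an empty password, 4 = both.

# Permission bits for group and others, e.g. "r--r--" or "------".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# True if the PKCS#12 file can be opened with an empty password.
# A failure can also mean openssl could not parse the file, so a clean
# result is not proof that the export password is strong.
opens_without_password() {
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

audit_export() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    finding=0
    if [ "$(group_other_bits "$f")" != "------" ]; then
        echo "$f: accessible to other accounts; run: chmod 600 \"$f\"" >&2
        finding=2
    fi
    # The password check is skipped when openssl is not installed.
    if command -v openssl >/dev/null 2>&1 && opens_without_password "$f"; then
        echo "$f: no export password set; re-export with a proper one" >&2
        [ "$finding" -eq 2 ] && finding=4 || finding=3
    fi
    return "$finding"
}

# Usage: sh audit_export.sh ~/certs/*.p12
if [ "$#" -gt 0 ]; then
    for p in "$@"; do audit_export "$p" || true; done
fi
```

A result of 0 means only that neither finding applies; the parent folder must still be one that other accounts cannot read.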
Web browsers available for certificate download
Only certain web browsers can download certificates from the UPKI site.
UPKI specifies that the following web browsers can be used.
It is recommended that you download the certificate on a PC (Windows or macOS).
【Windows】
- Google Chrome
- Edge Chromium
- Firefox
【macOS】
- Google Chrome
- Firefox
- Safari
Client Certificate Issuance Procedure
Client certificates can be obtained by the following operations.
- Apply for issuance from the J-UPKI system (accessible only from the campus LAN including SSL-VPN connection).
- Access the UPKI website from the J-UPKI system and download the certificate.
- Import the downloaded certificate to the terminal/application.
For details, please read the "Client certificate issuance procedure" page.
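OS | Apps etc. | Storage of imported certificates (reference for each app) |
---|---|---|
Windows | Windows (for wireless LAN configuration (JAIST, eduroam)) | Windows Certificate Store (Control Panel -> Internet Options -> Contents) |
Windows | Microsoft Edge | Windows Certificate Store (Control Panel -> Internet Options -> Contents) |
Windows | Google Chrome | Windows Certificate Store (Control Panel -> Internet Options -> Contents) |
Windows | Internet Explorer | Windows Certificate Store (Control Panel -> Internet Options -> Contents) |
Windows | Firefox | Certificate Manager in Firefox (Options -> Privacy & Security -> View Certificates) |
macOS | macOS (for wireless LAN configuration (JAIST, eduroam)) | Keychain Access.app (Applications → Utilities) |
macOS | Safari | Keychain Access.app (Applications → Utilities) |
macOS | Google Chrome | Keychain Access.app (Applications → Utilities) |
macOS | Firefox | Certificate Manager in Firefox (Preferences -> Privacy & Security -> View Certificates) |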
Client Certificate Revocation Procedure
[Notice] Re-issuance of Digital Certificates
If you plan to reissue a certificate after it has been revoked, please prepare in advance an environment that allows you to access the J-UPKI system without using the certificate.
In the case of on-campus
Some time after the revocation, the campus Wi-Fi (SSID: JAIST/eduroam), which uses the certificate for authentication, will become unavailable. Please prepare an environment where you can use wired LAN or JAISTALL.
In case of off-campus
If you have only a certificate as an authentication factor, SSL-VPN connection will be disabled when it is revoked. Please make sure that you can connect to the SSL-VPN using another authentication factor, such as OTP or FIDO2 authentication.
- Access the J-UPKI system and log in.
  ※You can access the J-UPKI system only from inside the campus network (or using the SSL-VPN service).
- Click the 失効 / Revoke button.
- Select the reason for revoking (失効理由を選択し), choose revoke (失効を実行) and click [OK] to confirm.
Please note that this process may take up to 10 minutes.
Client certificate update procedure
This option is available about 30 days before the expiration date of the certificate currently in use.
- Access the J-UPKI System and log in (required settings before using IE).
  ※You can access the J-UPKI system only from inside the campus network (or using the SSL-VPN service).
- Click the [ 更新 / Update ] button.
- The remaining steps are the same as the 3 steps of issuing a new certificate.
Replacing certificates
When you update/reissue a certificate, please replace the certificate used for each service/browser by referring to the following pages.
Various operating procedures
- Client certificate issuance procedure
- IE Preparation & Certificate getting procedure
- How to check the validity/revocation status of the client certificate
- Exporting & Importing certificates
- NII Document for import in various Web browsers (Provided by NII)
- NII Document for import in various mailers (Provided by NII)