About the client certificate issuing service
JAIST subscribes to the UPKI service of the National Institute of Informatics (NII). Accordingly, it provides services such as issuing client certificates through the Information Society Infrastructure Research Center.
With this certificate, our university information system provides high-security services, such as VPN connection from outside the university and changing user account passwords.
The teachers and students of our university who wish to use the client certificate can issue / renew / revoke the client certificate as described below. At the same time, users are obliged to properly manage the issued client certificates.
Services requiring client certificate
Notes on the handling of Certificates
A client certificate is imported into an application (web browser, mail client, etc.) together with its paired private key and is used to prove the user's identity. Therefore, you have to be very careful not to let the certificate containing the private key fall into the hands of others. If the private key is stolen, the user's identity can be spoofed, which may lead to the leakage or falsification of information. If your private key has fallen into the hands of others, or is likely to fall into the hands of others, please take steps to revoke your client certificate immediately.
- Do not give the certificate to others, do not import it into a shared computer that is used with a common account, and do not import it into a computer whose identity is unknown.
Under an environment where other people can access the imported certificate, it is easy for someone to steal your private key. Please make sure that you use the client certificate only on a trusted computer where nobody can access it except you.
- When exporting client certificates, protect with proper passwords.
When exporting and extracting certificates that have been imported into a web browser or email software, etc., please make sure to save them with a proper password. Saving without a password or with a simple or easy password can easily lead to the loss of your private key, so make sure to protect it with a proper password.
- Do not place your certificates in a folder (location) where others can see them.
Keep exported files containing your private key in a place where no one else can access them. Even if the files are password-protected, there is still a chance that your password can be broken.
Web browsers available for certificate download
The web browsers that can download a certificate from the UPKI site are limited.
UPKI specifies that the following web browsers can be used.
It is recommended that you download the certificate on a PC (Windows or macOS).
- Google Chrome
- Edge Chromium
- Internet Explorer (You need to change the settings in advance) (Due to a problem in the UPKI system, IE will not be able to get certificates from the end of August 2020.)
- Google Chrome
Client Certificate Issuance Procedure
[ Before you apply for a certificate ]
A client certificate contains the applicant's e-mail address. If you (student) are planning to change your e-mail address, you must get a certificate after you change your e-mail address. If you have changed your e-mail address after the certificate has been issued, you must reacquire the certificate (revocation -> issuance) as soon as possible.
Client certificates can be obtained by the following operations.
- Apply for issuance from the J-UPKI system (accessible only from the campus LAN including SSL-VPN connection).
- Access the UPKI website from the J-UPKI system and download the certificate.
- Import the downloaded certificate to the terminal/application.
For details, please read the "Client certificate issuance procedure" page.
|OS||Apps etc.||Storage of imported certificates (reference for each app)|
|Windows||Windows (for wireless LAN configuration (JAIST, eduroam))||Windows Certificate Store (Control Panel -> Internet Options -> Contents)|
|Windows||Firefox||Certificate Manager in Firefox (Options -> Privacy & Security -> View Certificates)|
|macOS||macOS (for wireless LAN configuration (JAIST, eduroam))||Keychain Access.app (Applications -> Utilities)|
|macOS||Firefox||Certificate Manager in Firefox (Preferences -> Privacy & Security -> View Certificates)|
Client Certificate Revocation Procedure
[Notice] Re-issuance of Digital Certificates
If you plan to reissue a certificate after it has been revoked, please prepare in advance an environment that allows you to access the J-UPKI system without using the certificate.
On campus
Some time after the revocation, the campus Wi-Fi (SSID: JAIST/eduroam), which uses the certificate for authentication, will become unavailable. Please prepare an environment where you can use wired LAN or JAISTALL.
Off campus
If you have only a certificate as an authentication factor, SSL-VPN connection will be disabled when it is revoked. Please make sure that you can connect to the SSL-VPN using another authentication factor, such as OTP or FIDO2 authentication.
- Access the J-UPKI system and log in.
Note: You can access the J-UPKI system only from inside the campus network (or using the SSL-VPN service).
- Click the 失効 / Revoke button.
- Select the reason for revoking (失効理由を選択し), choose revoke (失効を実行) and click [OK] to confirm.
Please note that this process may take up to 10 minutes.
Client certificate update procedure
This option is available about 30 days before the expiration date of the certificate currently in use.
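The points this page makes about an exported certificate file (passphrase protection, a private storage location, the embedded e-mail address, and the 30-day renewal window) can be checked with OpenSSL. The script below is an added example, not part of the JAIST or NII procedures; the function names, the `P12_PASS` variable and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks on an exported client certificate file (.p12/.pfx).
# The passphrase is read from $P12_PASS so it never shows up in `ps` output.

# Succeeds only if group and others have no access to the file.
p12_mode_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Succeeds if the file can NOT be opened with an empty passphrase.
p12_has_password() {
  ! openssl pkcs12 -in "$1" -passin pass: -nokeys -noout >/dev/null 2>&1
}

# Prints the client certificate as PEM; the private key is never written out.
p12_cert() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null
}

# Prints the e-mail address(es) embedded in the certificate.
p12_email() {
  p12_cert "$1" | openssl x509 -noout -email
}

# Succeeds if the certificate expires within $2 days; returns 2 if unreadable.
p12_expires_within() {
  pem=$(p12_cert "$1") || return 2
  ! printf '%s\n' "$pem" |
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Builds constructed sample files in directory $1: a 20-day self-signed
# certificate exported once properly (good.p12) and once badly (weak.p12).
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 20 \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -subj "/CN=Constructed User/emailAddress=user@example.com" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -out "$1/good.p12" -passout env:P12_PASS && chmod 600 "$1/good.p12"
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -out "$1/weak.p12" -passout pass: && chmod 644 "$1/weak.p12"
  rm -f "$1/key.pem"
}
```

A file that fails `p12_has_password` or `p12_mode_private` should be re-exported with a proper passphrase and moved to a location only you can read.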
Various operating procedures
- Client certificate issuance procedure
- IE Preparation & Certificate getting procedure
- How to check the validity/revocation status of the client certificate
- Exporting & Importing certificates
- NII Document for import in various Web browsers (Provided by NII)
- NII Document for import in various mailers (Provided by NII)