Services requiring client certificate

About the client certificate issuing service

JAIST is subscribed  to the UPKI service of the National Institute of Informatics (NII), accordingly, it provides services such as issuing client certificates with the Information Society Infrastructure Research Center.


With this certificate, our university information system provides high security services, such as VPN connection from outside the university and changing of user account password.


The teachers and students of our university who wish to use the client certificate can issue / renew / revoke the client certificate as described below. At the same time, users are obliged to properly manage the issued client certificates.

Notes on the handling of Certificates

Do not pass your client certificate to others because it is for proving your identity. If your certificate might have been accessed by someone else, revoke it immediately.

  1. Do NOT give your client certificate to others or copy it for them.
    Spoofing, such as browsing and falsification of information might occur.
  2. Be sure to create a password when you export and save your certificate in your computer.
    When you export your certificate, be sure to set a password. If the file that is not protected by password is stolen, it may be abused.
  3. Do NOT save your certificate in folder (directory) which other persons can access.
    It should not be stolen even if it is in an encrypted certificate file. Save it in a folder where other persons can not access.

Issue / Update / Revoke of client certificate

You can issue, update and revocation UPKI client certificates by using the J-UPKI system.
To get a certificate, you can use only Firefox or Internet Explorer(IE), in case of using IE you must change some settings beforehand.


In the certificate, the user's e-mail address is registered、
If you would like to change your e-mail address, please get the certificate after the address change.
Otherwise, please get a certificate again if you change your address.



Please note UPKI service only allows issuing only one certificate at a tinme and downloading that certificate once. Unlike the previous certificate issuing system which was used until 2015 and allowed downloading the same certificate many times. For the case of requiring and using the certificate in several locations, please export and import the acquired certificate and use it.

Notes for Issuing UPKI Client Certificate

The eligible Web browsers to issue client digital certificates are Internet Explorer (IE) and Firefox.  (If you try to use other Web browsers, issuing will not be successful.)

  • To obtain the digital certificate via Windows
  • To obtain the digital certificate via macOS
    • Firefox: No need to change any setting. In order to access Wireless LAN (JAIST or eduroam), the digital certificate file must be exported from Firefox and imported in Keychains Access.


   ・Digital certificate export procedure

   ・Digital certificate import procedure (PDF file)

      - Internet Explorer

      - Firefox

      - Safari (How to import in Keychains Access)



 The client digital certificate can be downloaded only once. If you need it for 2 or more devices, please export your obtained certificate from the issuing Web browser and import in other software or devices.




Issuing a new certificate

The steps to apply for issuing a certificate are as follows.

  1. Login to the J-UPKI system (if you use IE, change the settings beforehand).
    ※Access to the J-UPKI system is possible only from the campus network (also possible using the SSL-VPN connection to the network).
  2. Click [発行] [Issue].
  3. Wait for the completion of the certificate issuance preparation. The process might take up to 10 minutes.
  4. Click [証明書をダウンロード] [Download certificate] (this will transfer you to the NII site for certificate issuance).
  5. On NII's certificate download site, proceed to 【STEP 2】to import the certificate into the web browser. If any part is not clear, please refer to the NII issuing manual (skipping the part  "【SETP1】アクセスPINを入力" "[SETP1] input access PIN").


In case of using Firefox

In【STEP2】鍵長を選択する.(choose the key length)


Set "Key length" to "High Grade"
鍵長: 高強度の暗号化


    ・After clicking [発行] (Issue) button, please don't click on anything in the web-page until 【STEP3】 screen appears.     

    ・Do not click [一つ戻る] (Back to previous) after clicking [発行] (Issue), otherwise the certificate won't be obtained.

In【STEP3】証明書を受け取る.(Obtaining the certificate)

To import the certificate into the browser please approve, you can confirm the import here.

In【STEP4】 証明書の確認 (Confirm the certification usage)









In case of using Internet Explorer

If you have not changed the setting of IE, please change the setting. You can find a guide to make the changes here.

In【STEP2】 CSPと鍵長を選択 (choose the CSP and the key length)

CSP: Microsoft Enhanced Cryptographic Provider v1.0 (Please change the default set value)  
: 2048bit (Please change the key length from default set value)

・After clicking the [発行] (Issue) button、please wait without doing anything until the【STEP3】screen is displayed.

・Do not click [一つ戻る] (Back to previous) after clicking [発行] (Issue), otherwise the certificate won't be obtained.

In【STEP3】証明書を受け取る.(Obtaining the certificate)

In【STEP4】 証明書の確認 (Confirm the certification usage)

Certificate renewal

This option is available about 30 days before the expiration date of the certificate currently in use.

  1. Access the J-UPKI System and log in (required settings before using IE)。
    ※You can access J-UPKI system only from inside  the campus network (or using the SSL-VPN service).
  2. Click the [更新] (Update) button.
  3. The following steps are the same as in the  3 steps of (Issuing a new certificate).

Certificate revoking

  1. Access the J-UPKI system and log in.
    ※You can access J-UPKI system only from inside  the campus network (or using the SSL-VPN service).
  2. Click the [失効] (Revoke) button.
  3. Select the reason for revoking (失効理由を選択し), choose revoke (失効を実行) and click [OK] to confirm.

Please note that this process may take up to 10 minutes.

To use the certificate with another application

If you want to use the certificate with other applications, you need to export the certificate and then add it to that other application.

To use the campus wireless LAN (JAIST, eduroam) if the certificate was obtained using Firefox, please import the certificate into Windows (IE) or key chain (in case of MacOS).

Others manuals