
[Important] Client certificates will be revoked (for certificates issued before 2020/12/24)


Old certificates issued before December 24, 2020 cannot be used after January 17, 2022.
(For certificates issued on or after December 25, 2020, please refer to this page.)

 


The UPKI digital certificate issuing service used by JAIST is switching the intermediate certificate authority. Client certificates issued on or after December 25, 2020 (new certificates) will be issued by the new Intermediate Certification Authority. However, client certificates issued before December 24, 2020 (old certificates) will no longer be available when the Intermediate Certification Authority expires. If you are using the old certificates, please read the following notes and procedures to switch to the new certificates.

* There is no need to take immediate action in the following cases.
   - You do not need a certificate (e.g. you will leave JAIST by December)
   - You can use the one-time password

[Notice]

Confirm that you can use the campus LAN or use SSL-VPN with One Time Password (OTP) before switching

Before issuing a new certificate, you need to "revoke" the old one. After revocation, the old certificate will not be available for services that use client certificates (SSL-VPN and Wi-Fi). In particular, if you are off-campus, please make sure that you can connect to SSL-VPN using OTP or FIDO2 before starting the procedure. (About One Time Password)

Allow plenty of time when switching to the new certificate

Normally, the issuance and revocation of a digital certificate is processed in about 30 minutes. However, since around April 2021, it has been confirmed that the process can take several hours to several days. Through the National Institute of Informatics, which provides the UPKI digital certificate issuing service, we have asked the certification authority operators to improve the processing time, but improvement may take some time because of the COVID-19 pandemic. Please revoke the old certificate and issue the new certificate when you have enough time (several days).

Certificates cannot be issued or revoked during maintenance of the UPKI service

The J-UPKI system uses the UPKI service of the National Institute of Informatics (NII). When the UPKI service is not available due to maintenance, etc., the J-UPKI system will also not be available. Please refer to the following link for the UPKI service announcement.

Process for switching to a new certificate

1. Revoke old certificate

Access the J-UPKI system (https://pki.jaist.ac.jp/, SSL-VPN connection or campus LAN is required) and click 失効 / Revoke.
When you apply for revocation, "状態/Status" will be "失効申請中 / Revoke Processing".
* It may take some time to revoke the old certificate.


2. Issue new certificate

After the revocation is completed, you will be able to apply for issuance on the J-UPKI system.
Click on the 発行 / Issue button to apply for issuance.
Once the issuance process is complete, 証明書をダウンロード / Download certificate will be displayed on the J-UPKI system. Click it to access the UPKI website (National Institute of Informatics).
When the screen shown in [STEP2] appears, click 発行 (Issue) only once to download the p12 file.
* Please click the button only once. After clicking the button, it may take some time before you get a response.
* If you are prompted to enter your password on the [STEP1] screen, please contact us.


3. Import the new certificate

Please import the new certificate to your PCs, tablets, smartphones, web browsers, apps, etc.
You can check the initial password required when importing a new certificate on the J-UPKI system.
Please refer to this page for the importing process.
* It is recommended to delete the old certificate unless it is used for email encryption.

If you find it difficult to switch certificates, the help desk staff will assist you.
Please come to the RCACI reception desk when the help desk staff is available (click here for the calendar).

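For more information on the switch of intermediate certificate authorities, please visit the following web page published by the UPKI digital certificate issuing service.
【重要・要対応】UPKI電子証明書発行サービス 中間認証局の切り替えについて ("[Important / Action Required] Switching the Intermediate Certificate Authority of the UPKI Digital Certificate Issuing Service", Japanese page)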

 

 

[FAQ about certificate switching]
Q. Can I switch my certificate from off-campus?
A. If you have a one-time password (OTP), yes. Please follow the steps above after connecting to the SSL-VPN. If you don't have an OTP, please come to the campus.

Q. I am asked to enter "password". What do I need to enter?
A. Please refer to FAQ "What is the 'password' for issuing/importing certificates?".

Q. The revocation process has not been completed even after several days.
A. First, please access the J-UPKI system and check the "状態/Status".
    If the status is still "有効 / Valid" instead of "失効申請中 / Revoke Processing", the revocation request has not been submitted. Please submit the revocation request again.
    If the blue "発行 / Issue" button is clickable, please proceed to Step 2 above.
    If the status remains "失効申請中 / Revoke Processing" for more than 3 business days, please contact the Center.

Q. After renewing the certificate, authentication with JAIST-SSO (Webmail, SSL-VPN, etc.) fails.
A. The new certificate may not be available for authentication. Please see the "When login fails in JAIST-SSO" page.

Q. After renewing the certificate, I cannot connect to the campus Wi-Fi (SSID=JAIST, eduroam).
A. The old certificate is probably still being used for on-campus Wi-Fi authentication.
First, check that the certificate has been imported into the OS by referring to "How to check the validity/revoked of the client certificate".
After that, refer to "How to Replace Digital Certificates for Wi-Fi", delete the old Wi-Fi setting, set it again, and then try the connection.

Q. My certificate has not expired yet, do I need to switch certificates?
A. Yes, you need to switch certificates. The certificates issued before December 24, 2020 will no longer be available regardless of the expiration date.

Q. How can I connect to the campus network during the certificate revocation/issuance process?
A. When you are on campus -> Use wired LAN or JAIST-ALL.
  When you are off-campus -> Use SSL-VPN connection using OTP.

 

If you have any questions, please contact us via the inquiry form or email (isc-query[at]ml.jaist.ac.jp).
