Generation 4 GEANT Trusted Certificate Service TCS

The Trusted Certificate Service provides an easy and quick way to get certificates that are suitable for use in national and global e-Infrastructures, and with all major research collaborations.

This service is provided to qualified users (employees and most of the students) of all Dutch research and academic institutions through SURF, the collaborative organisation for ICT in Dutch education and research, in collaboration with your own institution. As an end-user you can obtain personal and personal software agent certificates from this service directly. ICT staff and service operators can also get server certificates for combined public web trust and e-Infrastructure use from TCS via their institutional IT department.

Getting a TCS G4 certificate (all browsers)

Visit the web interface below, log in with your institutional account, and select the proper certificate profile. This applies to new applications as well as to renewals and reissuance. Experienced users can just follow the steps below:

  1. Request a new TCS authentication certificate now from Sectigo

  2. In the dialog box, type (part of) your organisation name, and proceed to login there as usual
  3. Select a product:
    • IGTF MICS Personal - your preferred certificate: for authentication and accessing Research and e-Infrastructures like the DNI, GinA, WLCG, EGI, &c ('grid')
    • Personal certificate - for email signing and signing of simple (Word) documents, but not PDFs
    • IGTF MICS Robot Personal - credentials for automated processes and software agents that are running under your personal control
  4. Select the validity terms. For IGTF certificates this is always 395 days. For email certificates, you can also select 730 and 1095 days (2 and 3 years, respectively).
  5. For the Enrollment Method, choose "Key Generation" and select the Key type RSA - 4096. Do not choose any other option here (they are for experts only).
  6. Think of a strong passphrase (at least 12 characters), memorize it, or keep it in a secure password manager, then enter it in the dialog boxes (twice)
  7. Make your way through an End-User License Agreement (do click "Accept", but also: if you are ever phished or share the key, call your helpdesk)
  8. Download the certificate in a safe place and make a backup copy of the file. The filename is something.p12
  9. Convert the blob you get from Sectigo into useful formats with the script below.
    Do not use the blob as-is, not even for import into a browser or email client! - on Linux, MacOS, and Cygwin systems, always regularise it first with the install script.
  10. Import your certificate in your browser and/or email client

Personal Certificate unmangling script for POSIX systems (tcsg4-install-credential.sh)

The ".p12" (PKCS#12) file with your certificate and private key that you download from Sectigo at the end of the process should not be used as-is, since it contains legacy components that will upset your browser ... almost permanently. Therefore unpack it and remove the unnecessary and harmful variant of "USERTrust ..." that is signed by "AAA Certificate Services", e.g., by using this script.

The "tcsg4-install-credential.sh" script will take a downloaded PKCS#12 (.p12) blob that you got from Sectigo, and convert it into a series of files you can use for grid, personal, and browser usage. You must enter the password you used during certificate application, and this will be the same password also for your newly created private secret keys.
This script is applicable to Linux, Cygwin, Solaris, BSD, MacOS, and similar operating systems.

  • Download tcsg4-install-credential.sh, e.g. by:
    curl -o tcsg4-install-credential.sh https://ca.dutchgrid.nl/tcsg4/tcsg4-install-credential.sh
  • Start it:
    sh ./tcsg4-install-credential.sh -R certs.p12
    or make the script executable and install it in your $PATH

Usage: tcsg4-install-credential.sh [-d destdir] [-p passfile] [-r|-R] [-f]
       [-n name] [-b backupprefix] PKCS12.p12

   -d destdir    write result files to <destdir>
                 if <destdir> contains "globus", also make the
                 symlinks userkey.pem and usercert.pem for GCT tools
   -p passfile   file with the password to use (same for input
                 and for output PKCS#12 and private keys)
   -r            use EEC commonName as basis for new filenames
   -R            use EEC commonName and date as basis for filenames
   -f            do not make backups of existing files
   -n name       set friendly name of the credential in corrected
                 PKCS#12 (.p12) file produced. If unset, is taken
                 from the commonName of the EEC and issuance date
   -b bckprefix  prefix of the filename to use when making backups
   --csr         generate a CSR request file for future use in destdir

   PKCS12.p12    filename of the blob produced by Sectigo 

Notice: do NOT import the blob from Sectigo directly into
anything, since it may corrupt your key chain. Always use
the "package-name.p12" file created by this script
so for example:
$ tcsg4-install-credential.sh --csr grid-robot-email-test-2020042202244CEST.p12
Passphrase (existing) for your secret key: ENTER_YOUR_PASSPHRASE_HERE
Processing EEC certificate: Robot - grid.sysadmin@nikhef.nl
  (friendly name: Robot - grid.sysadmin@nikhef.nl issued 22 Apr 2020)
Processing CA  certificate: GEANT eScience Personal CA 4
Processing EEC secret key
Repackaging Robot - grid.sysadmin@nikhef.nl issued 22 Apr 2020 as PKCS12
Generating CSR file for future use and renewal
The following files have been created for you:
  -rw-r--r-- 1 davidg None 2236 Apr 23 14:42 /home/davidg/.globus/cert-grid-robot-email-test-2020042202244CEST.pem
  -rw-r--r-- 1 davidg None 2469 Apr 23 14:42 /home/davidg/.globus/chain-grid-robot-email-test-2020042202244CEST.pem
  -rw-r--r-- 1 davidg None 1054 Apr 23 14:43 /home/davidg/.globus/request-grid-robot-email-test-2020042202244CEST.pem
  -rw------- 1 davidg None 1834 Apr 23 14:42 /home/davidg/.globus/key-grid-robot-email-test-2020042202244CEST.pem
  -rw------- 1 davidg None 5275 Apr 23 14:42 /home/davidg/.globus/package-grid-robot-email-test-2020042202244CEST.p12
Making Grid Community Toolkit compatible link in /home/davidg/.globus
$ ls -l ~/.globus/
total 26
-rw-r--r-- 1 davidg None 2236 Apr 23 14:42 cert-grid-robot-email-test-2020042202244CEST.pem
-rw-r--r-- 1 davidg None 2469 Apr 23 14:42 chain-grid-robot-email-test-2020042202244CEST.pem
-rw------- 1 davidg None 1834 Apr 23 14:42 key-grid-robot-email-test-2020042202244CEST.pem
-rw------- 1 davidg None 5275 Apr 23 14:42 package-grid-robot-email-test-2020042202244CEST.p12
-rw-r--r-- 1 davidg None 1054 Apr 23 14:43 request-grid-robot-email-test-2020042202244CEST.pem
lrwxrwxrwx 1 davidg None   48 Apr 23 14:43 usercert.pem -> cert-grid-robot-email-test-2020042202244CEST.pem
lrwxrwxrwx 1 davidg None   47 Apr 23 14:43 userkey.pem -> key-grid-robot-email-test-2020042202244CEST.pem
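
The chain clean-up described above, as an added example that is not taken from tcsg4-install-credential.sh: it lists the certificates found in `openssl pkcs12 -nokeys` output and drops the one issued by "AAA Certificate Services". The function names and the sample bundle (including the "USERTrust Example Root" name and all certificate bodies) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real input: openssl pkcs12 -in blob.p12 -nokeys
# (openssl prints subject= and issuer= lines before each PEM block).
LEGACY_ISSUER='AAA Certificate Services'  # cross-signer named on this page

# Print "subject<TAB>issuer" for every certificate on stdin.
list_chain() {
  awk '
    /^subject=/ { subj = substr($0, 9) }
    /^issuer=/  { iss = substr($0, 8) }
    /^-----BEGIN CERTIFICATE-----/ { printf "%s\t%s\n", subj, iss; subj = ""; iss = "" }'
}

# Copy PEM blocks to stdout, skipping certificates issued by LEGACY_ISSUER.
filter_legacy_chain() {
  awk -v legacy="$LEGACY_ISSUER" '
    /^issuer=/ { drop = (index($0, legacy) > 0) }
    /^-----BEGIN CERTIFICATE-----/ { inpem = 1 }
    inpem && !drop { print }
    /^-----END CERTIFICATE-----/ { inpem = 0; drop = 0 }'
}

# Constructed sample in the shape of "openssl pkcs12 -nokeys" output;
# names other than the two quoted on the page and all bodies are made up.
sample_bundle() {
  cat <<'EOF'
Bag Attributes: <No Attributes>
subject=CN = Example User user@example.org
issuer=CN = GEANT eScience Personal CA 4
-----BEGIN CERTIFICATE-----
RUVDLWNvbnN0cnVjdGVk
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = GEANT eScience Personal CA 4
issuer=CN = USERTrust Example Root
-----BEGIN CERTIFICATE-----
SUNBLWNvbnN0cnVjdGVk
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = USERTrust Example Root
issuer=CN = AAA Certificate Services
-----BEGIN CERTIFICATE-----
TEVHQUNZLWNvbnN0cnVjdGVk
-----END CERTIFICATE-----
EOF
}

sample_bundle | list_chain                 # audit: who issued what
sample_bundle | filter_legacy_chain | grep -c 'BEGIN CERTIFICATE'
```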

I have my certificate in one system or browser, but I need it in another

The certificates from Sectigo are delivered to you as PKCS#12 or ".p12" files. You can import these in your browser, email client, or keychain (preferably after the processing described above):

Do you have your certificate in, e.g., Internet Explorer, but now need it in Firefox, or in your MacOS keychain, or vice versa? The browser in which you can use your certificate holds two elements you need to export: the certificate itself and the private key. For this reason, you must protect any intermediate files you create with a passphrase - the browser will ask you for it.
Precise steps differ per browser, but generally include "Export" or "Backup" of the certificate and private key to a ".p12" or "PKCS#12" file. Once you have the ".p12 file", import it using "Restore" or by double-clicking on the .p12 file:
Internet Explorer & MS Windows
  1. Open Internet Explorer (iexplore.exe)
  2. From the menu bar, select "Tools" -> "Internet Options"
  3. In the tabbed dialog box, select the "Content" tab
  4. Click "Certificates"
  5. In the "personal" tab, select your valid certificate
  6. Click "Export", and "Next" in the Wizard dialog
  7. Select "Yes, export the private key" and click "Next"
  8. In the "File format" dialog, keep "Personal Information Exchange" selected, "include all certificates in the path if possible" must be checked, and "Enable certificate privacy" must be checked. Do not delete the private key. Click "Next"
  9. In the security screen, check "Password" and provide a strong but memorable passphrase twice. Any Encryption will do here. Click "Next"
  10. In the "File to Export" dialog, provide a filename (the ".pfx" is similar to ".p12"). E.g. "M:\security\DigiCert\personalrobot.p12", and click "Next"
  11. Review what you provided and click "Finish" in the next dialog.
  12. Provide the existing passphrase if you're asked for it
  13. It will say "Export was successful"
  14. Close all dialog boxes again
Alternatively, you can start the "certmgr.msc" control panel, open "Current User\Personal\Certificates", and use the context menu of your valid personal certificate to "All Tasks" -> "Export" and follow the same steps from "Certificates" onwards.
You can now use the ".pfx" file for import elsewhere. Rename it to ".p12" if needed for other browsers.
  1. Navigate to the folder containing your ".p12" file using the Explorer
  2. Double-click on the .p12 or .pfx file - a Certificate Import Wizard will open
  3. Select the "Current User" store location, and click Next
  4. Confirm the file you want to import and click Next
  5. Provide the passphrase used to protect the file, and check the "Enable strong private key protection" box. Also marking it as exportable will be good, but not needed. Click Next
  6. Let Windows automatically select the certificate store based on the format, so just click "Next"
  7. Click "Finish" in the final dialog.
  8. You're done!
There are screenshots in the step by step guide under point 20.
Firefox
To export from Firefox, see the example above - it will also give you the PKCS12 (.p12) file.
  1. Open the Options screen and the "Privacy & Security" section (type "about:preferences#privacy" in the address bar)
  2. Scroll to the very bottom of the page to find "View Certificates..."
  3. Click on "View Certificates..."
  4. In the dialog box, click on "Import..."
  5. Select the file (.p12 or .pfx) using the file selection box and click "Open"
  6. "Please enter the password that was used to encrypt this certificate backup:", do that and click OK
  7. You're done!
Chrome and Safari
Chrome and Safari use your operating system browser store.

In your profile on Windows, use Internet Explorer or certmgr.msc to export. Start certmgr.msc, click "Personal" and then "Certificates", and right-click for context menu to go to "All Tasks" and select "Export".

On Apple MacOS, use your keychain to backup (export) your certificate and key, as explained in Export your certificate from Apple's KeyChain
Chrome and Safari use your operating system browser store:

On Windows, double-click on the p12 file and follow the "Internet Explorer" instructions above. There are screenshots in the step by step guide under point 20.

On Apple MacOS, opening a p12 file will open it in Keychain; follow the Apple Import guide from DigiCert.

Need to re-new or re-issue your personal certificate?

Renewal and re-issuance are not needed for your TCS personal certificates, since you can just request a completely fresh one every time! In case you need to revoke your current certificate because your private key is compromised (e.g. you posted it on-line by accident, or your client computer was infected with malware), please contact your institutional helpdesk to get it revoked. Then, get a new one with a new keypair.

No access to the TCS service?

  • Test first by going to https://cert-manager.com/customer/surfnet/idp/clientgeant and type (part of) the name of your institution
  • If you are able to login, verify your attributes at https://cert-manager.com/Shibboleth.sso/Session
  • No luck finding your organisation? Ask your institute help desk to request "that the AAI responsible person or SURFnet ICP requests a connection be made to Sectigo Cert-Manager in the SURFcontext dashboard and to permit inclusion of the IdP in eduGAIN"
  • You find your institution but cannot log in (it complains about missing attributes) but you are an employee? Ask your institute helpdesk to request "that the eduPersonEntitlement to access the TCS, namely urn:mace:terena.org:tcs:personal-user, is set by default for all employees, since they are eligible anyway because the organization keeps a copy of a photo-ID to fulfil the requirements of the 'Wet op de Loonbelasting'"
  • Still getting stuck and does your institution need help? Tell them to contact the SURFnet product manager for TCS. You can contact your own organisation by mail at scs-ra@instelling.nl

Downloading TCS Server and SSL Certificates

To help you generate proper requests for the TCS Server SSL profiles (OV Multi-domain, IGTF Multi-domain, and EV) that only have the necessary CN field, use this script.

The file formats for server SSL certificates that are returned by Sectigo from the SCM page (with the Select button after "Download The Certificate") are all either corrupt or in the wrong order. The only format that is actually correct is the binary "PKCS#7" format.
However, this file is not directly usable by most servers, so you should download this ".p7b" file and then convert it for use. The following script will do that for you:

Usage: tcsg4-install-servercert.sh [-d destdir] [-r|-R] [-f]
       [-b backupprefix] <PKCS7.p7b>

   -d destdir    write result files to <destdir>
   -r            use EEC commonName as basis for new filenames
   --no-rename   use the base filename of the P7B file for new filenames
   -R            use EEC commonName and date as basis for filenames
   -f            do not make backups of existing files
   -b bckprefix  prefix of the filename to use when making backups

   <PKCS7.p7b>   filename of the PKCS#7 blob produced by Sectigo,
                 the self-enrolment ID number, or
                 the URL to the PKCS#7 blob from the success email
                 remember to "quote" the URL to preserve the ampersands