(DC) Client Certificate

Who needs a Client Certificate (aka Digital Certificate)?

Individuals who process or work with sensitive data are the ideal candidates for a client certificate, which ensures that such data is encrypted when transmitted by email or other means and so is protected from accidental disclosure. These are high-level guidelines and provide only a broad outline of likely users. Consult your desktop support staff or the Information Security Office if you have questions.

Examples:

  • Researchers who have human subject information.

  • Medical Staff who deal with HIPAA information.

  • Faculty members who work with student information protected by FERPA.

  • Any Faculty or Staff who wishes to email CATEGORY I data to their colleagues or others.

  • Anyone sending email who wants recipients to be able to verify that it was sent by them, from their legitimate email account.

See the Extended List of Category-I Data for examples of what constitutes Category-I data.

Need a client certificate?

Click the button below for instructions and the steps needed to complete the request and to install the certificate after it has been issued.

Client/Digital Certificate Caveats

Important facts regarding Client/Digital certificates:

  • Available only to faculty and staff. Student use may be considered in the future.

  • The certificate is only valid for three (3) years. After that, a new or renewed certificate must be requested. It is highly recommended that you request and obtain a new certificate before the previous one expires.

  • Certificates are for use by individuals. Role-based certificates are not supported.
    This means that the name on a certificate is an individual's name rather than a title such as President, Provost, Professor, etc.

  • These are for individual use and cannot be used on a server. Please see (DC) SSL Certificates.

  • Certificates are not built into any Web or token-based authentication methods offered by ITS on campus at this time.

What is a digital certificate?

A digital certificate is a pair of files on your computer that you can use to create the digital equivalent of handwritten signatures and sealed envelopes. Each pair of files is divided into two parts: the public key and the private key. The public key is the portion that is shared; the private key is the portion that you, and only you, should have access to. Your computer and programs know how to share only the public portion of your keys so that others can see it, while keeping your private key secure.

For example, when sending an email message, you can digitally sign the message by attaching your digital certificate. Once they receive the message, recipients can verify that it came from you by viewing the small attachment on the email, which contains your public key information. Depending on the email client, it may be represented as an attachment or displayed in the header. This protects you from people who might try to "spoof" an email that looks as if it came from you but was really sent from a different email account.

You can also use digital certificates to electronically sign documents. This is one reason why it is extremely important to protect the private key portion of your certificate files and never share it. You could be legally bound to something, and it would be extremely difficult to prove that it was not you who digitally signed the message.

When you encrypt a message, you create the equivalent of a sealed envelope so that only you and the recipient can see the message. Normally, when you send an email message, it is the electronic equivalent of a postcard: anyone who has access to the network between you and the recipient can potentially read that postcard. With the encryption offered by digital certificates, you can avoid this problem. To encrypt, you use the recipient's public key, which is easy to find using the university's directory. Only the recipient has the private key that allows the message to be decrypted.

The digital certificates available from ITS are issued by an independent, recognized and mutually trusted third party that guarantees that the certificate is valid, and therefore that you can trust it. This third party is known as a certificate authority. The university has chosen the InCommon Federation, which uses Comodo Ltd., as its certificate authority.

SUMMARY
Security provided by certificates

  • Identification / Authentication:
    The persons or entities with whom we are communicating are really who they say they are.

  • Confidentiality:
    The information within the message or transaction is kept confidential. It may only be read and understood by the intended sender and receiver.

  • Integrity:
    The information within the message or transaction is not tampered with, accidentally or deliberately, en route without all parties involved becoming aware of the tampering.

  • Non-Repudiation:
    The sender cannot deny sending the message or transaction, and the receiver cannot deny receiving it.

  • Access Control:
    Access to the protected information is only realized by the intended person or entity.

All of the above security properties can be achieved and implemented through the use of Public Key Infrastructure (PKI), that is, digital certificates.

What makes up a digital certificate?

The electronic files that comprise the digital certificate contain:

  1. The person's name

  2. An email address

  3. A serial number

  4. A public key

  5. An expiration date

  6. A digital signature

When you download a digital certificate, you will receive both the public and the private key. The public key is the part you share: others use it to verify the emails you sign and to encrypt emails to you. The private key is the part stored on your computer; it is what you sign with and what decrypts mail sent to you. You should never share the private key(s).
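As an added illustration (not code from the ITS page or its software), the Go program below builds a certificate carrying the six fields listed above and then performs the signing, verifying, encrypting and decrypting that the "What is a digital certificate?" section describes. It is self-signed rather than CA-issued, and the names, addresses and serial number used with it are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewIdentity issues a self-signed cert with the page's six fields plus the matching private key (real ones are CA-signed).
func NewIdentity(name, email string, serial int64, years int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),                // 3. serial number
		Subject:        pkix.Name{CommonName: name},        // 1. the person's name
		EmailAddresses: []string{email},                    // 2. email address
		NotBefore:      time.Now(),
		NotAfter:       time.Now().AddDate(years, 0, 0), // 5. expiration (page: 3 years)
	}
	// 4. public key goes in; 6. the digital signature is produced here
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // the shareable public half
	return cert, key, err
}
// Sign is the "handwritten signature": only the holder of the private key can make it.
func Sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil)
}
// Verify needs only the sender's certificate, which is all a recipient ever holds.
func Verify(sender *x509.Certificate, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig, nil) == nil
}
// Seal is the "sealed envelope": encrypted to the recipient's public key; only Open with the private key reads it.
func Seal(recipient *x509.Certificate, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient.PublicKey.(*rsa.PublicKey), msg, nil)
}
func Open(key *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, sealed, nil)
}
```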
