A data security specialist by Swiss Post

Main section

3.1. Issuing certificates with Managed PKI


The intention of this guide is to show MPKI users how to create certificates using the established setup without a CMC interface. 

This is what the interface should look like for you on ra.swisssign.net:

You can see the available accounts in green. Normally, you’ll only have one account shown here.

Yellow indicates which access certificate you are currently logged in for.



Now let’s move to the step-by-step instructions for issuing a certificate:

1.Click on ‘New’ under ‘Certificates’ to create a certificate.

A selection of products will now be available. Select a product and click on ‘Next’ without entering anything in ‘Voucher code’.

2. You’ll then arrive at ‘Select the validity period’. Here you are confirming how long the created certificate is valid. This is a maximum of 3 years for email certificates. The selection is skipped for SSL certificates, as these can only be issued for 1 year. Select the validity period and continue by clicking ‘Proceed’.

3. In the third step, you have to accept the Subscriber Agreement to be able to continue. Clicking on the Participation Agreement or the Certificate Service (underlined and in blue) will download the respective documents as PDF files.

Once you have read the Subscriber Agreement, click on the box and ‘I accept the above conditions’ to continue.


4. For SSL certificates, we ask that you enter your CSR in the next step. Unfortunately, we cannot provide you with support with this. We have an explanation why this is so, and provide an example for creating a CSR with OpenSSL, on the following page:



If this message appears:

If the CSR contains attributes that are not supported in the selected product, you will receive the above message. You can continue by reading this and clicking on ‘Next’.

The CSR is not mandatory for email certificates. You can therefore click on ‘Next’ without inserting anything.

5. In the next step, you are required to specify the necessary attributes for the certificate.
Some are carried over by the CSR, others may have to be entered manually. As each product requires different attributes and this is a brief guide, we will not give further details about entering attributes. You can find a detailed guide in the ‘User guide’ document.

6. The certificate can be requested as soon as all attributes have been specified. All certificate data will be shown again for checking. If there are any errors, changes can be made either via the menu line or by clicking ‘Back’.

If no CSR has been specified, a password must be set. The following guidelines apply:

Please note that we cannot reset lost passwords. You then need to click on the ‘Request certificate’ button.

7. The last step involves approving, issuing and downloading the created certificate.

To do this, click on ‘Approve’ to the left of the certificate shown. Confirm approval on the page that will now have loaded by clicking on ‘Confirm approve’.

The certificate is now valid and the certificate validity period will begin. To download the created certificate, click on ‘Download/Attributes’.

There is a difference between SSL and email certificates again here.

You can only download SSL certificates without a private key. You created the private key in step 4, using the CSR.

You can download email certificates with the private key. To do this, you need the password that you set in step 6.

If you specified a CSR in step 4, you can only download the public key here.