Geral

  • 1. How does one install the digital certificate?

    The way to install your digital certificate depends on its format and type:

    • USB Token - see the manual at https://suporte.multicert.com/usb
    • Smartcard - see the manual at https://suporte.multicert.com/cartao
    • File
      • SSL/TLS Certificate – See the manual: I have received an email with my SSL/TLS certificate as an attachment, and now? How do I install the SSL/TLS Certificate?
      • Other type of digital certificate - See the manual: I have received an email with my certificate for Application/Electronic invoicing/Code signing as an attachment. And now? How may I start using it?
  • 2. How is MS Outlook configured?

    The following instructions are related to versions 2010 and 2013 of MS Outlook.

     

    • Access the menu "File" and select the option “Options”
    • In the window "Outlook option" you shall select the option “Trust Center” on the left and then press the button "Trust Center Settings…"
    • In the window "Trust Center” you shall select the option “E-mail Security”
    • In the section "Encrypted e-mail" you shall press the button [Settings...]
    • In the window "Change Security Settings" you shall fill in the fields:
      • "Security Settings Name" – A name associated to your account (for example, your name)
      • "Signing certificate:" – Press the button [Choose...] and select your certificate, whose associated email has to be the same as that of the email account in which you are performing the configuration
      • Hash Algorithm - SHA1
      • Encryption certificate – Press the button [Choose...] and select your certificate. If it is a qualified digital certificate, it will not appear as an option because this is not proper to encrypt information.
      • Encryption Algorithm - 3DES
    • Send these certificates with signed messages – Select this option in order to send your certificate as an attachment, every time you send a signed message. Thus, the recipients of your signed emails have your certificate installed (public part) and may send you encrypted messages using your certificate.
    • Press the button [Ok]

     

    With this step, you have associated the certificate to your email account. At this point, the email client is ready to send signed emails and receive encrypted emails whenever he wants. To learn how to send a signed/encrypted message you shall see the article Sending signed messages through email client.

  • Which password shall I use to decompress the software for installing the smartcard?

    The password is available on the accompanying letter, which you received with your smartcard.

File

  • 3. I have received an email with my certificate for Application/Electronic invoicing/Code signing as an attachment. And now? How may I start using it?

    A .ZIP file is sent as an attachment to the email that you received, containing: the public part of your application digital certificate and the certification chain.

    To get a .p12 or .PFX file, in order to be able to install the certificate wherever you want, you shall:

    • Gather the three files that you have received by email and the private key created when you generated the .CSR file which you uploaded to Multicert’s web interface (.KEY file)
    • If you do not have the OpenSSL application installed, download it from https://slproweb.com/products/Win32OpenSSL.html and install it
    • Create a new text document
    • Open the file "MULTICERT - Entidade de Certificacao 002.cer", with Wordpad or VI and, at the end, add a line. Save with the name cadeia.pem
    • Open the file "Baltimore CyberTrust Root.cer", with Wordpad or VI
    • Copy the content of the file "Baltimore CyberTrust Root.cer" to the end of the  cadeia.pem and save it
    • Execute following command, replacing the names ficheiro.key and ficheiro.cer by the names of your files: openssl pkcs12 -export -inkey ficheiro.key -in ficheiro.cer -out ficheiro.p12 -certfile cadeia.pem
    • If needed, save the .p12 file as .pfx file.
  • 4. I have received the .cer files and need to create a .pfx file

    A .zip file is sent as an attachment to the email that you received, containing: the public part of your application digital certificate and the certification chain.

    To get a .p12 or .pfx file, in order to be able to install the certificate wherever you want, you shall:

    • Gather the three files that you have received by email and the private key created when you generated the .csr file which you uploaded to Multicert’s web interface (.key file)
    • If you do not have the OpenSSL application installed, download it from https://slproweb.com/products/Win32OpenSSL.html and install it
    • Create a new text document
    • Open the file "MULTICERT - Entidade de Certificacao 002.cer", with Wordpad or VI and, at the end, add a line. Save with the name cadeia.pem
    • Open the file "Baltimore CyberTrust Root.cer", with Wordpad or VI
    • Copy the content of the file "Baltimore CyberTrust Root.cer" to the end of the pem and save it
    • Execute following command, replacing the names key and ficheiro.cer by the names of your files: openssl pkcs12 -export -inkey ficheiro.key -in ficheiro.cer -out ficheiro.p12 -certfile cadeia.pem
    • If needed, save the .p12 file as .pfx file.
  • 5. I have received an email with my SSL/TLS certificate as an attachment, and now? How do I install the SSL/TLS Certificate?

    Depending of your web server, the installing procedure may vary. Select your web server:

    1. IIS6
      1. In the Properties window click on the tab “Directory Security" (1) and, in section “Secure Communications", click the button "Server Certificate…" (2).
      2. InInternet Information Server (IIS) right click on the site to which you want to associate the Certificate (1) and select "Properties" (2).
      3. The Wizard window will be displayed, where you shall select "Process the pending request and install the certificate’" (1) and click “Next>” (2).
      4. In “Path and file name” (1) indicate the directory where you saved the Certificate sent by Multicert and click “Next>” (2).
      5. In the SSL port field (1) specify the chosen port, which is usually 443. Press the button “Next>” (2).
         
      6. The parameters of the Certificate chosen to install are then presented. If the data is correct press the button “Next>” (1) and, in the following window, press the button “Finish” to complete the installation of your Web Server Certificate.  
    2. IIS7

      1. On Windows, go to “Start” > “Programs” > “Administrative Tools” and choose the option “Internet Services Manager” to open the Internet Information Server (IIS)
      2. On the left tab, in “Connections”, click on the corresponding server (1) and on the central tab double-click “Server Certificates” (2).
      3. On the right tab, in Actions, press “Create Certificate Request” (1).
      4. In the window "Complete Certificate Request" (1) indicate the location in which the Certificate is saved and, in the field "Friendly name” (2), give it a friendly name so that you can easily identify it. Press "OK” (3).
      5. On the left tab, in "Connections", select the corresponding server (1) and the site where you want to install the certificate (2).
      6. On the right tab, in "Actions", click on "Bindings" (1).
      7. In the window "Site Bindings" is where you are going to associate the Certificate with the website. Click on the button "Add" (1), fill in the following fields and, at the end, press "OK” (6):
        1. In "Type” (2) select "https”
        2. In "IP Address” (3) fill in your site IP or leave as "All Unassigned”
        3. In "Port” (4) enter the port for the SSL connection of this site (the SSL default port is 443)
        4. In "SSL Certificate” (5) select the Certificate which you have just installed on the server (visible through the friendly name you have assigned)
      8. Your certificate was installed and configured successfully. Restart your IIS server to complete the installation.
      9. In the window “Cryptographic Service Provider Properties”, in the field “Cryptographic Service Provider” (1) you shall select “Microsoft RSA Schannel Cryptographic Provider” and 2048 bits as the key length in the field “Bit length” (2). At the end click on “Next” (3).
      10. Finally, you shall define the name for the Certificate request, as well as choosing where you want to save it and press “Finish” (1) to complete the CSR generation.
      11. If you do not know how to install the CSR file using IIS7, see our installation manual.
    3. IIS8

      1. On Windows, go to “Start” > “Programs” > “Administrative Tools” and choose the option “Internet Services Manager” to open the Internet Information Server (IIS8).
      2. On the left tab, in “Connections”, click on the corresponding server (1) and on the central tab double-click “Server Certificates” (2).
      3. On the right tab, in “Actions”, click on “Create Certificate Request” (1).
      4. In the window "Complete Certificate Request" indicate the location in which the Certificate is saved (1) and, in the field "Friendly name” (2), give it a friendly name so that you can easily identify it. Press "OK” (3).
      5. On the left tab, in "Connections", select the corresponding server (1) and the site where you want to install the certificate (2).
      6. On the right tab, in "Actions", click on "Bindings" (1).
      7. In the window "Site Bindings" is where you are going to associate the Certificate with the website. Click on the button "Add" (1), fill in the following fields and, at the end, press "OK” (7):
        1. In "Type” (2) select "https”
        2. In "IP Address” (3) fill in your site IP or leave as "All Unassigned”
        3. In "Port” (4) enter the port for the SSL connection of this site (the SSL default port is 443)
        4. In “Host name” (5) define the name of the site
        5. In "SSL Certificate” (6) select the Certificate which you have just installed on the server (visible through the friendly name you have assigned)
      8. Your certificate was installed and configured successfully. Restart your IIS server to complete the installation.

Token USB

  • 7. What shall I do to be able to use my Certificate on Mozilla Firefox?

    To be able to use your Digital Certificate on Mozilla Firefox, and although you have already installed it properly on your computer and can see it perfectly on Internet Explorer, you will have to install it on Mozilla Firefox as well.

    1. Confirm that your card reader or USB token is not connected to your computer.
    2. On Mozilla Firefox, access the menu "Tools” (1) and select "Options” (2).
    3. Select the tab "Advanced” (1) and press the button "Security Devices” (2).
    4. In the window “Device Manager”, press the button "Load” (1) on the right. In the window "Load PKCS#11 device” you shall press the button "Browse...” (2)
      1. If you are using an USB token, select the file c:\WINDOWS\system32\etpkcs11.dll and click "OK” (3)
      2. If you are using a smartcard, select the file C:\Program Files\Gemalto\Classic Client\BIN\gclib.dll or C:\Program Files (x86)\Gemalto\Classic Client\BIN\gclib.dll . On MacOS, the file can be found at /usr/lib/ClassicClient/libgclib.dylib
    5. Finally, connect the USB token to your computer or insert your smartcard in the card reader to be able to use your Digital Certificate on Mozilla Firefox..
  • 8. I have updated my operating system to Windows 10 and my Certificate is not being displayed in the list of certificates to use when I try to use it. What shall I do?
    1. Try to uninstall Safenet Authentication Client
      1. Go to “Control Panel” > "Programs” >  "Programs and Features” and search the “Safenet Authentication Client”
      2. Right-click on the option “Uninstall”
    2. If error 1721 is displayed, download the software available on the Microsoft website, at http://go.microsoft.com/?linkid=9779673
    3. Execute the downloaded file as administrator (by right-clicking the executable and selecting "Run as administrator")
    4. Press the button “Accept”

          5. Wait a few moments until the following image is displayed (before, other windows can be displayed)

          6. Press the button “Detect problemsand let me select the fixes to apply”

          7. Wait a few moments, until the window in the following picture is displayed (before, other windows can be displayed)

                                                         Figure 9

          8. Press the button “Uninstall”

          9. Wait a few moments, until the following window is displayed (before, other windows can be displayed)

          10. Select the line concerning “Safenet Authentication Client” – the number of the version may vary

          11. Press the button “Next”

          12. In the next window, click on the option “Yes, try uninstall”

          13. In the following window, press the button “Next"

          14. In the following, press “Next” again

          15. In the window similar to the one below, select “Yes, the problem has been fixed” and click on “Next”

           16. In the following window, press “Close”

           17. You shall now follow the steps at https://suporte.multicert.com/usb

     

  • 9. My Certificate is not being displayed in the list of certificates to use when I try to use it. What shall I do?

    Sometimes, when you try to use your Digital Certificate to authenticate yourself in a website or to sign data, it may not be presented as an option to select on Internet Explorer, or program which you are using, even if you have your smartcard inserted in the card reader or the USB token inserted in the USB port of your computer.

    1. Open Internet Explorer and go to "Tools” > "Internet Options” > "Content” (1) and press the button "Certificates" (2).
    2. If in the window "Certificates”, on the tab "Personal” (1), the holder’s name is not presented (2) and the expiration date of the Certificate (3), as exemplified on the image, you shall:

      1. Certificate in USB token – validate if you are using a USB port which works well, or confirm if the USB token is well inserted in a USB port.
    3. If you still do not find your Certificate, you shall:
      1. Verify if there is a white circle with a red "S" in the middle, next to your computer’s clock
      2. If it is not there, on your Windows go to "Start”, choose "All programs” and select the option "SafeNet” >"Safenet Authentication Client”
    4. If your Certificate still does not appear, it is possible that you do not have the software for your cryptographic token correctly installed. To reinstall it, you shall:
      1. On Windows, go to "Control Panel” > "Add or Remove Programs” / "Programs ad Features”
      2. Select the software Safenet authentication Client Tool, from Safenet, and click on Uninstall
      3. Restart your computer
      4. Follow the instructions provided at https://suporte.multicert.com/usb
    5. If on the tab "Personal” of the "Certificates” window is displayed the holder’s name and expiration date of the Certificate:
      1. Verify if your Certificate is still valid, i.e., if the date presented is prior to the current date. If your Certificate has already expired, you will have to Renew it.
      2. Double-click on the Certificate holder’s name to open the details window of the "Certificate”. Click on the tab "Certification path" (1) and verify if you have three levels, as illustrated in the figure:
      3.  
        1. Baltimore CyberTrust Root (2)
        2. MULTICERT –Entidade de Certificação 001 or MULTICERT - Entidade de Certificação 002 (3)
        3. Name of the holder of the Certificate (4)
      4. If only the Certificate holder’s name is displayed, you will have to install the two missing Certificates. For that:
        1. Access to http://pki.multicert.com/cert/MULTICERT_CA/mca_001.cer or http://pki.multicert.com/cert/MULTICERT_CA/mca_002.cer . The download of the Certificate will start automatically. To install it on Internet Explorer double-click on the downloaded file, press the button "Open” and, finally, press the button "Install certificate…”.
        2. The download of the Certificate will start automatically. To install it on Internet Explorer double-click on the downloaded file, press the button "Open” and, finally, press the button "Install certificate…”.
  • 10. How to install my digital certificate?

    The way to install your digital certificate depends on the format in which it was provided and its type: USB Token – see manual at https://suporte.multicert.com/usb

Smartcard

  • 11. What shall I do to be able to use my Certificate on Mozilla Firefox?

    To be able to use your Digital Certificate on Mozilla Firefox, and although you have already installed it properly on your computer and can see it perfectly on Internet Explorer, you will have to install it on Mozilla Firefox as well.

    1. Confirm that your card reader or USB token is not connected to your computer.
    2. On Mozilla Firefox, access the menu "Tools” (1) and select "Options” (2).
    3. Select the tab "Advanced” (1) and press the button "Security Devices” (2).
    4. In the window “Device Manager”, press the button "Load” (1) on the right. In the window "Load PKCS#11 device” you shall press the button "Browse...” (2)
      1. If you are using an USB token, select the file c:\WINDOWS\system32\etpkcs11.dll and click "OK” (3)
      2. If you are using a smartcard, select the file C:\Program Files\Gemalto\Classic Client\BIN\gclib.dll or C:\Program Files (x86)\Gemalto\Classic Client\BIN\gclib.dll . On MacOS, the file can be found at /usr/lib/ClassicClient/libgclib.dylib
    5. Finally, connect the USB token to your computer or insert your smartcard in the card reader to be able to use your Digital Certificate on Mozilla Firefox..
  • 12. My Certificate is not being displayed in the list of certificates to use when I try to use it. What shall I do?

    Sometimes, when you try to use your Digital Certificate to authenticate yourself in a website or to sign data, it may not be presented as an option to select on Internet Explorer, or program which you are using, even if you have your smartcard inserted in the card reader or the USB token inserted in the USB port of your computer.

    1. Open Internet Explorer and go to "Tools” > "Internet Options” > "Content” (1) and press the button "Certificates" (2).
    2. If in the window "Certificates”, on the tab "Personal” (1), the holder’s name is not presented (2) and the expiration date of the Certificate (3), as exemplified on the image, you shall:

      1. Certificate in smartcard – validate if the cryptographic card is well inserted in the reader, or if the card reader is correctly connected to the computer.
    3. If you still do not find your Certificate, you shall:
      1. On Windows go to "Start”, choose "All programs” and select the option "Gemalto” >"Classic Client ToolBox”
      2. On the left side of the window, select the section "Card Contents” (1)
      3. On the upper-right corner enter the user PIN of the card and press the button "Login” (2)
      4. On the bottom right corner, press the button "Register all” (4)
      5. Verify if your Certificate already appears on Internet Explorer
    4. If your Certificate still does not appear, it is possible that you do not have the software for your cryptographic token correctly installed. To reinstall it, you shall:
      1. On Windows, go to "Control Panel” > "Add or Remove Programs” / "Programs and Features”
      2. Select the software Classic Client 6.1 Patch 3, and click on Uninstall
      3. Restart your computer
      4. Follow the instructions provided at https://suporte.multicert.com/cartao
    5. If on the tab "Personal” of the "Certificates” window is displayed the holder’s name and expiration date of the Certificate:
      1. On Windows, go to "Control Panel” > "Add or Remove Programs” / "Programs and Features”
      2. Double-click on the Certificate holder’s name to open the details window of the "Certificate”. Click on the tab "Certification path" (1) and verify if you have three levels, as illustrated in the figure:
        1. Baltimore CyberTrust Root (2)
        2. MULTICERT –Entidade de Certificação 001 or MULTICERT - Entidade de Certificação 002 (3)
        3. Name of the holder of the Certificate (4)
      3. If only the Certificate holder’s name is displayed, you will have to install the two missing Certificates. For that:
        1. Access to http://pki.multicert.com/cert/MULTICERT_CA/mca_001.cer or http://pki.multicert.com/cert/MULTICERT_CA/mca_002.cer . The download of the Certificate will start automatically. To install it on Internet Explorer double-click on the downloaded file, press the button "Open” and, finally, press the button "Install certificate…”.
        2. The download of the Certificate will start automatically. To install it on Internet Explorer double-click on the downloaded file, press the button "Open” and, finally, press the button "Install certificate…”.
  • 13. How to install my digital certificate?

    The way to install your digital certificate depends on the format in which it was provided and its type: