Translations of this page:

User Tools

Site Tools



With aid of a X.509 certificate, you can sign and encrypt files.

Certificate Management-Software

First, you need to install a proper certificate management software on your computer. Here, the software called “Kleopatra” would be suitable, for example. Kleopatra is a free (in the sense of freedom), open source and free of charge software.

  • When using Windows, Kleopatra is part of a so-called “Gpg4win” package, which is appropriate for “…the encryption and signing of e-mails, files and folders within Windows”. Download the Gpg4win package here. If you like to, you can donate to Gpg4win, but you can also start the download by selecting “0€”. Install Gpg4win on your computer. You can accept all the default values.
  • When using Linux, install the package “kleopatra” with aid of the integrated software management.

Set-Up of the Software for X.509 Certificates

Certification Chains

At first, you will need to import the two complete certification chains of DFN-PKI for the Jade University in Kleopatra. The necessary files can be found in the network system of computers within the university campus and via WebFiler from outside.

  • JADE-HS - Daten (X:) / HRZ-Support / Zertifikatsdienste (ENG: „ JADE-HS - Data (X:) / University Computing Centre Support / Certification Services“)

To do so, import the following files from the Kleopatra menu item „Datei / Importieren“ (ENG: „File / Import“) in the given order.

  • In the sub-folder DFN-Global-G1:
    • Deutsche_Telekom_Root_CA_2-19990709.der
    • DFN-Verein_PCA_Global_-_G01-20140722.der
    • HS-WOE_CA_-_G01-20140605.der
  • In the sub-folder DFN-Global-G2:
    • T-Telesec_GlobalRoot_Class_2-20081001.der
    • DFN-Verein_Certification_Authority_2-20160222.der
    • DFN-Verein_Global Issuing_CA-20160524.der

At the end, close all tabs with the name „Importierte Zertifikate“ (ENG: „Imported Certificates“). Only keep the tab „Alle Zertifikate“ (ENG: „All Certificates“) opened.

Certificate Revocation Lists

At the moment, certificate revocation lists are not being supported. This is why you need to deactivate the check:

  • Select the group „S / MIME-Prüfung“ (ENG: „S / MIME-Check“) in the Kleopatra menu entry „Einstellungen / Kleopatra einrichten…“ (ENG: „Settings / Set Up Kleopatra…“).
  • Click on the checkbox “Nie Sperrlisten zu Rate ziehen” (ENG: „Do not console revocation lists ever“) and, afterwards, on the button “OK”.

User Certificate

In the further course, you need to import your X.509 certificate with aid of your certificate file, which has been created under backup:

Therefore, import the certificate file created under backup by going to the Kleopatra menu item „Datei / Importieren“ (ENG: „File / Import“). In the course of the import-dialogue, the window „pinentry“ asks you to type in a passphrase. A passphrase is the password you have already typed in under backup (it is possible that you will be asked to type in your password two more times).

Public User Certificates

In case you would like to encrypt files or e-mails for other persons, you must have the public user certificates of your recipient, which are necessary for encryption. You will also have to import them in Kleopatra.

After set-up, the main window of Kleopatra is supposed to look something like this:

Sign / Encrypt File

Now you can sign and / or encrypt files in Kleopatra:

  • Click on the Kleopatra menu item „Datei / Signieren/Verschlüsseln…“ (ENG: „File / Sign/Encrypt“) and select the file that is wished to be signed / encrypted.
    • Verify authenticity (sign).
      • Select the checkbox „Signieren als:“ (ENG: „Sign as:“).
      • Click on the button “Signieren” (ENG: „Sign“).
      • You will be asked to type in your passphrase in the window “pinentry”. Type in your certificate password here.
      • Next to the file that needs to be signed, there will appear another file with the same name plus the adjunct
        • p7s when it is an X.509 certificate (the signed file is in the PKCS#7 format)
      • You must keep the original file and the signature file in the exact same folder.
    • Encrypt:
      • Select the checkbox „Für mich verschlüsseln“ (ENG: „Encrypt for me“), if you want to encrypt the file for yourself.
      • Select the checkbox „Für andere verschlüsseln“ (ENG: „Encrypt for others“), if you want to encrypt the file for other people. To do so, you need to import the public certificate of the respective user as described above and select it here.
      • Click on the button “Verschlüsseln” (ENG: „Encrypt“).
      • Next to the file that needs to be signed there will appear another file with the same name plus the adjunct
        • .p7m when it is a X.509 certificate (the signed file is in the PKCS#7 format)

Check / Decrypt File

Now you can check files in Kleopatra for valid signatures and / or decrypt them:

  • Therefore, click on the Kleopatra menu item „Datei / Entschlüsseln/Überprüfen…“ (ENG: „Encrypt/Check File“).
    • Check:
      • Select the signature file (with the ending .p7s).
    • Decrypt:
      • Select the signed file (with the ending .p7m).
  • A notification window will pop up and indicate the status of the signature / decryption.