Dealing with the PrivacyIDEA web interface

The privacyIDEA authentication system is used at the Institute to set up 2-factor authentication for key services and to roll out KPH signed certificates for internal Institute use.

Short instructions for registration

  1. You will need a smartphone running Android or IOS and with a working camera. It is recommended to install the "PrivacyIDEA Authenticator App" by "NetKnights GmbH" from the Google Playstore or Apple App Store. Alternatives
  2. You will receive a registration email from us with the subject "KPH Authentication System Registration". Log in to the account provided and keep the email for reference - however, the one-time password is worthless after registration.
  3. After logging in, you can give your first token a description. Leave this field empty for now. Press "Enroll token".
  4. Scan the QR code that appears with your Authenticator app. If successful, press "Logout".
  5. Log in again. This time use the 6 digits displayed in the smartphone app as password. The code changes every 30 seconds. As long as you are inexperienced, it is better to wait for the code to change and then start transferring it into the password field.
  6. Select the "Token" tab in the menu bar and "All Tokens" in the left menu. In the list you should see a token "TOTP00...". Click on this token. Token details for TOTP00..." will appear.
  7. To further increase the security of your access to the authentication system, you should enter a PIN for the token. The future access password is then PIN+OTP (OneTimePassword: The 6 digits from the app). 2 or 3 letters for the PIN would be perfectly sufficient. It would be important to remember the PIN well and not to write it down anywhere. In the penultimate line of the "Token details for TOTP00..." enter the token PIN, repeat and set the PIN.
  8. Before you log out, you can test PIN and/or OTP. If your PIN consists of 3 letters, on the last line of the page, enter these 3 letters and, without spaces, the 6 digits from the app and press "Test Token".
  9. If this test was successful, you can log out. From then on, your access password will be PIN+OTP.

Short instructions for certificate creation and download

  1. Log in with PIN+OTP
  2. If you have already created a certificate, you can skip straight to point 6.
  3. Select the "Token" tab in the menu bar and "Enroll a new token" in the left menu
  4. Under "Enroll a new token", select "Certificate: Enroll an x509 Certificate Token". CA Connector "vwCA" should be preselected. Under Certificate Template, select "user". Optionally enter your name under Description and click on "Enroll Token".
  5. The certificate displayed contains only the public part of your newly created certificate. You can download this part now or later or skip this step, as the public part of the certificate is only needed in a few exceptional cases.
  6. A PKCS12 file, on the other hand, contains the private part of the certificate and should never be downloaded without a transport PIN. PKCS12 files should also never be archived, rather the files should be deleted immediately after the private part of the certificate has been made known to Adobe Reader or the email program. Please take the handling of the private part of the certificate very seriously. This is, so to speak, your proof of identity for the digital signature.
  7. To download a PKCS12 file with the private part of your certificate, select "All tokens" in the left menu and then the "CRT00...." Token in the overview.
  8. Important: Set a transport PIN. This PIN can be different for each download and is normally only needed once, e.g. to make your certificate available to your mail programme. Enter a token PIN in the second to last line, repeat the PIN and press "Set PIN".
  9. Now download the PKCS12 file via the link in the info section. Load your private certificate into Adobe Reader or your email program and delete the PKCS12 file again immediately when the transport process is complete.


Why is the procedure so complicated?

You manage nothing less than your personal digital identity in the authentication system. The procedure is not much different from procedures that are also used or at least planned at the university. Since passwords are fundamentally insecure, the KPH authentication system consistently uses 2-factor authentication.

Are there alternatives to the PrivacyIDEA Authenticator App?

TOTP, or time-based one-time passwords, can also be managed with the Google Authenticator or the Microsoft Authenticator. In the future, however, we plan to expand the use of 2-factor authentication and the PrivacyIDEA Authenticator app offers more possibilities, e.g. so-called push tokens.

I have lost my smartphone or it has been stolen. What to do?

Please send an email, from your university account, to and report the incident. We would then immediately deactivate all your tokens and then coordinate further action with you.

I forgot my PIN, deleted the token from the smartphone, got a new smartphone. What to do?

Please send an email, from your university account, to describing your problem. A PIN can be reset with administrator privileges - in all other cases the registration procedure would need to be gone through again, but apart from the TOTP, all other tokens and certificates would be retained.

Can I connect multiple smart devices to my account in the "KPH Authentication System"?

Currently, there are no plans to subsequently share the TOTP "secret" with additional devices. That would also contradict the security philosophy a bit if it were possible quite easily. I would also not quite see the point of transferring the QR code to several of your own devices with the Authenticator app when registering, but that would still be tolerable. On the other hand, photographing the QR code or saving the link outside an authentication app would be considered misuse and a deliberate threat to KPH's IT security. Please do not do this.

Where do I store my public certificate?

You can recognise the public part of your certificate by the extension ".pem". There are only a few applications for this file, as the public part of your certificate is usually transferred automatically with your digital signature. Since it is a public key, you do not need to protect this part and can also send it to colleagues as an attachment to an email, for example.

Where do I store my private certificate?

Under no circumstances should you make copies of your private certificate - not on USB sticks, not on external disks, nowhere. You can recognise the private part of your certificate by the extension ".p12" and it is stored in PKCS12 format. The instructions above describe how to generate your private certificate and provide it with a transport PIN for download. After you have transferred your certificate to an application, e.g. Thunderbird or Acrobat, the ".p12" file should be deleted again immediately. If you need your certificate again on other devices or at a later date, you can request a new download in the "KPH Authentication System". Please do not treat your digital identity lightly.