Setting up access to the OTE system
Access to the production and testing CS OTE environment
| Description | Files |
|---|---|
|
In the attached file you will find the procedure for configuring Mozilla Firefox, Google Chrome or Microsoft Edge browsers with a hardware certificate stored on a USB token or smart card. |
|
|
Production environment Testing environment |
|
|
Video tutorial for installing OTE PKI Component 32/64 bit |
Video tutorial for installing OTE PKI Component New: Video tutorial for installing OTE PKI Component (Czech only) |
|
Video tutorial for uninstalling/reinstalling OTE PKI Component |
Video návod k reinstalaci/odinstalování OTE PKI komponenty (Czech only) |
|
Video tutorial for setting up local certificate storage |
|
|
Manual for reinstallation/uninstallation of the component |
Manual for reinstallation and version verification of OTE PKI components |
|
Video tutorial: guide to exporting the private part of a certificate (.PFX or .P12) from the computer where the electronic signature is installed |
Video tutorial: exporting the private part of a certificate from a computer (Czech only) |
|
Setting up local certificate storage in Windows |
Local Storage Setup Manual |
|
Manual for exporting the public part of a certificate and registering it in CS OTE |
Certificate export and registration New: Certificate export and registration (Czech only) |
|
Setting up local certificate storage in Apple macOS |
Setting up local certificate storage in Apple macOS (Czech only) |
|
Manual for setting up Apple macOS computers for access to the CS OTE system |
Apple macOS setup (Czech only) |
Explanation of access settings
The OTE system supports two ways to log in to the system:
- Local storage with certificates
- OTE PKI component
Local certificate storage is intended for users who have a certificate installed on their device/PC and it is exportable (i.e. they have a backup of the certificate in .pfx or .p12 format).
It can be set up in any web browser and works by matching the private part of the certificate to the local store. It is also designed for setting up/pairing the POZE or VDT Electricity/Gas mobile application.
The local certificate store can be set up in any web browser and operating system.
The OTE PKI component is intended for users who have a certificate on a smart card, token, or do not have an exportable certificate. The component needs to be downloaded, installed and then paired with a web browser.
Once paired, the component will mediate all the certificates you have on your device/PC and allow seamless access to the OTE system.
However, the component must always be installed and running. If it is switched off/uninstalled, the component will also be unpaired and access will not work.
The component is designed for Windows operating system only.
| Description | Common for both production and testing environments |
|---|---|
|
Signing OTE PKI component for 64bit, latest version 2.10 |
Signing OTE PKI component for 64bit |
|
Signing OTE PKI component for 32bit for legacy systems Notice: this version is no longer actively maintained or updated. It is recommended to use the 64-bit version of OTE PKI Client instead. |
Signing OTE PKI component for 32bit |
If you have been instructed to update the PKI component to the latest version, you can check the currently installed version in:
Start menu - Add or remove programs - find OtePkiClient in the list and check the version there.
Communication with CS OTE is carried out
A. via web interface
B. via secure email
C. via automated communication
| Description | Common for both production and testing environments |
|---|---|
|
Signing OTE PKI component for 64bit, latest version 2.10 |
Signing OTE PKI component for 64bit |
|
Signing OTE PKI component for 32bit for legacy systems |
Signing OTE PKI component for 32bit |
| License agreement for the OTE PKI Client signing component software application | License agreement.pdf (Czech only) |
| License agreement for the OTE LauncherManager and OTECOM software applications | License agreement.pdf (Czech only) |
| Description | Production environment | Testing environment (Sandbox) |
|---|---|---|
|
1. This certificate is used to encrypt S/MIME messages sent by a participant to the production environment address - csote@csote.ote-cr.cz or to the testing environment address - cds@cds.sand.ote-cr.cz. The user assigns it to the recipient contact - CS OTE. |
This certificate is valid until 06.06.2026 This certificate is valid from 20.05.2026 |
This certificate is valid until 06.06.2026 This certificate is valid from 20.05.2026 |
|
This certificate is used to encrypt S/MIME messages sent by a participant to the Isotetest testing environment address csote@csote.isotetest.ote-cr.cz. The user assigns it to the recipient contact - CS OTE. |
||
|
2. Instructions for setting up email clients for sending/receiving encrypted messages to/from CS OTE: MS Outlook 2016 |
MS Outlook 2007 (Czech only) MS Outlook 2016 (Czech only) |
|
| Description | Production environment | Testing environment (Sandbox) |
|---|---|---|
| 1. Form for obtaining data for automated communication setup (SOAP). |
SOAP communication form.doc (Czech only) |
TEST SOAP communication form.doc (Czech only) |
|
2. SSL certificate of the communication server (Let's Encrypt), used for SSL/TLS encryption when your system/application is a web services client. These certificates are renewed automatically; therefore, we recommend verifying communication against the Let's Encrypt certificate authority chain. |
||
|
2. Root authorities for the new SSL certificate of the communication server (Let's Encrypt) |
Let's Encrypt root certificates | |
|
3. The attached certificate is intended for the electronic seal of messages and data sent from CS OTE to the participant. Unless special settings required by the processing software are needed on the participant's side, it does not need to be registered. This certificate is also used for electronic seals of EZP and invoices. |
||
|
4. For securing web services (BinarySecurityToken for WS-Security) and for TLS authentication in the OTE -> participant direction. |
This certificate is valid until 23.05.2029 |
This certificate is valid until 06.06.2026 This certificate is valid from 04.06.2026 15:00 |
| Manual for using certificates in automated communication (server-server communication and client-server communication) and email communication |
Use of certificates for automated communication with CS OTE.docx - updated 03.05.2023 |
|
| Description | Electronic seal for download |
|---|---|
|
CS OTE |
This certificate is valid until 04.09.2026 |
|
Emission Allowances |
This certificate is valid until 04.09.2026 |
|
Guarantees of Origin Register |
This certificate is valid until 04.09.2026 |
|
Invoicing |
This certificate is valid until 06.09.2026 |
|
Sandbox |
This certificate is valid until 04.09.2026 |
All messages and documents issued by OTE that are currently electronically sealed are sealed using qualified certificates for electronic seals pursuant to Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions and Act No. 297/2016 Coll., on trust services for electronic transactions.