Setting up access to the OTE system

 


Access to the production and testing CS OTE environment

Access to CS OTE via web browser
Description Files

In the attached file you will find the procedure for configuring Mozilla Firefox, Google Chrome or Microsoft Edge browsers with a hardware certificate stored on a USB token or smart card.

PC Configuration for accessing CS OTE

Production environment

Testing environment

https://portal.ote-cr.cz/

https://portal.sand.ote-cr.cz/

Video tutorial for installing OTE PKI Component 32/64 bit

Video tutorial for installing OTE PKI Component

New: Video tutorial for installing OTE PKI Component (Czech only)

Video tutorial for uninstalling/reinstalling OTE PKI Component

Video návod k reinstalaci/odinstalování OTE PKI komponenty (Czech only)

Video tutorial for setting up local certificate storage

Video tutorial for setting up local certificate storage

Manual for reinstallation/uninstallation of the component

Manual for reinstallation and version verification of OTE PKI components

Video tutorial: guide to exporting the private part of a certificate (.PFX or .P12) from the computer where the electronic signature is installed

Video tutorial: exporting the private part of a certificate from a computer (Czech only)

Setting up local certificate storage in Windows

Local Storage Setup Manual

Manual for exporting the public part of a certificate and registering it in CS OTE

Certificate export and registration

New: Certificate export and registration (Czech only)

Setting up local certificate storage in Apple macOS

Setting up local certificate storage in Apple macOS (Czech only)

Manual for setting up Apple macOS computers for access to the CS OTE system

Apple macOS setup (Czech only)

Explanation of access settings

The OTE system supports two ways to log in to the system:

  • Local storage with certificates
  • OTE PKI component

Local certificate storage is intended for users who have a certificate installed on their device/PC and it is exportable (i.e. they have a backup of the certificate in .pfx or .p12 format).

It can be set up in any web browser and works by matching the private part of the certificate to the local store. It is also designed for setting up/pairing the POZE or VDT Electricity/Gas mobile application.

The local certificate store can be set up in any web browser and operating system.


The OTE PKI component is intended for users who have a certificate on a smart card, token, or do not have an exportable certificate. The component needs to be downloaded, installed and then paired with a web browser.

Once paired, the component will mediate all the certificates you have on your device/PC and allow seamless access to the OTE system.

However, the component must always be installed and running. If it is switched off/uninstalled, the component will also be unpaired and access will not work.

The component is designed for Windows operating system only.

OTE PKI signing component
Description Common for both production and testing environments

Signing OTE PKI component for 64bit, latest version 2.10

Signing OTE PKI component for 64bit

Signing OTE PKI component for 32bit for legacy systems

Notice: this version is no longer actively maintained or updated.

It is recommended to use the 64-bit version of OTE PKI Client instead.

Signing OTE PKI component for 32bit

If you have been instructed to update the PKI component to the latest version, you can check the currently installed version in:

Start menu - Add or remove programs - find OtePkiClient in the list and check the version there.

Communication with CS OTE is carried out

  A.   via web interface

  B.   via secure email

  C.   via automated communication

 

A. Access to CS OTE via web browser
Description Common for both production and testing environments

Signing OTE PKI component for 64bit, latest version 2.10

Signing OTE PKI component for 64bit

Signing OTE PKI component for 32bit for legacy systems

Signing OTE PKI component for 32bit
License agreement for the OTE PKI Client signing component software application License agreement.pdf (Czech only)
License agreement for the OTE LauncherManager and OTECOM software applications License agreement.pdf (Czech only)

B. Sending/receiving messages to/from CS OTE via secure email
Description Production environment Testing environment (Sandbox)

1. This certificate is used to encrypt S/MIME messages sent by a participant to the production environment address - csote@csote.ote-cr.cz or to the testing environment address - cds@cds.sand.ote-cr.cz.

The user assigns it to the recipient contact - CS OTE.

CS OTE S/MIME OLD

This certificate is valid until 06.06.2026

CS OTE S/MIME NEW

This certificate is valid from 20.05.2026

CS OTE S/MIME TEST OLD

This certificate is valid until 06.06.2026

CS OTE S/MIME TEST NEW

This certificate is valid from 20.05.2026

This certificate is used to encrypt S/MIME messages sent by a participant to the Isotetest testing environment address csote@csote.isotetest.ote-cr.cz.

The user assigns it to the recipient contact - CS OTE.

 

CS OTE S/MIME ISOTETEST

2. Instructions for setting up email clients for sending/receiving encrypted messages to/from CS OTE:
MS Outlook 2007
MS Outlook 2010

MS Outlook 2016

MS Outlook 2007 (Czech only)
MS Outlook 2010 (Czech only)

MS Outlook 2016 (Czech only)


C. Automated communication with the CS OTE system via SOAP web services
Description Production environment Testing environment (Sandbox)
1. Form for obtaining data for automated communication setup (SOAP).

SOAP communication form.doc (Czech only)

TEST SOAP communication form.doc (Czech only)

2. SSL certificate of the communication server (Let's Encrypt), used for SSL/TLS encryption when your system/application is a web services client.

These certificates are renewed automatically; therefore, we recommend verifying communication against the Let's Encrypt certificate authority chain.

   

2. Root authorities for the new SSL certificate of the communication server (Let's Encrypt)

Let's Encrypt root certificates

Let's Encrypt root certificates

3. The attached certificate is intended for the electronic seal of messages and data sent from CS OTE to the participant. Unless special settings required by the processing software are needed on the participant's side, it does not need to be registered. This certificate is also used for electronic seals of EZP and invoices.

CS OTE

CS OTE Sandbox

4. For securing web services (BinarySecurityToken for WS-Security) and for TLS authentication in the OTE -> participant direction.

CS OTE NEW

This certificate is valid until 23.05.2029

CS OTE TEST OLD

This certificate is valid until 06.06.2026

CS OTE TEST NEW

This certificate is valid from 04.06.2026 15:00

Manual for using certificates in automated communication (server-server communication and client-server communication) and email communication

Use of certificates for automated communication with CS OTE.docx - updated 03.05.2023


Electronic seals
Description Electronic seal for download

CS OTE

CS OTE

This certificate is valid until 04.09.2026

Emission Allowances

Emission Allowances

This certificate is valid until 04.09.2026

Guarantees of Origin Register

EZP

This certificate is valid until 04.09.2026

Invoicing

Invoicing

This certificate is valid until 06.09.2026

Sandbox

Sandbox

This certificate is valid until 04.09.2026


All messages and documents issued by OTE that are currently electronically sealed are sealed using qualified certificates for electronic seals pursuant to Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions and Act No. 297/2016 Coll., on trust services for electronic transactions.