Strong authentication with IIS and TBS X509 Sign&Login

To use IIS with client certificate authentication, in particular for mapping certificates to a user account, you must first import the root certificate corresponding to the user certificates that will be used.

To use the TBS X509 Sign&Login certificates, the "Comodo AAA Certificate Services" certificate must be imported without a cross signature. To do so:

  1. On your server, launch the executable "mmc" (Start menu, Run, type "mmc" and OK)

  2. Click File, Add / Remove Snap-ins

  3. Choose "Certificates" and click on Add.

  4. Select "Computer Account" then "Local Computer" and Finish.

  5. Click on close and on OK.

  6. Click on the "+" next to Certificates (Local Computer)

  7. Click "+" next to "Trusted Root Certification Authorities"

  8. Right click on "Certificates"

  9. Select "All Tasks->Import..."

  10. Using the wizard, import the "Comodo AAA Certificate Services" certificate available here: Comodo AAA Certificate Services.crt

  11. Click "+" next to "Intermediate Certification Authorities"

  12. Right click on "Certificates"

  13. Select "All Tasks->Import..."

  14. Using the wizard, import the "TBS X509 CA business 2" certificate available here: TBS X509 CA business 2.crt

  15. Do the same for the intermediate certificate "USERTrust RSA Certification Authority" available here: USERTrust RSA Certification Authority.crt

Once this is done, configure the IIS site to require a client certificate and filter on it. For example, here is how to authorize every certificate issued by our TBS X509 CA Business 2 authority to connect to the site:

  1. Launch IIS through the Control Panel, Administrative Tools, IIS

  2. Right click on the website then on Properties.

  3. Go to the "Directory Security" tab.

  4. In Secure communications, click the Edit button.

  5. Select either "Accept client certificates" or "Require client certificates"

  6. Check "Enable certificate trust list" (CTL)

  7. Choose to Create or Edit an existing list.

  8. When the request to add a certificate appears, choose "Add from File" and give the file corresponding to "Comodo AAA Certificate Services" downloaded above.

To admit only certain certificates issued by our authority, you must use the certificate mapping function of IIS, which lets you select precisely which certificates are accepted.

Then, if not already done, test the access. Although in theory what has been done is sufficient, if it does not work (the certificate selection window displayed by Internet Explorer remains empty), an additional operation must be carried out: install a copy of the client certificate obtained (make a PFX export file containing the whole chain) into Internet Explorer under the server administrator account. We cannot explain what this is for, but in the end the certificate selection works after that, when it was not working initially.

Remember that, for proper functioning, the IIS server must be able to download the CRLs of every certificate in the certification chain. For that, the server must have outbound HTTP access, at least to the CRL servers:
crl.tbs-x509.com
crl.tbs-internet.com
crl.comodoca.com
crl.sectigo.com
crl.usertrust.com
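As an added example (not TBS's own script), the certificate import described above and the checks a server administrator would want afterwards, written in PowerShell for the Windows server. It assumes the three .crt files downloaded above were saved under C:\certs (an assumption) and that the PKI module (Import-Certificate) is available, as on Windows Server 2012 and later.

```powershell
# Added example: script the import steps above and verify the prerequisites.
# Run in an elevated PowerShell session on the IIS server.
# Assumption: the downloaded .crt files were saved to C:\certs.
$certDir = 'C:\certs'

# Root -> Trusted Root Certification Authorities (LocalMachine\Root),
# intermediates -> Intermediate Certification Authorities (LocalMachine\CA).
$imports = @(
    @{ File = 'Comodo AAA Certificate Services.crt';       Store = 'Cert:\LocalMachine\Root' },
    @{ File = 'TBS X509 CA business 2.crt';                Store = 'Cert:\LocalMachine\CA'   },
    @{ File = 'USERTrust RSA Certification Authority.crt'; Store = 'Cert:\LocalMachine\CA'   }
)
foreach ($item in $imports) {
    $cert = Import-Certificate -FilePath (Join-Path $certDir $item.File) -CertStoreLocation $item.Store
    Write-Host ("Imported {0} -> {1} ({2})" -f $cert.Subject, $item.Store, $cert.Thumbprint)
}

# Check 1: the root must be the self-signed copy, not a cross-signed one.
# A self-signed root has Subject equal to Issuer.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*AAA Certificate Services*' } |
    ForEach-Object {
        if ($_.Subject -ne $_.Issuer) {
            Write-Warning "Cross-signed copy in Root store: $($_.Thumbprint), issued by $($_.Issuer)"
        } else {
            Write-Host "Self-signed root OK: $($_.Thumbprint)"
        }
    }

# Check 2: outbound HTTP to the CRL servers listed above must work, otherwise
# revocation checking of the chain fails and client logins are rejected.
$crlHosts = 'crl.tbs-x509.com', 'crl.tbs-internet.com', 'crl.comodoca.com',
            'crl.sectigo.com', 'crl.usertrust.com'
foreach ($h in $crlHosts) {
    $ok = Test-NetConnection -ComputerName $h -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Host ("{0,-22} HTTP reachable: {1}" -f $h, $ok)
}

# Check 3: build the chain of the issuing CA from the stores just populated,
# with online revocation checking, exactly as IIS will have to do.
$inter = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like '*TBS X509 CA business 2*' } | Select-Object -First 1
if ($inter) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    Write-Host "Chain builds with online revocation check: $($chain.Build($inter))"
    $chain.ChainStatus | ForEach-Object { Write-Host "  $($_.Status): $($_.StatusInformation)" }
}
```

If Check 3 reports a RevocationStatusUnknown or OfflineRevocation status, the CRL servers are not reachable from the server and the IIS configuration above will not work until that is fixed.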