Strong authentication with IIS and TBS X509 Sign&Login

To use IIS with client certificate authentication, and in particular to map certificates to a user account, you must first import the root certificate from which the user certificates that will be used are issued.

To use TBS X509 Sign & Login certificates, you must import the self-signed "USERTrust RSA Certification Authority" root certificate (the version without cross-signature). To do so:

  1. On your server, launch executable "mmc" (Start menu, Run, type "mmc" and OK).

  2. Click on File, "Add/Remove Snap-in...".

  3. Choose "Certificates" and click on Add.

  4. Select "Computer Account" then "Local Computer" and Finish.

  5. Click on close and on OK.

  6. Click "+" next to "Certificates (Local Computer)"

  7. Click "+" next to "Trusted Root Certification Authorities"

  8. Right click on "Certificates"

  9. Select "All Tasks->Import..."

  10. Using the wizard, import the "USERTrust RSA Certification Authority" certificate available here:
    USERTrust RSA Certification Authority.crt

  11. Click "+" next to "Intermediate Certification Authorities"

  12. Right click on "Certificates"

  13. Select "All Tasks->Import..."

  14. Using the wizard, import the "TBS X509 CA persona 2" certificate available here: TBS X509 CA persona 2.crt

Once this is done, configure the IIS site to require a certificate and filter on it. The following example authorizes every certificate issued by our authority TBS X509 CA Persona 2 to connect to the site.

  1. Launch IIS through the Control Panel, Administrative Tools, IIS

  2. Right click on the website then on Properties.

  3. Go to the "Directory Security" tab.

  4. In Secure communications, click the Edit button.

  5. Select either "Accept client certificates" or "Require client certificates"

  6. Choose "Enable certificate trust list" (CTL).

  7. Choose "Create or Edit an existing list".

  8. When the request to add a certificate appears, choose "Add from File" and give the file corresponding to "USERTrust RSA Certification Authority" downloaded above.

To admit only some of the certificates issued by our authority, you must use the certificate mapping function of IIS, which lets you select the admitted certificates one by one.

If it is not already done:

Then test the access. Although in theory what has been done is sufficient, if it does not work (the certificate selection window displayed by IE remains empty), an additional operation must be carried out: install a copy of the client certificate obtained (make a PFX export file containing the whole chain) in Internet Explorer under the server administrator account. We cannot explain why this is needed, but after this operation the certificate selection works when it did not initially.

Remember that for proper functioning, the IIS server must be able to download the CRLs of the certificates in the certification chain. To do this, the server needs outbound HTTP access, at least to the CRL servers:

crl.tbs-x509.com
crl.tbs-internet.com
crl.comodoca.com
crl.comodo.net
crl.usertrust.com
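The same preparation can be scripted on IIS 7 or later with Windows PowerShell. This is an added example, not part of the TBS instructions above: it checks that the root file is the self-signed (non-cross-signed) version, performs the two imports from steps 10 and 14, switches the site to "Require client certificates", and verifies that the CRL servers listed above are reachable. The file paths and the site name are placeholders, and the PKI and WebAdministration modules are assumed to be available.

```powershell
#Requires -RunAsAdministrator
# Added example (not TBS code): PowerShell equivalent of the MMC/IIS steps on this page.
Import-Module PKI
Import-Module WebAdministration

$rootFile = 'C:\certs\USERTrust RSA Certification Authority.crt'   # placeholder path
$caFile   = 'C:\certs\TBS X509 CA persona 2.crt'                   # placeholder path
$siteName = 'Default Web Site'                                      # placeholder site name

# The page asks for the root WITHOUT cross-signature: that is the self-signed copy,
# whose Subject equals its Issuer. A cross-signed copy names another CA as issuer.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootFile
if ($root.Subject -ne $root.Issuer) {
    throw "Expected a self-signed root, got issuer '$($root.Issuer)'. Use the non-cross-signed file."
}

# Steps 10 and 14: root into Trusted Root CAs, intermediate into Intermediate CAs.
Import-Certificate -FilePath $rootFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $caFile   -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

# Step 5 ("Require client certificates") on IIS 7+: set the site's sslFlags.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# The server must reach the CRL distribution points over outbound HTTP (port 80).
$crlHosts = 'crl.tbs-x509.com', 'crl.tbs-internet.com', 'crl.comodoca.com',
            'crl.comodo.net', 'crl.usertrust.com'
foreach ($h in $crlHosts) {
    $ok = (Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-22} {1}' -f $h, $(if ($ok) { 'reachable' } else { 'BLOCKED: CRL download will fail' })
}

# Finally, confirm the intermediate now chains to the imported root with online revocation checking,
# which exercises the same CRL downloads IIS will perform for client certificates.
$ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caFile
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if ($chain.Build($ca)) {
    'Intermediate chains to the trusted root and its revocation status could be checked.'
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)" }
}
```

Run it once per server after downloading the two .crt files; a "BLOCKED" line or a chain problem explains most cases where client authentication silently fails.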