
Strong authentication with IIS and TBS X509 Sign&Login

To use IIS with client certificate authentication, and in particular to map certificates to a user account, you must first import the root and intermediate certificates of the chain that issued the user certificates that will be used.

To use TBS X509 Sign&Login certificates, you have to import the "TBSX509 CA Persona 2" certificate. To do so:

  1. On your server, launch executable "mmc" (Start menu, Run, type "mmc" and OK).

  2. Click on File, "Add/Remove Snap-in...".

  3. Choose "Certificates" and click on Add.

  4. Choose the "Computer Account" then "Local Computer" and "Finish".

  5. Click on "Close" then "OK".

  6. Click on the "+" next to "Certificates (Local Computer)".

  7. Click on the "+" next to "Trusted Authority Certificates".

  8. Right click on "Certificates".

  9. Choose "All tasks", "Import".

  10. Using the wizard, import the "COMODO AAA Certificates Services" certificate available here:
    COMODO AAA Certificates Services.crt

  11. Click on the "+" next to "Intermediate Authority Certificates".

  12. Right click on "Certificates".

  13. Choose "All tasks", "Import".

  14. Using the wizard, import the "TBS X509 CA persona 2" certificate available here: TBS X509 CA persona 2.crt

  15. Also import the intermediate certificate "USERTrust RSA Certification Authority" available here:
    USERTrust RSA Certification Authority.crt
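The same import can be scripted instead of clicking through the MMC wizard. The block below is an added example, not code from TBS: it assumes the three .crt files named above were downloaded to C:\certs (assumed path), that the PKI module is available (Windows Server 2012 / PowerShell 3.0 or later) and that the prompt is elevated. The root goes into the computer account's Trusted Root store and the two intermediates into the Intermediate store, which are the two stores the MMC steps open; a final chain build confirms the issuing CA now links up to a trusted root.

```powershell
# Added example (not from the TBS page): import the CA certificates with PowerShell.
# Assumed download location of the three .crt files named in the steps above.
$certDir = 'C:\certs'

# Root certificate -> Trusted Root Certification Authorities of the computer account
# (Cert:\LocalMachine\Root); intermediates -> Intermediate Certification Authorities
# (Cert:\LocalMachine\CA). File names are those used on the page.
$imports = @(
    @{ File = 'COMODO AAA Certificates Services.crt';      Store = 'Cert:\LocalMachine\Root' },
    @{ File = 'USERTrust RSA Certification Authority.crt'; Store = 'Cert:\LocalMachine\CA'   },
    @{ File = 'TBS X509 CA persona 2.crt';                 Store = 'Cert:\LocalMachine\CA'   }
)

foreach ($item in $imports) {
    $path = Join-Path $certDir $item.File
    if (-not (Test-Path $path)) { throw "Missing file: $path" }
    # Import-Certificate (PKI module) returns the X509Certificate2 it stored.
    $cert = Import-Certificate -FilePath $path -CertStoreLocation $item.Store
    Write-Output ("Imported '{0}' into {1} (thumbprint {2})" -f $cert.Subject, $item.Store, $cert.Thumbprint)
}

# Verify that the issuing CA now chains up to a trusted root on this machine.
$issuing = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like '*TBS X509 CA Persona 2*' } |
    Select-Object -First 1
if (-not $issuing) { throw 'Issuing CA "TBS X509 CA Persona 2" not found in Cert:\LocalMachine\CA' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation (CRL download) is checked separately; here only trust is tested.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($issuing)) {
    $names = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
    Write-Output ('Chain OK: ' + ($names -join '  <-  '))
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does not build: $status"
}
```

If the chain build fails with an "untrusted root" status, the root was imported into the wrong store (CurrentUser instead of LocalMachine is the usual mistake when the snap-in was opened without choosing "Computer Account").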

Once this is done, configure the IIS site to require a certificate and filter on it. Here is, for example, how to authorize all certificates issued by our authority TBS X509 CA Persona 2 to connect to the site.

  1. Launch the IIS manager through the Control Panel, Administrative Tools, IIS.

  2. Right click on the website then on Properties.

  3. Go to the "Directory Security" tab.

  4. In Secure communications, click the Edit button.

  5. Select either "Accept client certificates" or "Require client certificates".

  6. Check "Enable certificate trust list" (CTL).

  7. Choose "Create" or "Edit" an existing list.

  8. When the request to add a certificate appears, choose "Add from File" and give the file corresponding to "USERTrust RSA Certification Authority" downloaded above.

To accept only some of the certificates issued by our authority, you must use the certificate mapping function of IIS, which lets you select the admitted certificates one by one or by rule.
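The dialog steps above are those of the IIS 6 manager. On IIS 7 and later the same two settings (require a client certificate, then accept only certificates from one issuer) live in applicationHost.config and can be set with the WebAdministration module; the block below is an added example for that case and is not TBS's own code. It assumes the site is called "Default Web Site", that the "IIS Client Certificate Mapping Authentication" role service is installed, and that a Windows account exists that mapped users will run as (asked for interactively). The issuer rule does the filtering that the CTL did on IIS 6: a certificate from any other CA in the trusted stores chains correctly but is still refused.

```powershell
# Added example, not TBS's own code. IIS 7+ equivalent of the GUI steps above.
Import-Module WebAdministration
$site    = 'Default Web Site'          # assumed site name
$apphost = 'MACHINE/WEBROOT/APPHOST'   # write into applicationHost.config, not web.config

# 1. Require SSL and require (not merely accept) a client certificate.
#    Use 'Ssl,SslNegotiateCert' to accept one without requiring it.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 2. Many-to-one mapping: every certificate whose Issuer CN is "TBS X509 CA Persona 2"
#    is mapped to one Windows account; anything else is denied.
$mapPath = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $mapPath `
    -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $mapPath `
    -Name 'oneToOneCertificateMappingsEnabled' -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $mapPath `
    -Name 'manyToOneCertificateMappingsEnabled' -Value $true

# Assumed: a low-privilege local or domain account created for mapped certificate users.
$cred = Get-Credential -Message 'Windows account that mapped certificate users will run as'

$mappingName = 'TBS Persona 2 users'
Add-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$mapPath/manyToOneMappings" -Name '.' -Value @{
        name           = $mappingName
        enabled        = $true
        permissionMode = 'Allow'
        userName       = $cred.UserName
        password       = $cred.GetNetworkCredential().Password
    }

# The rule that narrows acceptance to our issuing CA (matches the Issuer CN field).
Add-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$mapPath/manyToOneMappings/add[@name='$mappingName']/rules" -Name '.' -Value @{
        certificateField     = 'Issuer'
        certificateSubField  = 'CN'
        matchCriteria        = 'TBS X509 CA Persona 2'
        compareCaseSensitive = $true
    }

# Show the resulting configuration for review.
Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$mapPath/manyToOneMappings/add" |
    Select-Object name, enabled, permissionMode, userName
```

Matching on the issuer CN only restricts which CA may have issued the certificate; with `permissionMode='Deny'` and a `Subject` field rule, individual certificates or organisations can be excluded from an otherwise accepted issuer, which is the finer selection the paragraph above refers to.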

If it is not already done:

Then test the access. Although in theory what has been done is sufficient, if it does not work (the certificate selection window displayed by IE remains empty), an additional operation must be carried out: install a copy of the client certificate obtained (make a pfx export file containing the whole chain) in Internet Explorer with the server administrator account. We cannot explain what it is for, but in the end the selection of the certificate works after that, when it did not work initially.

Remember that for proper functioning, the IIS server must be able to download the CRLs of the certificates of the certification chain. To do this, the server must have outbound HTTP access, at least to the CRL servers:

crl.tbs-x509.com
crl.tbs-internet.com
crl.comodoca.com
crl.sectigo.com
crl.usertrust.com
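A quick way to confirm the egress requirement before blaming the certificates is to test each CRL host on port 80 from the server itself and then let Windows fetch the chain and CRLs for a sample user certificate. The block below is an added example, not from the TBS page; it assumes a user certificate (public part only) was saved as C:\certs\client.cer (assumed path) and that Test-NetConnection is available (Windows Server 2012 or later).

```powershell
# Added example, not TBS's own code: check CRL reachability, then a full chain + revocation fetch.
$crlHosts = 'crl.tbs-x509.com', 'crl.tbs-internet.com', 'crl.comodoca.com',
            'crl.sectigo.com', 'crl.usertrust.com'

# CRLs are published over plain HTTP on port 80. An egress filter or proxy that only
# allows 443 makes revocation checking fail, and IIS then rejects the client certificate.
$results = foreach ($h in $crlHosts) {
    $t = Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host       = $h
        ResolvedTo = $t.RemoteAddress
        Port80Open = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Port80Open }
if ($blocked) {
    Write-Warning ('CRL hosts not reachable on port 80: ' + ($blocked.Host -join ', '))
}

# certutil -verify -urlfetch builds the chain the way IIS will, downloading the AIA
# and CRL URLs embedded in each certificate. Read the "Revocation check" lines in the
# output; a "The revocation function was unable to check revocation" message points at
# one of the hosts above being unreachable rather than at the certificate itself.
$clientCert = 'C:\certs\client.cer'   # assumed path to an exported user certificate
if (Test-Path $clientCert) {
    certutil -verify -urlfetch $clientCert
} else {
    Write-Warning "No certificate at $clientCert to verify"
}
```

Run this under the same account and network context as the IIS worker process where possible: a proxy configured only for the logged-on user is a common reason why the check passes in a console but fails inside IIS.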