picture of tbs certificates
picture of tbs certificates
Our products range

Strong authentication with IIS and TBS X509 Sign&Login

To use IIS with client certificate authentication, in particular to map certificates to a user account, you must first import the root certificate corresponding to the user certificates that will be used.

To use TBS X509 Sign&Login certificates, you have to import the "TBSX509 CA Persona 2" certificate. To do so:

  1. On your server, launch executable "mmc" (Start menu, Run, type "mmc" and OK).

  2. Click on File, Add/Remove Snap-in...")

  3. Choose "Certificates" and click on Add.

  4. Choose the "Computer Account" then "Local Computer" and "Finish".

  5. Click on "Close" then "OK".

  6. Click on the "+" next to "Certificates (Local Computer)".

  7. Click on the "+" next to "Trusted Authority Certificates".

  8. Right click on "Certificates"

  9. Choose "All tasks", "Import".

  10. Using the wizard, import the "COMODO AAA Certificates Services" certificate available here:
    COMODO AAA Certificates Services.crt

  11. Click on the "+" next to "Intermediate Authority Certificates".

  12. Right click on "Certificates"

  13. Choose "All tasks", "Import".

  14. Using the wizard, import the "TBS X509 CA persona 2" certificate available here: TBS X509 CA persona 2.crt

  15. Also import the intermediate certificate "USERTrust RSA Certification Authority" available here :
    USERTrust RSA Certification Authority.crt

Once this is done, configure the IIS site to require a certificate and filter on it. Here is for example to authorize all issued certificates by our authority TBS X509 CA Persona 2 to connect to the site.

  1. Launch IIS through the Control Panel, Administrative Tools, IIS

  2. Right click on the website then on Properties.

  3. Go to the "Directory Security" tab.

  4. In Secure communications, click the Edit button.

  5. Select either "Accept client certificates" or "Require client certificates"

  6. choose "Enable certificate trust list" CTL

  7. choose "Create or Edit an existing list.

  8. When the request to add a certificate appears, choose "Add from File" and give the file corresponding to "USERTrust RSA Certification Authority" downloaded above.

To specify only certain certificates issued by our authority, you must use the mapping function of IIS, for example to select all certificates admitted finely.

If it is not already done:

Then test the access. Although in theory what has been done is sufficient, if it does not work (the certificate selection window displayed by IE remains empty), an additional operation must be carried out! Install a copy of the client certificate obtained (make a pfx export file with the whole chain) in Internet Explorer with the server administrator account. We cannot explain what it is for, but in the end the selection of the certificate works after that, when it did not work not initially.

Remember that for proper functioning, the IIS server must be able to download the CRLs of the certificates of the certification chain. To do this, the server must have access to the HTTP protocol outside, at least to the CRL servers: