The instructions below are for the two most popular servers (i.e. IIS and Apache). If you are using different web server software, use the online contact form for Support [1] and they will supply the instructions for your server.
Enabling Digi-Access™ client certificates for two factor authentication will take you 30 minutes (or less). Configure your server by following these simple steps:
For full detailed instructions and explanations, read the Apache Support [2] pages.

1. Download and save this certificate bundle:

2. Open the httpd.conf file for editing and locate the Virtual Host section for your SSL secured site

3. Add the following directive line into your site/directory configuration section:

   SSLOptions +StdEnvVars +ExportCertData

   Once StdEnvVars is enabled, the standard set of SSL-related CGI/SSI environment variables is created. CGI and SSI requests are disabled by default. This is for performance reasons and we do not recommend changing this unless you are an experienced Apache Administrator. For further details and instructions, refer to the Apache Support [2] page.

4. Add the following directive line into your site/directory configuration section:

   SSLVerifyClient require

   This directive sets the certificate verification level for the Client Certificate Authentication. It can be used in both a per-server and a per-directory context. In the per-server context, the client authentication process is applied during the standard SSL handshake when a connection is established. In the per-directory context, it forces an SSL re-negotiation with the reconfigured client verification level after the HTTP request has been read but before the HTTP response is sent. We recommend that you use the 'require' value unless you are an experienced Apache Administrator. For further details and instructions, refer to the Apache Support [2] page.

5. Add the following directive line into your site/directory configuration section:

   SSLVerifyDepth 10

   This directive sets the depth of 10. This means that the client certificate has to be signed by a CA that is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath). We recommend that you use the '10' value unless you are an experienced Apache Administrator.

   You can also add the following directive(s) to enable a customised authentication rule, if you choose the Apache web server to be the authentication level:

   SSLRequire

   This directive specifies a general access requirement which has to be fulfilled in order to allow access. It is a very powerful directive because the requirement specification is an arbitrarily complex Boolean expression containing any number of access checks. We do not recommend using this unless you are an experienced Apache Administrator. For further details and instructions, refer to the Apache Support [2] page.

   Note: If you are implementing a CGI application with Digi-Access™, some Apache versions may require the following directive to be present:

   SetEnvIf User-Agent ".*MSIE.*" \

   For further details and instructions, refer to the Apache Support [2] page.

6. Save your httpd.conf file

7. Restart Apache
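A CGI application behind this configuration can read the variables that step 3 exports and refuse the request unless Apache reports a verified certificate. The following Python code is an added example, not part of the original instructions or Digi-Sign's own code; the function name, the OU allow-list and the sample values are assumptions.

```python
import base64
import hashlib
import ssl


def check_client_cert(environ, allowed_ous):
    """Return (allowed, detail) from mod_ssl's variables; fail closed."""
    # SSL_CLIENT_VERIFY is NONE, SUCCESS, GENEROUS or FAILED:<reason>.
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, "certificate not verified: " + verify
    # Subject OU as parsed by mod_ssl (one of the +StdEnvVars variables).
    ou = environ.get("SSL_CLIENT_S_DN_OU", "")
    if ou not in allowed_ous:
        return False, "OU not permitted: " + repr(ou)
    # PEM copy of the client certificate, present only with +ExportCertData.
    pem = environ.get("SSL_CLIENT_CERT", "").strip()
    try:
        der = ssl.PEM_cert_to_DER_cert(pem)
    except ValueError:
        return False, "SSL_CLIENT_CERT missing or malformed"
    # SHA-256 fingerprint identifies the exact certificate in audit logs.
    return True, hashlib.sha256(der).hexdigest()


# Constructed sample environment; the bytes are not a real certificate.
SAMPLE_DER = b"constructed bytes, not a real certificate"
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_OU": "Staff",
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    print(check_client_cert(SAMPLE_ENV, {"Staff"}))
```

In a real CGI program, pass os.environ in place of SAMPLE_ENV.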
For full detailed instructions and screenshots, read the IIS Support [3] pages.

1. Download and save these two certificates: Digi-Sign CA Digi-Access™ Xs [6]

2. On the server, click the Start button, select Run and type MMC, before clicking the 'OK' button

3. You should now be in the Microsoft Management Console and should follow these steps:

4. Now all you need to do is import the Digi-Access™ Root certificate, following these steps:

5. Then import the Digi-Access™ intermediate certificate, as follows:

6. Go to Windows Administrative Tools and open the properties window for the website that you have enabled SSL on. Open the Directory Security by right clicking on the Directory Security tab and then follow these steps:

7. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.

Links:
[1] http://www2.digi-sign.com/contact
[2] http://www2.digi-sign.com/support/digi-access/apache
[3] http://www2.digi-sign.com/support/digi-access/iis
[4] http://www.digi-sign.com/downloads/certificates/digi-access/BundledCAXp.pem
[5] http://www.digi-sign.com/downloads/certificates/dsroot/Digi-Sign_Root_CA.cer
[6] http://www.digi-sign.com/downloads/certificates/digi-access/Digi-Sign_CA_Digi-Access_Xs.cer
[7] http://www2.digi-sign.com/digi-access/configure/ou
[8] http://www2.digi-sign.com/digi-access/distribute