IIS [1]

   Digi-Sign Root CA [2]

   Digi-Sign CA Digi-Access™ Xs [3]

2. On the server, click the Start button, select Run and type MMC, before clicking the 'OK' button

3. You should now be in the Microsoft Management Console and should follow these steps:

• Click File and select Add/Remove Snap-in

• Select Add, select Certificates from the Add Standalone Snap-in box and click Add

• Select Computer Account, then Local Computer and click Finish

• Close the Add Standalone Snap-in box and click OK in the Add/Remove Snap-in

• Return to the Microsoft Management Console

4. Now all you need to do is import the Digi-Access™ Root certificate, following these steps:

• Right click the Trusted Root Certification Authorities, select All Tasks, and then select Import

• After clicking Next > you should browse to the Digi-Sign Root CA [2]

• Ensure that the Digi-Sign Root CA certificate appears under Trusted Root Certification Authorities

• Then click Next > and then Finish

5. Then import the Digi-Access™ intermediate CA certificate, as follows:

• Right click the Intermediate Certification Authorities, select All Tasks, and then select Import

• After clicking Next > you should browse to the Digi-Sign CA Digi-Access Xs [3]

• Ensure that the Digi-Sign CA Digi-Access Xs appears under Intermediate Certification Authorities

• Then click Next > and then Finish

• Restart the IISAdmin service, or reboot the computer to complete the installation

6. Go to Windows Administrative Tools and open the properties window for the website that you have enabled SSL on. Open the Directory Security by right clicking on the Directory Security tab and then follow these steps:

• Click Edit in the Anonymous access and authentication control section. The Authentication Methods window will appear

• Make sure that all options (check boxes) in this section are disabled, including the Anonymous Access, Basic Authentication, Digest Authentication and Integrated Windows Authentication

• Click OK to apply changes

• Click Edit in Secure communications section and the Secure Communications window will appear

• Ensure that both the 'Require secure channel (SSL)' option and the 'Require 128-bit encryption' option are enabled

• Then ensure that the 'Enable client certificate mapping' option is enabled and that the 'Ensure that Enable certificate trust list' option is enabled

• Move to the 'Under Current CTL' and click New, followed by Next > and a Certificate Trust List Wizard window will appear

• Browse for the Digi-Sign_Root_CA.cer Certificate file and click Open, followed by Next>

• In the Friendly Name field enter: Digi-Access

• In the Description field enter: Digi-Access Two Factor Client Authentication

• Click Next > and then Finish

• You should now see your Certificate Trust List [CTL] List on the Secure Communications window

• Click OK and then OK again

7. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.

• Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties

• Click the Directory Security tab, and then under Secure communications, click Edit

• Click to select the Enable client certificate mapping check box, and then click Edit

• Click the Many-to-1 tab, and then click Add

• In the General dialog box, type 'Digi-Access' as the name for the rule, and then Next

• In the Rules dialog box, click New

• In the Edit Rule Element dialog box that appears, configure the settings that you want for the rule
  
  There are two fields from client certificates that can be used as criteria for many-to-one rules:
  
  * Issuer - This field specifies information about the Certification Authority [CA] that issued the Digi-Access™ certificate
  
  * Subject - This field specifies information about the entity to whom the Digi-Access™ certificate was issued
  
  Each of these fields can contain common LDAP sub fields for example:
  
         * CN = commonName (for example, "Bob Smith")
         * OU = organizationalUnitName (for example, "Sales")
         * OU = organizationalUnitName [4] (for example, "2xacme")
         * OU = organizationalUnitName [4] (for example, "2x10003")
         * O = organizationName (for example, "Acme, Inc.")
         * L = localityName (for example, "Dublin")
         * S = stateOrProvinceName (for example, "Dublin")
         * C = countryName (for example, "IE")
  
  
  To create a mapping, you create a rule based on a field/subfield pair for a specific value. For example, you could create a rule that matched the Subject's O subfield with 'Acme' to allow access to all clients with certificates that were issued for the Acme organization. This effectively eliminates client connections from any clients that are not part of the Acme organization.
  
  When finished creating the rule settings, click OK, and then click Next
  
  
  
  
  
  
  

  IMPORTANT NOTE:- In addition to the above parameters you enter, two additional rule sets will be generated by the Registration Authority [RA] that will be used to distribute [5] the end users' Digi-Access™ certificates. These two rule sets are based on Organizational Unit Name [OU] fields and will be 'silently' pre-appended to each Digi-Access™ Certificate issued by the Digi-Access™ CA.

  These OU field values distinguish end users as belonging to your specific user domain. You must obtain these values from Digi-Access™ RA Certificate Management Console where these two rule sets can be found in the Certificate Manager's 'Distinguished Name' policy configuration.

• In the Mapping dialog box, click Accept this certificate for Logon Authentication, and then in the Account box, type, or click Browse to browse to the Windows user account that you want to map. Type the password of the user account in the Password box.

• Click OK three times, and then quit Internet Services Manager, or close the IIS snap-in