Server Configuration

Step 2 - Configuring Digi-Access™ on the Server

The instructions below are for the two most popular servers (i.e. IIS and Apache). If you are using different web server software, use the online contact form for Support and they will supply the instructions for your server.

Allow 30 Minutes

Enabling Digi-Access™ client certificates for two factor authentication will take you 30 minutes (or less). Configure your server by following these simple steps:

Apache

For full detailed instructions and explanations, read the Apache Support pages.


1. Download and save this certificate bundle:

CA Bundle for Digi-Access™

2. Open the httpd.conf file for editing and locate the Virtual Host section for your SSL secured site

3. Add the following directive line into your site/directory configuration section:

SSLOptions +StdEnvVars +ExportCertData

Once StdEnvVars is enabled, the standard set of SSL-related CGI/SSI environment variables is created. CGI and SSI requests are disabled by default. This is for performance reasons and we do not recommend changing this unless you are an experienced Apache Administrator. For further details and instructions, refer to the Apache Support page.

4. Add the following directive line into your site/directory configuration section:

SSLVerifyClient require

This directive sets the certificate verification level for Client Certificate Authentication. It can be used in both a per-server and a per-directory context. In the per-server context, the client authentication process is applied during the standard SSL handshake when a connection is established. In the per-directory context, it forces an SSL re-negotiation with the reconfigured client verification level after the HTTP request has been read but before the HTTP response is sent. We recommend that you use the 'require' value unless you are an experienced Apache Administrator. For further details and instructions, refer to the Apache Support page.

5. Add the following directive line into your site/directory configuration section:

SSLVerifyDepth 10

This directive sets the verification depth to 10. This means that the client certificate has to be signed by a CA that is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath). We recommend that you use the '10' value unless you are an experienced Apache Administrator.

You can also add the following directive(s) to enable a customised authentication rule, if you choose to make the Apache web server the level at which authentication is performed:

SSLRequire

This directive specifies a general access requirement which has to be fulfilled in order to allow access. It is a very powerful directive because the requirement specification is an arbitrarily complex Boolean expression containing any number of access checks. We do not recommend using this unless you are an experienced Apache Administrator. For further details and instructions, refer to the Apache Support page.

Note: If you are implementing a CGI application with Digi-Access™, some Apache versions may require the following directive to be present:

   SetEnvIf User-Agent ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0

For further details and instructions, refer to the Apache Support page.

6. Save your httpd.conf file

7. Restart Apache
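
What a CGI application receives once the SSLOptions line from step 3 is in place, as an added example (not Digi-Sign's or Apache's own code): it checks mod_ssl's SSL_CLIENT_* variables before treating the certificate subject as the logged-in user. The issuer name, the sample environment and the function names are assumptions made for the illustration.

```python
import base64
import hashlib

# Hypothetical placeholder: use the CN of the issuing CA certificate you installed.
EXPECTED_ISSUER_CN = "Example Issuing CA"

class ClientCertError(Exception):
    """The request does not carry an acceptable client certificate."""

def cert_fingerprint(pem):
    """SHA-256 of the DER bytes in SSL_CLIENT_CERT (set by +ExportCertData)."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return hashlib.sha256(base64.b64decode("".join(lines))).hexdigest()

def authenticate(env, expected_issuer_cn=EXPECTED_ISSUER_CN):
    """Return the identity mod_ssl verified, or raise ClientCertError."""
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    status = env.get("SSL_CLIENT_VERIFY", "NONE")
    if status != "SUCCESS":
        raise ClientCertError("client certificate not verified: " + status)
    if env.get("SSL_CLIENT_I_DN_CN") != expected_issuer_cn:
        raise ClientCertError("certificate issued by an unexpected CA")
    subject_cn, pem = env.get("SSL_CLIENT_S_DN_CN"), env.get("SSL_CLIENT_CERT")
    if not subject_cn or not pem:
        raise ClientCertError("subject CN or exported certificate missing")
    return {"user": subject_cn, "serial": env.get("SSL_CLIENT_M_SERIAL", ""),
            "sha256": cert_fingerprint(pem)}

# Constructed sample environment; the bytes below are not a real X.509 certificate.
FAKE_DER = b"constructed-bytes-standing-in-for-a-DER-certificate"
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "alice@example.com",
    "SSL_CLIENT_I_DN_CN": "Example Issuing CA",
    "SSL_CLIENT_M_SERIAL": "0A1B2C",
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode() + "-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    print(authenticate(SAMPLE_ENV))
```

In a real CGI script, pass os.environ as env; logging the serial number and fingerprint with each login gives an audit trail that ties a session to one specific certificate.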

IIS

For full detailed instructions and screenshots, read the IIS Support pages.


1. Download and save these two certificates:

   Digi-Sign Root CA

   Digi-Sign CA Digi-Access™ Xs

2. On the server, click the Start button, select Run and type MMC, before clicking the 'OK' button

3. You should now be in the Microsoft Management Console and should follow these steps:

4. Now all you need to do is import the Digi-Access™ Root certificate, following these steps:

5. Then import the Digi-Access™ intermediate certificate, as follows:

6. Go to Windows Administrative Tools and open the properties window for the website that you have enabled SSL on. Open the Directory Security by right clicking on the Directory Security tab and then follow these steps:

7. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.




Your web server is now ready to start using Digi-Access™ client certificates for two factor authentication.


Follow the right side link below to learn how easily each user can get their Digi-Access™ certificate.