Enabling Client Certificate Authentication on IIS 5.x web server

To enable Client Certificate Authentication on IIS 5.x you will need to obtain your own Digi-ID™ Client Certificate, Certification Authority Certificate and setup a local user (or Active Directory Domain) account on a Windows Server that the IIS 5.x web server is installed and running on.

2.1 Obtaining the Digi-Sign Certification Authority Certificate

You will need to download the GTECyberTrustRootCA.cer file and save it on/upload to the Windows Server where the IIS 5.x web server is installed and running on.

To obtain the Digi-Sign Certification Authority Certificate, use the following URL:

http://digi-sign.com/downloads/certificates/GTECyberTrustRootCA.cer

2.2 Preparing IIS 5.x for Digi-Access™ Client Certificate Authentication

To prepare IIS 5.x for Digi-Access™ Client Certificate Authentication:

Go to Windows Administrative Tools.

• Start Internet Services Manager.

• Open the properties window for the website that you have enabled SSL on. You can do this by right clicking on the Default Website and selecting Properties from the menu.
• Open Directory Security by right clicking on the Directory Security tab.









• Click Edit in the Anonymous access and authentication control section.
• An Authentication Methods window will appear.









• Make sure that all options (check boxes) in this section are disabled, including the Anonymous Access, Basic Authentication, Digest Authentication and Integrated Windows Authentication.
• Click OK to apply changes.
• Click Edit in Secure communications section.
• A Secure Communications window will appear.









• Ensure that Require secure channel (SSL) option is enabled. Require 128-bit encryption option should be disabled. You may enable it if you are sure that all end users connecting to your Digi-Access™ protected web site will have 128-bit enabled browsers.
• Ensure that Enable client certificate mapping option is enabled.
• Ensure that Enable certificate trust list option is enabled.
• Under Current CTL, click New.
• Click Next.
• A Certificate Trust List Wizard window will appear.









• Click Add from file.
• Browse for the GTECyberTrustRootCA.cer Certificate file that you downloaded and saved on/uploaded to the server in section 2.1 of this document.
• Once located, select the file and click Open.
• Click Next.









• Type Friendly Name, for example: Digi-Access.
• Type Description, for example: Digi-Access Client Authentication for my system.
• Click Next.
• Click Finish.
• You should now see your CTL List on the Secure Communications window.









• Click OK and then OK again.

Your IIS 5.x web server is now ready to start working with Digi-Access™ Client Certificate Authentication.