Server SSL certificate for secure communication

Digipass Authentication for Windows Logon connects to the authentication server using the Secure Sockets Layer (SSL) protocol, which requires the identification of the authentication server with a valid SSL certificate. Digipass Authentication for Windows Logon can handle server SSL certificates in two ways, depending on the connection settings specified in the Digipass Authentication for Windows Logon Configuration Center:

  • If Verify server SSL certificate is selected, Digipass Authentication for Windows Logon will check whether the certificate is installed in the Trusted Root Certification Authorities certificate store. A connection to the authentication server will be established only if the server certificate is trusted, i.e. if the server certificate is installed in the certificate store.
  • Without this check, i.e. if Verify server SSL certificate is not selected, any SSL server certificate will be accepted, regardless of whether it is installed in the Trusted Root Certification Authorities certificate store.

Because accepting any SSL certificate from the server constitutes a major security risk, always select Verify server SSL certificate when in production mode.

You should disable this check only for evaluation or testing purposes, if required.

The steps to ensure the server SSL certificate is trusted depend on the server certificate type you are using:

  • If you intend to use the self-signed certificate created during OneSpan Authentication Server installation, you must import the ikey_soap_serverca.pem certificate file to client computers either locally with certmgr.msc, or, for larger installations, via Group Policy.

    For instructions to import this certificate file, refer to the Digipass Authentication for Windows Logon Installation Guide.

  • If you want to use your own enterprise SSL certificate trusted by your enterprise certification authority (CA), you need to configure certificate trust accordingly for the respective domain(s).
  • If you intend to use a public trusted certificate, no further steps are required to establish certificate trust. The certificate will be trusted automatically.
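
For the self-signed case, a client can be checked before Verify server SSL certificate is selected. The following read-only PowerShell audit is an added example, not part of the OneSpan documentation or product. The file path is a placeholder, and because this page does not say which store location the client consults, the script reports on both the local machine and the current user Trusted Root store.

```powershell
# Added example: read-only audit, nothing is imported or changed on the client.
# Assumption: $CaFile is a placeholder path for the copied ikey_soap_serverca.pem.
param(
    [string]$CaFile = 'C:\Temp\ikey_soap_serverca.pem'
)

$ErrorActionPreference = 'Stop'

# X509Certificate2 reads Base64 (PEM) encoded certificate files on Windows.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaFile

# A trusted but expired certificate still fails validation, so flag it early.
$now = Get-Date
if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
    Write-Warning "Certificate is outside its validity period ($($ca.NotBefore) to $($ca.NotAfter))."
}

# Compare by thumbprint, not by subject name: a different certificate can
# carry the same subject, but not the same thumbprint.
$results = foreach ($location in 'LocalMachine', 'CurrentUser') {
    $match = Get-ChildItem -Path "Cert:\$location\Root" |
        Where-Object { $_.Thumbprint -eq $ca.Thumbprint }

    [pscustomobject]@{
        Store      = "$location\Root"
        Subject    = $ca.Subject
        Thumbprint = $ca.Thumbprint
        NotAfter   = $ca.NotAfter
        Trusted    = [bool]$match
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a deployment or compliance job detect unprepared clients.
if (-not ($results.Trusted -contains $true)) {
    Write-Warning 'Certificate not found in a Trusted Root store; with Verify server SSL certificate selected, no connection will be established.'
    exit 1
}
```

Compare the reported thumbprint with the one read from the file on the authentication server itself, so that a substituted file is noticed before it is distributed.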