Import the OneSpan Authentication Server SSL certificate on the client workstation

Digipass Authentication for Windows Logon uses secure connections to the instances of OneSpan Authentication Server via the Secure Sockets Layer (SSL) protocol. When establishing a connection, Digipass Authentication for Windows Logon needs to validate a server certificate. To do so, the relevant server certificate must be registered in the certificate store on the client workstation.

You can import the server certificate either locally via Microsoft Management Console (MMC) on each client workstation, or deploy it via Group Policy, which is recommended for larger installations.

Import a OneSpan Authentication Server certificate via Microsoft Management Console (MMC)

To import a OneSpan Authentication Server certificate with Microsoft Management Console (MMC)

  1. On the client workstation, start Microsoft Management Console by entering mmc in a command-line prompt.
  2. If the Console Root tree does not contain the Certificates snap-in, add the snap-in:
    1. Select File > Add / Remove Snap-in.
    2. Select the Certificates snap-in in the Available snap-ins list and click Add.
    3. Select Computer account and click Next.
    4. Select Local computer and click Finish.
    5. Click OK to return to the Microsoft Management Console application window.
  3. Select Certificates (Local Computer) in the Console Root tree.
  4. In Logical Store Name, select Trusted Root Certification Authorities > All Tasks > Import....

    The Certificate Import Wizard is displayed.

  5. Click Next.
  6. Specify the file containing the OneSpan Authentication Server certificate.
  7. Select Place all certificates in the following store and ensure that Trusted Root Certification Authorities is selected in the Certificate store field.
  8. Click Finish.
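
The same import can be scripted. The following PowerShell script is an added example, not part of the OneSpan product or its documentation; it checks the certificate's SHA-256 fingerprint and validity period before adding it to the local computer's Trusted Root Certification Authorities store. The parameter names `CertPath` and `ExpectedSha256` are hypothetical, and the script assumes you obtained the expected fingerprint from the server administrator through a separate channel.

```powershell
#Requires -RunAsAdministrator
# Added example (not OneSpan code): verify a server certificate, then trust it.
param(
    # Path to the exported server certificate file (assumed parameter name).
    [Parameter(Mandatory)] [string] $CertPath,
    # SHA-256 fingerprint obtained out-of-band (assumed parameter name).
    [Parameter(Mandatory)] [string] $ExpectedSha256
)

$ErrorActionPreference = 'Stop'

# Load the certificate (DER or PEM-encoded) without touching any store yet.
$file = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

# Compute the SHA-256 fingerprint over the DER bytes of the certificate.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
} finally {
    $sha256.Dispose()
}

# Normalize the expected value (strip colons and spaces) and compare.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch: file has $actual, expected $expected. Certificate not imported."
}

# Refuse certificates that are not yet valid or already expired.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) - $($cert.NotAfter))."
}

# Add to Certificates (Local Computer) > Trusted Root Certification Authorities.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

# Confirm the certificate is now present in the store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, NotAfter
```

Run the script from an elevated PowerShell session on the client workstation.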

Deploy a OneSpan Authentication Server certificate via Group Policy

This section contains a brief overview of how to use Group Policy for certificate deployment. For more information, refer to the Windows Server Group Policy documentation on Microsoft TechNet (technet.microsoft.com).

To complete the following procedure, you need to use Group Policy Management Console (GPMC).

To deploy a OneSpan Authentication Server certificate with Group Policy

  1. On the domain controller, start Group Policy Management by entering gpmc.msc in a command prompt.
  2. To create a new Group Policy Object:
    1. Select the domain or organizational unit for which you want to set a Group Policy in the Group Policy management tree.
    2. Select Create a GPO in this domain, and Link it here... from the context menu.

      Figure: Configuring DAWL via Group Policy (1) - Group Policy Management

    3. Enter a name for the new Group Policy Object.
  3. Select the relevant Group Policy Object in the tree.

    Ensure the Group Policy Object is associated with the domain, site, or organizational unit whose users will be affected by the policy.

  4. Select Edit... from the context menu.

    The Group Policy Object Editor is displayed.

    Figure: Configuring DAWL via Group Policy (2) - Group Policy Object Editor

  5. Select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities in the Policy tree.

    Figure: Deploying SSL certificate via Group Policy (1) - Group Policy Object Editor

  6. Select Import... from the context menu.

    The Certificate Import Wizard is displayed.

  7. Click Next.
  8. Specify the OneSpan Authentication Server certificate file.
  9. Select Place all certificates in the following store and ensure that Trusted Root Certification Authorities is selected in the Certificate store field.
  10. Click Finish.

Additional considerations

  • OneSpan Authentication Server can create a certificate used for secure connections during installation. This certificate, i.e. ikey_soap_serverca.pem, is located in <install_dir>\VASCO\IDENTIKEY Authentication Server\bin.
  • You can configure Digipass Authentication for Windows Logon to accept any certificate from the server, but this is not recommended. In this case, you do not necessarily need to deploy the self-signed certificate as described.
  • You can also use a third-party SSL certificate.
  • When issuing a certificate via Group Policy, it is imported to the client workstation the next time a user logs on.