Server TLS/SSL certificate for secure communication

Digipass Authentication for IIS Basic connects to the authentication server over Transport Layer Security (TLS), or its deprecated predecessor Secure Sockets Layer (SSL). Either protocol requires the authentication server to identify itself with a valid TLS/SSL server certificate. Digipass Authentication for IIS Basic handles the server certificate in one of two ways, depending on the connection settings specified in the Digipass Authentication for IIS Basic Configuration Center:

  • If Verify server SSL certificate is selected, Digipass Authentication for IIS Basic checks whether the server certificate is trusted, i.e. whether the certificate itself, or the certification authority (CA) certificate that issued it, is installed in the Trusted Root Certification Authorities certificate store. A connection to the authentication server is established only if this check succeeds.
  • If Verify server SSL certificate is not selected, any TLS/SSL server certificate is accepted, whether or not it chains to a certificate in the Trusted Root Certification Authorities certificate store.

Accepting any certificate from the server is a major security risk: an attacker who can intercept the connection can present a certificate of their own and read or alter the authentication traffic without being detected. Always select Verify server SSL certificate in production.

You should disable this check only for evaluation or testing purposes, if required.

The steps required to make the server TLS/SSL certificate trusted depend on the type of server certificate used:

  • If you intend to use the self-signed certificate created during OneSpan Authentication Server installation, you must import the ikey_soap_serverca.pem certificate file (the CA certificate that signed the server certificate) into the Trusted Root Certification Authorities store on each computer running Digipass Authentication for IIS Basic, either locally with certmgr.msc or, for larger installations, by deployment via Group Policy.

    For more information, refer to the Windows Server Group Policy documentation on Microsoft TechNet (technet.microsoft.com).

  • If you want to use your own TLS/SSL certificate issued by your enterprise certification authority (CA), the root certificate of that CA (and any intermediate CA certificates in the chain) must be present in the Trusted Root Certification Authorities store on the computers in the respective domain(s); configure certificate trust for those domains accordingly.
  • If you intend to use a certificate issued by a publicly trusted CA, no further steps are required: the certificate is trusted automatically, because the public CA's root certificate is already in the Trusted Root Certification Authorities store.
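The following PowerShell script is an added example and is not part of the OneSpan documentation or product. It performs the self-signed-certificate procedure above (importing ikey_soap_serverca.pem into the Trusted Root Certification Authorities store) and then verifies the result the way the Verify server SSL certificate check would see it: it opens a TLS connection to the authentication server, captures the certificate the server actually presents, and builds its chain against the local trust stores. The file path, host name and port are placeholder values, and the use of the LocalMachine store (rather than the current user's) is an assumption based on IIS worker processes running under service identities.

```powershell
# Added example; not OneSpan's code. Path, host and port are placeholder
# values (assumptions) that must be replaced with your own.
$CaCertPath = 'C:\Temp\ikey_soap_serverca.pem'   # assumed location of the exported CA certificate
$AuthServer = 'authserver.example.com'           # assumed OneSpan Authentication Server host name
$Port       = 8888                               # assumed TLS port; use the port configured in the Configuration Center

# --- Step 1: import the CA certificate into the machine-wide Trusted Root store.
# LocalMachine\Root is assumed because IIS worker processes run under service
# identities that do not see a user's CurrentUser store. Writing to it needs an
# elevated (administrator) PowerShell session.
$ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$root.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
if ($root.Certificates.Contains($ca)) {
    Write-Host "CA already trusted: $($ca.Subject) [$($ca.Thumbprint)]"
} else {
    $root.Add($ca)
    Write-Host "Imported CA:        $($ca.Subject) [$($ca.Thumbprint)]"
}
$root.Close()

# --- Step 2: fetch the certificate the authentication server actually presents.
# The validation callback returns $true only so that the handshake completes and
# the certificate can be inspected; trust is evaluated explicitly in step 3.
# Never use an accept-all callback like this in production code paths.
$tcp       = New-Object System.Net.Sockets.TcpClient -ArgumentList $AuthServer, $Port
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($sender, $cert, $chain, $errors) $true }
$ssl       = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
$ssl.AuthenticateAsClient($AuthServer)   # host name is also sent as SNI
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
$ssl.Dispose()
$tcp.Dispose()

# --- Step 3: build the chain against the local trust stores, which is what a
# "chains to a Trusted Root CA" check amounts to on Windows.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# The installer's self-signed CA publishes no CRL, so revocation checking would
# fail for the wrong reason. Do not disable it when using an enterprise or public CA.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($serverCert)

"Server certificate     : {0}"        -f $serverCert.Subject
"Issuer                 : {0}"        -f $serverCert.Issuer
"Validity               : {0:u} - {1:u}" -f $serverCert.NotBefore, $serverCert.NotAfter
"Chains to trusted root : {0}"        -f $trusted
if (-not $trusted) {
    # Each status entry explains why the chain failed (untrusted root, expired, etc.).
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}
```

Run the script in an elevated PowerShell session on the IIS host. If "Chains to trusted root" reports False after the import, the chain-status lines tell you whether the server is presenting a certificate issued by a different CA than the one you imported, or whether the certificate has expired. Compare the printed Subject with the address you configured for the authentication server as well: a certificate can chain to a trusted root and still be issued for a different host name.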