

Strong authentication with IIS and TBS X509 server certificate

Although it is not its primary role, a server certificate can also be used for client authentication, provided the Client Authentication purpose is present in the certificate's extended key usage.

To use IIS with server certificate authentication, especially for mapping certificates to a user or computer account, you must first import the root and intermediate certificates corresponding to the server certificates that will be used.

To use TBS X509 server certificates, you have to import the intermediate certificate "TBS X509 CA business 2". To do this:

  1. On your server, launch the executable "mmc" (Start menu, Run, type "mmc" and OK)

  2. Click File, Add / Remove Snap-ins

  3. Choose "Certificates" and click on Add.

  4. Select "Computer Account" then "Local Computer" and Finish.

  5. Click on close and on OK.

  6. Click on the "+" next to Certificates (Local Computer)

  7. Click "+" next to "Trusted Root Certification Authorities"

  8. Right click on "Certificates"

  9. Select "All Tasks->Import..."

  10. Using the wizard, import the "Comodo AAA Certificate Services" certificate available here: Comodo AAA Certificate Services.crt

  11. Click "+" next to "Intermediate Certification Authorities"

  12. Right click on "Certificates"

  13. Select "All Tasks->Import..."

  14. Using the wizard, import the "TBS X509 CA business 2" certificate available here: TBS X509 CA business 2.crt

  15. Do the same for the intermediate certificate "USERTrust RSA Certification Authority" available here: USERTrust RSA Certification Authority.crt

Once this is done, you need to configure the IIS site to require a certificate and filter on it. Here is an example to allow all certificates issued by our TBS X509 CA Business 2 authority to connect to the site.

  1. Launch IIS through the Control Panel, Administrative Tools, IIS

  2. Right click on the website then on Properties.

  3. Go to the "Directory Security" tab.

  4. In Secure communications, click the Edit button.

  5. Select either "Accept client certificates" or "Require client certificates"

  6. Check "Enable certificate trust list" (CTL)

  7. Choose to Create or Edit an existing list.

  8. When the request to add a certificate appears, choose "Add from File" and give the file corresponding to "Comodo AAA Certificate Services" downloaded above.

To accept only some of the certificates issued by our authority, use the certificate mapping function of IIS, which lets you select the admitted certificates in a fine-grained way.


If this has not already been done, import the certification chain: depending on the product ordered, the chain to import differs according to the authority chosen.

Then test the access. Although in theory what has been done is sufficient, if it does not work (the certificate selection window displayed by IE remains empty), an additional operation is needed: install a copy of the client certificate obtained (export it as a .pfx file with the whole chain) into Internet Explorer under the server administrator's account. We cannot explain what this is for, but in the end certificate selection works after that, where it did not work initially.

Remember that for proper functioning, the IIS server must be able to download the CRLs of the certificates in the certification chain. For this, the server must have outbound HTTP access, at least to the CRL servers:
crl.tbs-x509.com
crl.tbs-internet.com
crl.comodoca.com
crl.sectigo.com
crl.usertrust.com
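As an added example (not part of the TBS article), the following PowerShell does from a script what the steps above do by hand: it imports the three certificate files into the Local Computer stores, checks that the issuing CA now chains to a trusted root, sets the IIS 7+ equivalent of "Require client certificates", and checks that each CRL host listed above is reachable over HTTP. The folder C:\certs, the site name "Default Web Site" and the availability of the PKI and WebAdministration modules are assumptions.

```powershell
# Added example, not from the TBS article. Assumes the three .crt files from the
# article were saved to C:\certs (assumed path) and that the PKI and WebAdministration
# modules are available (Windows Server 2012 / IIS 8 or later; the article's GUI steps
# describe the older "Directory Security" tab).
$certDir = 'C:\certs'   # assumed download folder

# 1. Root goes to Trusted Root CAs, intermediates to Intermediate CAs, in the
#    LocalMachine hive (matching the "Computer Account" snap-in chosen in the article).
Import-Certificate -FilePath "$certDir\Comodo AAA Certificate Services.crt" `
    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
foreach ($f in 'TBS X509 CA business 2.crt', 'USERTrust RSA Certification Authority.crt') {
    Import-Certificate -FilePath "$certDir\$f" -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
}

# 2. Check that the issuing CA now builds a chain to a trusted root on this machine.
$issuing = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like '*TBS X509 CA business 2*' } | Select-Object -First 1
if (-not $issuing -or -not (Test-Certificate -Cert $issuing -Policy BASE)) {
    Write-Warning 'Intermediate does not chain to a trusted root: check the Root store import.'
}

# 3. On IIS 7 and later, the "Require client certificates" setting of the article is
#    the sslFlags property of the site (assumed site name 'Default Web Site').
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 4. CRL download: the server must reach each CRL host from the article over HTTP,
#    otherwise chain validation fails and client authentication breaks.
$crlHosts = 'crl.tbs-x509.com', 'crl.tbs-internet.com', 'crl.comodoca.com',
            'crl.sectigo.com', 'crl.usertrust.com'
foreach ($h in $crlHosts) {
    $ok = (Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-25} {1}' -f $h, $(if ($ok) { 'reachable' } else { 'BLOCKED: open outbound HTTP to this host' })
}
```

Run it in an elevated PowerShell session on the IIS server; a BLOCKED line in the last section is the usual cause of the empty certificate selection window described above.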