4.3 Setting up SSL/TLS

4.3.1 One-way SSL/TLS

If you want to configure the Self-Service App to use one-way SSL/TLS for its communications with the MyID Web Services server, you must install the server's certificate under the Trusted Root Certification Authorities in the user's certificate store.

4.3.2 Two-way SSL/TLS

Note: If your server is set up to use two-way SSL/TLS, you must set up your client to use two-way SSL/TLS. If you do not specify SSL on the client, an error is displayed.

Note: The Self-Service App does not support two-way SSL/TLS using a certificate stored on a smart card.

To use two-way SSL/TLS using a specific certificate:

  1. Install the client certificate in the user's personal store.

    The client certificate must have the Client Authentication application policy, which has the following OID:

    1.3.6.1.5.5.7.3.2

  2. Find the client certificate's serial number:

    1. Run the CertMgr.msc snap-in.
    2. Expand Personal > Certificates.
    3. Double-click the client certificate.
    4. Click the Details tab.
  3. Run the application using the following command line:

    myidapp.exe /ssl /sslsn:<serialnumber>

    where:

    <serialnumber> – the serial number of the client certificate. Enter the serial number without spaces. For example, if the serial number is:

    62 00 00 00 34 fe 3c a9 a8 1c 98 6a f1 00 00 00 00 00 34

    use the following command line:

    myidapp.exe /ssl /sslsn:6200000034fe3ca9a81c986af1000000000034

If you run the application with the /ssl command line option but omit the /sslsn option, the application carries out the following:

  1. The application checks the application settings file for the details of the last certificate that was successfully used to log on.
  2. If no details are found, if the certificate is no longer in the personal store, or the server rejects the certificate, the application searches the personal store for certificates that match the issuer DN (optionally set up when you install the application) and have the Client Authentication policy.
  3. If more than one certificate is found, the application displays a list of certificates for the user to select.

When the application has successfully logged on to the server using a certificate, the certificate's details are stored in the user's application settings file.

Specifying two-way SSL in the configuration file

As an alternative to specifying /ssl and /sslsn on the command line each time you run the Self-Service App (for example, if you are launching the Self-Service App using a hyperlink and therefore cannot specify /ssl or /sslsn), you can add settings to the <appSettings> node of the configuration file.

To edit the configuration file:

  1. On the client PC, shut down the Self-Service App.
  2. Back up the MyIDApp.exe.config file.

    By default, this is in the following folder:

    C:\Program Files (x86)\Intercede\MyIDApp\Self Service Application\

  3. Using a text editor, open the config file.

    Note: Make the changes to the config file exactly as shown. The case is important.

  4. In the <appSettings> node, add the following lines:

    <add key="TwoWaySSL" value="true"/>

    <add key="SSLCertificateSN" value="YourCertificateSerialNumber"/>

    If you want to stop using two-way SSL, you can set the TwoWaySSL value to false or remove the line. If you set this value to false, but include /ssl on the command line, the command line takes precedence, and the Self-Service App attempts to use SSL. If you specify a value for SSLCertificateSN but also include /sslsn on the command line, the command line takes precedence.

  5. Save the configuration file.
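The following PowerShell script is an added example, not part of the MyID documentation or the Self-Service App: it reproduces the certificate search described above (Personal store, Client Authentication policy, optional issuer DN match) and prints, for each candidate, the /sslsn value and the SSLCertificateSN line for the <appSettings> node. The $IssuerFilter value is an assumed placeholder; set it to your own issuer DN or leave it empty.

```powershell
# Added example (not from the MyID documentation). Lists certificates in the current
# user's Personal store that qualify for two-way SSL/TLS with the Self-Service App.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication application policy (from the manual)
$IssuerFilter  = ''                     # assumed placeholder, e.g. 'CN=Example Issuing CA'; '' skips the check

function Test-ClientAuthCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$IssuerFilter
    )
    # The app needs the private key, and the server will reject an expired certificate.
    if (-not $Cert.HasPrivateKey) { return $false }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -le $now) { return $false }

    # The certificate must carry the Client Authentication EKU.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })) { return $false }

    # Optional issuer DN match, mirroring the app's own fallback search.
    return ([string]::IsNullOrEmpty($IssuerFilter) -or $Cert.Issuer -like "*$IssuerFilter*")
}

$candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { Test-ClientAuthCert -Cert $_ -IssuerFilter $IssuerFilter })

switch ($candidates.Count) {
    0       { Write-Warning 'No usable Client Authentication certificate in the Personal store.' }
    1       { Write-Host 'One matching certificate; the app would select it without prompting.' }
    default { Write-Host "$($candidates.Count) matching certificates; the app would ask the user to choose." }
}

foreach ($cert in $candidates) {
    # .NET already returns the serial number as hex without spaces; lower-cased to match
    # the manual's example. This is the value to pass to /sslsn or SSLCertificateSN.
    $sn = $cert.SerialNumber.ToLower()
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Expires : $($cert.NotAfter)"
    Write-Host "Command : myidapp.exe /ssl /sslsn:$sn"
    Write-Host "Config  : <add key=""SSLCertificateSN"" value=""$sn""/>"
    Write-Host ''
}
```

Run it as the user who will launch the Self-Service App, since it reads that user's Personal store (Cert:\CurrentUser\My).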