4.5 Setting up SSL

4.5.1 One-way SSL

If you want to configure the Self-Service Kiosk to use one-way SSL for its communications with the MyID Web Services server, you must install the server's certificate under the Trusted Root Certification Authorities in the user's certificate store.

4.5.2 Two-way SSL

Note: If your server is set up to use two-way SSL, you must set up your client to use two-way SSL. If you do not use the /ssl command-line option, an error is displayed.

Note: The Self-Service Kiosk does not support two-way SSL using a certificate stored on a smart card.

To use two-way SSL using a specific certificate:

  1. Install the client certificate in the user's personal store.

    The client certificate must have the Client Authentication application policy – this has the following OID:

    1.3.6.1.5.5.7.3.2

    Note: Make sure that you issue the client certificate from a different certificate authority from the one you use to issue certificates to end users.

  2. Find the client certificate's serial number:

    1. Run the CertMgr.msc snap-in.
    2. Expand Personal > Certificates.
    3. Double-click the client certificate.
    4. Click the Details tab.

  3. Run the application using the following command line:

    MyIDKiosk.exe /ssl /sslsn:<serialnumber>

    where:

    <serialnumber> – the serial number of the client certificate. Enter the serial number without spaces. For example, if the serial number is:

    62 00 00 00 34 fe 3c a9 a8 1c 98 6a f1 00 00 00 00 00 34

    use the following command line:

    MyIDKiosk.exe /ssl /sslsn:6200000034fe3ca9a81c986af1000000000034

    Note: If you copy the serial number from the Details tab of the certificate properties dialog, you may inadvertently copy a non-printing character at the start of the serial number. You must make sure that you delete this character from the Kiosk command line. (To check: position the cursor immediately before the : that follows /sslsn in the command line. Press the right-cursor key once; the cursor moves to just after the colon. Press the right-cursor key again. If the cursor does not move past the first digit of the serial number, a non-printing character is present; press the Backspace key to delete it.)

If you run the application with the /ssl command line option but omit the /sslsn option, the application carries out the following:

  1. The application checks the application settings file for the details of the last certificate that was successfully used to log on.
  2. If no details are found, if the certificate is no longer in the personal store, or if the server rejects the certificate, the application searches the personal store for certificates that match the issuer DN (optionally set up when you install the application) and have the Client Authentication policy.
  3. If more than one certificate is found, the application displays a list of certificates for the user to select.

When the application has successfully logged on to the server using a certificate, the certificate's details are stored in the user's application settings file.
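The following PowerShell script is an added example; it is not part of the MyID documentation or product. It covers both the manual procedure above (finding the client certificate, normalising its serial number, and building the /ssl /sslsn command line) and the fallback search the Kiosk performs when /sslsn is omitted (certificates in the Personal store that match an issuer DN and carry the Client Authentication policy). The Client Authentication OID is the value the documentation gives; the issuer DN is a placeholder, and the script assumes MyIDKiosk.exe is on the PATH.

```powershell
# Added example; not MyID's code. Placeholders: the issuer DN and the assumption
# that MyIDKiosk.exe is on the PATH. The EKU OID is the value given in the documentation.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function ConvertTo-KioskSerial {
    # Normalise a serial number as copied from the certificate Details tab:
    # drop spaces and any non-printing character (for example a leading
    # left-to-right mark, U+200E, which the Details tab can place at the start),
    # keep only hex digits, and check that a whole number of bytes remains.
    param([Parameter(Mandatory)][string]$PastedSerial)

    $clean = ($PastedSerial -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($clean.Length -eq 0 -or ($clean.Length % 2) -ne 0) {
        throw "Serial number '$PastedSerial' does not reduce to a whole number of hex bytes."
    }
    return $clean
}

function Get-KioskClientCertificate {
    # Return certificates from the user's Personal store that have a private key,
    # carry the Client Authentication EKU and, if -IssuerDn is given, were issued
    # by that CA. This mirrors the search the Kiosk performs when /sslsn is omitted.
    param([string]$IssuerDn)

    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        if ($ekuExt) {
            $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        }
        $cert.HasPrivateKey -and $hasClientAuth -and
            (-not $IssuerDn -or $cert.Issuer -eq $IssuerDn)
    }
}

# 1. Normalise a serial pasted with spaces and a hidden leading character
#    (constructed input based on the documentation's sample serial number).
$pasted = [char]0x200E + '62 00 00 00 34 fe 3c a9 a8 1c 98 6a f1 00 00 00 00 00 34'
ConvertTo-KioskSerial $pasted

# 2. Locate the Kiosk client certificate and build the command line.
$candidates = @(Get-KioskClientCertificate -IssuerDn 'CN=Kiosk Client CA, O=Example')  # placeholder DN
switch ($candidates.Count) {
    0 {
        Write-Warning 'No client-authentication certificate with a private key found in Cert:\CurrentUser\My.'
    }
    1 {
        $serial = ConvertTo-KioskSerial $candidates[0].SerialNumber
        "MyIDKiosk.exe /ssl /sslsn:$serial"
    }
    default {
        Write-Warning "$($candidates.Count) candidate certificates found; pick one and pass its serial with /sslsn."
        $candidates | Format-Table Subject, Issuer, NotAfter, SerialNumber -AutoSize
    }
}
```

Step 1 reduces the documentation's sample serial, including the invisible leading character, to the same string that its example command line uses, so a pasted value can be checked before it is typed into the Kiosk command line. Step 2 uses the same filter the Kiosk applies in its fallback search (private key present, Client Authentication EKU, optional issuer DN), which is also why issuing the client certificate from a CA separate from the end-user CA keeps the candidate list short and unambiguous.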