2.3 Setting up SSL/TLS on the SSRP

2.3.1 Web applications

The SSRP system comprises the following web applications:

You must set up the Start, StartPage, SSRP, and SSRPOID web applications to require 1-way SSL/TLS.

If you are using PIV card-based derived credentials, you must also set up the SSRP web application to require 2-way SSL/TLS. This web application verifies the cardholder's request and initiates the issuance of the client certificate-based derived credential. Make sure the Client certificates option in IIS is set to Accept; this is required if you are using the Start launch page.

If you are using only the StartPage launch page, and do not require OpenID as an authentication option, you can set the Client certificates option in IIS to Require.

2.3.2 SSL certificates

For client certificate-based derived credentials, it is important that the IIS server has a certificate in its trusted root that matches a certificate in the user’s SSL certificate chain.

The user’s computer must also have a certificate in the trusted root CA that matches a certificate in the server's SSL certificate chain.

Certificates that have expired or are not trusted by the IIS server are not eligible for use and may well be hidden by the browser.

2.3.3 Using TLS 1.3

By default, TLS 1.3 is enabled on Windows Server 2022. To use TLS 1.3 with the Self-Service Request Portal, you must modify the https port bindings to enable client certificate negotiation. You cannot do this through the IIS user interface, but you can use a PowerShell script instead.

To enable the use of TLS 1.3 for the SSRP:

  1. Ensure TLS 1.3 is enabled for the web server:

    1. In Internet Information Services (IIS) Manager, in the Connections pane, expand the server name, then Sites, then select the website used for SSRP; by default, this is Default Web Site.

    2. Right-click the website, then from the pop-up menu select Edit Bindings.

    3. In the Site Bindings dialog, select https.

    4. Click Edit.

    5. Make sure the Disable TLS 1.3 over TCP option is not selected.

    6. Click OK, then click Close.

  2. Make a note of the server TLS certificate thumbprint:

    1. In IIS, select the server on which SSRP is installed, then double-click Server Certificates.

    2. Double-click the certificate used for TLS authentication.

    3. Select the Details tab.

      You can view the Thumbprint field here.

  3. Run the following PowerShell script, substituting the thumbprint from step 2 into the serverTlsCertThumbprint variable:

    # Port of the https binding and the server TLS certificate thumbprint noted in step 2
    # (a hex string with no spaces)
    $port = 443
    $serverTlsCertThumbprint = '[thumbprint]'
    $iisBindingAppId = New-Guid
    # Remove the existing https binding so it can be re-created with client certificate negotiation enabled
    Start-Process -FilePath "netsh" -ArgumentList @("http", "delete", "sslcert", "ipport=0.0.0.0:$port") -Wait
    # Re-create the binding with the same certificate from the local machine personal (MY) store,
    # this time with clientcertnegotiation enabled
    Start-Process -FilePath "netsh" -ArgumentList @("http", "add", "sslcert", "ipport=0.0.0.0:$port", "certhash=$serverTlsCertThumbprint", "appid={$iisBindingAppId}", "certstorename=MY", "clientcertnegotiation=Enable") -Wait

Note: Any subsequent changes to the https binding through the IIS user interface revert this change. If this happens, run through the above steps again to re-enable TLS 1.3 for SSRP.
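Because an IIS user interface edit silently reverts the binding, it is worth checking the binding state after running the script and again after any IIS configuration change. The following check is an added example, not part of the product documentation or script above; it assumes the English-language labels printed by netsh http show sslcert ("Certificate Hash", "Negotiate Client Certificate") and the default SSRP https port 443.

```powershell
# Verify that the https SSL binding still uses the expected certificate and has
# client certificate negotiation enabled (required for TLS 1.3 with client certificates).
function Test-SsrpSslBinding {
    param(
        [int]$Port = 443,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # netsh prints one "Label : Value" pair per line for the requested binding;
    # a non-zero exit code means no binding exists for this ip:port
    $output = & netsh http show sslcert "ipport=0.0.0.0:$Port" 2>&1
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{
            Port = $Port; BindingExists = $false; ThumbprintMatches = $false
            ClientCertNegotiation = $null; Ready = $false
        }
    }
    # Parse the label/value lines; labels are followed by whitespace and a colon
    $binding = @{}
    foreach ($line in $output) {
        if ($line -match '^\s*(.+?)\s+:\s*(.*?)\s*$') {
            $binding[$Matches[1]] = $Matches[2]
        }
    }
    # Compare thumbprints case-insensitively and ignore any spaces copied from the Details tab
    $normalize = { param($s) ($s -replace '\s', '').ToUpperInvariant() }
    $hashMatches = (& $normalize $binding['Certificate Hash']) -eq (& $normalize $ExpectedThumbprint)
    $negotiation = $binding['Negotiate Client Certificate']
    [pscustomobject]@{
        Port                  = $Port
        BindingExists         = $true
        ThumbprintMatches     = $hashMatches
        ClientCertNegotiation = $negotiation
        # Ready only when the certificate is the expected one and negotiation is enabled
        Ready                 = $hashMatches -and ($negotiation -eq 'Enabled')
    }
}

# Example call; use the thumbprint noted in step 2 (placeholder shown)
Test-SsrpSslBinding -Port 443 -ExpectedThumbprint '[thumbprint]'
```

If Ready is False after an IIS change, re-run the netsh script from step 3 to restore the binding.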