In order to allow your users to log in to your application with a new Digital Passport or Business Authentication certificate, you will need to configure your webserver for Client SSL Authentication and update your trust store with the new CA certificates.
The methods for configuring this vary according to the webserver software used. In general, the webserver configuration files will specify a file containing all intermediate and root certificates to be trusted for Client SSL Authentication.
In order to allow for the use of the new Digital Passport or Business Authentication certificates, you will need to add the Digidentity Assurance Root CA and the Digidentity SIVI CA to your server's trust store for Client SSL Authentication. You can find the certificates here:
Here are some basic examples for configuring Client SSL Authentication via an nginx or Apache webserver.
Note: Beyond the examples provided here, Digidentity is unable to provide support for the configuration of your webserver/application for Client SSL Authentication.
Apache Client SSL Authentication Example:
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateKeyFile /path/to/private_key
    # Change "none" to "require" to require client SSL authentication for the entire host.
    # (Apache does not allow comments on the same line as a directive.)
    SSLVerifyClient none
    # CA bundle used to verify client certificates: the Digidentity Assurance Root CA
    # and the Digidentity SIVI CA, concatenated in PEM format
    SSLCACertificateFile conf/ssl.crt/ca.crt
    # Configure client SSL authentication for a specific URL, whilst allowing anonymous access to the rest of the server
    <Location /secure/area>
        SSLVerifyClient require
        # Maximum number of CA certificates between the client certificate and a trusted root
        SSLVerifyDepth 3
    </Location>
    # Enable HTTP/2, if available. Note that per-Location client authentication relies on TLS
    # renegotiation, which HTTP/2 does not allow; with h2 enabled, requests to /secure/area
    # are only authenticated this way over HTTP/1.1. Use host-wide "SSLVerifyClient require"
    # if client authentication must also work over HTTP/2.
    Protocols h2 http/1.1
</VirtualHost>
nginx Client SSL Authentication Example:
server {
    listen 443 ssl;                  ## "ssl on;" is deprecated; enable TLS on the listen directive instead
    server_name myserver.com;
    ssl_certificate /etc/nginx/certificates/cert.crt;          ## Replace with your own certificate
    ssl_certificate_key /etc/nginx/certificates/cert.key;      ## Replace with your own private key
    ## Replace with the location of the trust chain (Digidentity Assurance Root CA + SIVI CA).
    ## ssl_trusted_certificate verifies client certificates without advertising the CA names to
    ## the client; use ssl_client_certificate instead if clients should receive the CA list.
    ssl_trusted_certificate /etc/nginx/certificates/CA.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   ## Adjust as necessary to match the supported versions of TLS
    ssl_verify_client on;            ## Require and verify a client certificate for this server
    ssl_verify_depth 3;              ## Sets the verification depth in the client certificate chain
}