Strong authentication using SSL/TLS client certificates

Posted by Liaquat Khan on 05-Dec-2012 12:50:00

We have recently added a strong user authentication method into SigningHub that uses X.509 SSL/TLS client authentication certificates. This feature is only available to on-premise installations of SigningHub.

SSL/TLS client certificates

These certificates provide a more secure alternative to passwords. Passwords can be subjected to brute force attacks.

Not only is SSL client authentication more secure, it also lets users log in without providing a password, which makes life easier.

Please note: SigningHub already uses SSL/TLS security, but only with server authentication certificates, where users are authenticated using a username and password.
 
The communication link between the browser and server is secured using strong encryption as used by many banking sites. Our SSL/TLS server authentication certificate is also trusted in almost all publicly-known browsers.

How to configure

After installing Ascertia Docs (the product which powers SigningHub), enable SSL/TLS client and server authentication by configuring the following tags inside the adocs.config file (see highlighted items):

[Screenshot: adocs.config with the SSL/TLS client and server authentication tags highlighted]

User interface

Once configured, the Register and Login pages work differently. Before login, you need to register with your SSL/TLS client certificate. Accessing the registration page shows the following screen:

[Screenshot: registration page]

As you can see, the registration page is different. Now you cannot edit your email address (this is taken directly from your SSL/TLS client certificate) and there are no password fields. Once registered successfully, the user gets an activation email as normal and on activation is shown the welcome screen.

[Screenshot: welcome screen]

If your SSL/TLS authentication certificate is about to expire (every digital certificate has a validity period, normally one year), a warning message is shown at login time, suggesting that you re-register with a newly issued certificate.

[Screenshot: certificate expiry warning at login]

The administrator can configure how many days before expiry these alerts are shown to the user.

Once your SSL/TLS client certificate has expired, it can no longer be used. However, you can register a new certificate, issued by your administrator.
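The certificate-derived email address and the expiry warning described above can be sketched as follows. This is an added example in Python, not Ascertia's code: it works on the dictionary that `ssl.SSLSocket.getpeercert()` returns after a mutual TLS handshake, and the names `cert_email`, `login_decision`, `WARN_DAYS` and the sample certificate are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: the administrator-configured warning window, in days

# Constructed sample in the format returned by ssl.SSLSocket.getpeercert().
# That dict is only populated when the chain was verified, so the server
# context must set verify_mode = ssl.CERT_REQUIRED and load the issuing CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "Alice Example"),),
                (("emailAddress", "alice@example.com"),)),
    "subjectAltName": (("email", "Alice@Example.com"),),
    "notBefore": "Dec  5 00:00:00 2012 GMT",
    "notAfter": "Dec  5 00:00:00 2013 GMT",
}


def cert_email(cert):
    """Email bound into the certificate: SAN rfc822Name first, then subject emailAddress."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "email":
            return value.lower()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "emailAddress":
                return value.lower()
    return None  # no email in the certificate: registration cannot proceed


def login_decision(cert, now, warn_days=WARN_DAYS):
    """Return (status, whole days left); status is ok, warn, expired or not_yet_valid."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    days_left = int((not_after - ts) // 86400)
    if ts < not_before:
        return "not_yet_valid", days_left
    if ts > not_after:
        return "expired", days_left      # user must register a new certificate
    if days_left <= warn_days:
        return "warn", days_left         # show the re-registration warning
    return "ok", days_left


if __name__ == "__main__":
    now = datetime(2013, 11, 20, tzinfo=timezone.utc)
    print(cert_email(SAMPLE_CERT), login_decision(SAMPLE_CERT, now))
```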

Interested in using SigningHub in your business? Get in touch to discuss your requirements.
