Direct Cert Portal Two-Factor Authentication

Configuring and Using Two-Factor Authentication for Your Direct Cert Portal

Two-factor authentication increases the security of your Direct accounts by allowing you to require two methods of identity verification before someone can log into the Direct Cert Portal to access their account. You can require two-factor authentication for all account users and for specific individual users (i.e., Jane Doe in IT).

» Configuring Two-Factor Authentication
» Using Two-Factor Authentication
» Managing Client Certificates

Direct ISSOs
If you are a Direct user who has the ability to approve certificate requests (ISSOs), see Two-Factor Authentication Requirements for Direct ISSO Accounts.

Configuring Your Two-Factor Authentication Rules

These instructions are for Direct admins and explain how to configure your Two-Factor Authentication rules/requirements for your Direct account.

How to Configure Your Two-Factor Authentication Requirements

Configuring your Two-Factor Authentication Rules for Your Direct Account

Log into your Direct account as an Admin.
In the Console, in the banner menu, click Settings > Authentication Settings.
Configuring an Account-wide Requirement.
1. To the right of Two-Factor Authentication Requirements, click Add a requirement.
2. In the Create a Two-Factor Authentication Requirement section, under Authentication type select the second factor authentication type that you want to require all account users to use to log into their Direct account.
  - Client Certificate requirement
    
    Select this option if you want all account users to use a Client Certificate to complete the authentication process. Users can only access their Direct account from a computer/device on which the certificate is installed.
  - One-time Password (OTP) requirement
    
    Select this option if you want all account users to use an OTP App on their mobile device to complete the authentication process. Users can access their Direct account from any computer/device.
3. Under Apply rule to, select All account users.
4. Click Add Requirement.
  
  You should receive the “Requirement is successfully added.” message.
  
  The rule is automatically created and appears in the list of requirements under Two-Factor Authentication Requirements.
Configuring a requirement for a specific individual user.
1. To the right of Two-Factor Authentication Requirements, click Add a requirement.
2. In the Create a Two-Factor Authentication Requirement section, under Authentication type, select the second factor authentication type that you want to require this user to use to log into their Direct account
  - Client Certificate
    
    Select this option if you want users to use a Client Certificate to complete the authentication process. Users can only access their Direct account from a computer/device on which the certificate is installed.
  - One-Time Password (OTP)
    
    Select this option if you want users to use an OTP App on their mobile device to complete the authentication process. Users can access their Direct account from any computer/device.
3. Under Apply rule to, select Specific user and then in the drop-down list, select the user that you want this rule/requirement to target.
4. Click Add Requirement.
  
  You should receive the “Requirement is successfully added.” message.
  
  The rule is automatically created and appears in the list of requirements under Two-Factor Authentication Requirements.
Allowing OTP Authenticators to verify their computer for 30 days.
(Optional - For OTP Authenticators Only)

To display the Remember verification on this computer for 30 days check box for OTP authenticators, check Display “Remember verification for this computer” checkbox during OTP login.

This option allows your OTP authenticators to verify the computer that they are logging in on. For the next thirty days, they can bypass entering the verification code each time they log in from that computer. At the end of the thirty days, OTP authenticators are required to enter their verification code and decide if they want to remember the verification on that computer for the next thirty days.

If you don’t check this option, than the Remember verification on this computer for 30 days check box remains hidden.
You have now successfully configured your Two-Factor Authentication requirements for logging into your DigiCert account.
The lists under Issued Client Certificates and One-Time Password (OTP) Devices populate as users log into your Direct account and generate their Client Certificates and initialize their OTP App devices.

Generating Your Client Certificate
Initializing Your OTP App Device

How to Configure an Account-wide Requirement

Configuring an Account-wide Requirement for Your Direct Account

Log into your Direct account as an Admin.
In the Console, in the banner menu, click Settings > Authentication Settings.
To the right of Two-Factor Authentication Requirements, click Add a requirement.
In the Create a Two-Factor Authentication Requirement section, under Authentication type select the second factor authentication type that you want to require all account users to use to log into their Direct account.
- Client Certificate requirement
  
  Select this option if you want all account users to use a Client Certificate to complete the authentication process. Users can only access their Direct account from a computer/device on which the certificate is installed.
- One-time Password (OTP) requirement
  
  Select this option if you want all account users to use an OTP App on their mobile device to complete the authentication process. Users can access their Direct account from any computer/device.
Under Apply rule to, select All account users.
Click Add Requirement.

You should receive the “Requirement is successfully added.” message.

The rule is automatically created and appears in the list of requirements under Two-Factor Authentication Requirements.
You have now successfully configured an account-wide requirement for logging into your Direct account.
The lists under Issued Client Certificates and One-Time Password (OTP) Devices populate as users log into your Direct accont and generate their Client Certificates and initialize their OTP App devices.

Generating Your Client Certificate
Initializing Your OTP App Device

How to Configure a Requirement for a Specific Individual User

Configuring a Requirement for a Specific Individual User for Your Direct Account

Log into your Direct account as an Admin.
In the Console, in the banner menu, click Settings > Authentication Settings.
To the right of Two-Factor Authentication Requirements, click Add a requirement.
In the Create a Two-Factor Authentication Requirement section, under Authentication type, select the second factor authentication type that you want to require this user to use to log into their Direct account
- Client Certificate
  
  Select this option if you want users to use a Client Certificate to complete the authentication process. Users can only access their Direct account from a computer/device on which the certificate is installed.
- One-Time Password (OTP)
  
  Select this option if you want users to use an OTP App on their mobile device to complete the authentication process. Users can access their Direct account from any computer/device.
Under Apply rule to, select Specific user and then in the drop-down list, select the user that you want this rule/requirement to target.
Click Add Requirement.

You should receive the “Requirement is successfully added.” message.

The rule is automatically created and appears in the list of requirements under Two-Factor Authentication Requirements.
You have now successfully configured a requirement for a specific user for logging into your Direct account.
The lists under Issued Client Certificates and One-Time Password (OTP) Devices populate as users log into your Direct account and generate their Client Certificates and initialize their OTP App devices.

Generating Your Client Certificate
Initializing Your OTP App Device

How to Allow OTP App Authenticators to Verify a Computer for 30 Days

Configuring the Option to Allow OTP App Authenticators to Verify a Computer for 30 Days

Log into your Direct account as an Admin.
In the Console, in the banner menu, click Settings > Authentication Settings.
To display the Remember verification on this computer for 30 days check box for OTP authenticators, check Display “Remember verification for this computer” checkbox during OTP login.

This option allows your OTP authenticators to verify the computer that they are logging in on. For the next thirty days, they can bypass entering the verification code each time they log in from that computer. At the end of the thirty days, OTP authenticators are required to enter their verification code and decide if they want to remember the verification on that computer for the next thirty days.

If you don’t check this option, than the Remember verification on this computer for 30 days check box remains hidden.
You have now successfully configured the option to allow OTP App authenticators to verify a computer for 30 days for logging into your Direct account.
The lists under Issued Client Certificates and One-Time Password (OTP) Devices populate as users log into your Direct account and generate their Client Certificates and initialize their OTP App devices.

Generating Your Client Certificate
Initializing Your OTP App Device

Using the Second Factor of Your Two-Factor Authentication

These instructions explain how to use Two-Factor Authentication after it has been configured for your Direct account. The instructions are divided into two sections: Admin Specific instructions and User instructions.

User Instructions

Generating Your Client Certificate

After your administrator has turned on and configured two-factor authentication for your account, you must initialize the second factor of your two-factor authentication: your Client Certificate. The next time that you log into your Direct account you will be asked to generate your Client Certificate.

If you need to initialize your OTP App device, see Initializing Your OTP App Device.

Depending on which Web browser you use to initialize/generate your Client Certificate, you may need to use that browser to log into the Console.

Windows installs the Client Certificate in its own Certificate Store and can be shared by Chrome and Internet Explorer.
Mac installs the Client Certificate in its own Certificate Store and can be shared by the keychain for Safari and Chrome.
Firefox installs the Client Certificate in its own Certificate Store and can only be accessed by Firefox (Windows or Mac).

For more information about taking care of your Client Certificate, see Managing Your Client Certificate.

How to Generate Your Client Certificate

Log into your DigiCert account.
On the Two-Factor Authentication Client Certificate Initialization page, click Generate Certificate.
When the browser presents your certificates, select your newly generated Client Certificate and click OK.
You should now be logged into your account.

Your certificate should now be installed in the Certificate Store related to the browser that you are currently using. We recommend that you back up your Client Certificate.

(Windows) Backing Up/Exporting Your Client Certificate.
(Mac) Backing Up/Exporting Your Client Certificate.

You will now use two-factor authentication each time you log into your DigiCert account. See Signing In with Your Client Certificate.

Initializing Your OTP App Device

After your administrator has turned on and configured two-factor authentication, you must initialize the second factor of your two-factor authentication: your OTP App Device. The next time you log into your Direct account, you will be asked to initialize your OTP App Device.

If you need to generate your Client Certificate, see Generating Your Client Certificate.

Because our Two-Factor Authentication process implements the Time-based One-Time Password (TOTP) protocol, you must use a Mobile Application that supports the TOTP protocol.

Most OTP Applications (compatible with the TOTP protocol) will work with our process. The following list contains the OTP Applications that we have tested:

Google Authenticator: Android, iPhone, Blackberry
Authy: Android, iPhone
Authenticator: Windows Phone
Duo Mobile: iPhone

How to Initialize Your OTP App Device

Install an OTP App that is compatible with the TOTP protocol on you mobile device.
Log into your DigiCert account.
On the One-Time Password (OTP APP) Device Initialization page, do the following:
1. On your mobile device, open your OTP App.
2. Use your OTP App to scan the QR code.
3. In the Enter code box, type the code that is displayed on you device.
4. Click Submit.
You should now be logged into your account.

Your OTP App device should now be initialized. You will now use two-factor authentication each time you log into your DigiCert account. See Signing In with Your OTP App Device.

Signing In with Your Client Certificate

After you have generated your Client Certificate, you will need to supply your credentials and select that certificate to log into the DigiCert account. You can only log into the Console from a computer on which this certificate is installed.

If you need to sign in with your OTP App Device, see Signing In with Your OTP App Device.

Depending on which Web browser you used to initialize/generate your Client Certificate, you may need to use that browser to log into the Console.

Windows installs the Client Certificate in its own Certificate Store and can be shared by Chrome and Internet Explorer.
Mac installs the Client Certificate in its own Certificate Store and can be shared by the keychain for Safari and Chrome.
Firefox installs the Client Certificate in its own Certificate Store and can only be accessed by Firefox (Windows or Mac).

For more information about taking care of your Client Certificate, see Managing Your Client Certificate.

How to Sign In Using your Client Certificate

Log into your DigiCert account.
On the DigiCert Account Login page, in the Username and Password boxes, type your username and password and then, click LOGIN.

Make sure to log in with a browser that can access your Client Certificate. You should be safe using the browser that you used to initialize/generate the Client Certificate.
When your browser presents your certificates, select the Client Certificate that you generated for logging into your account. This completes the authentication process and logs you into your account.

Signing In with Your OTP App Device

After you have initialized your OTP App device, you will need to supply your account credentials and use the code generated in your OTP App to log into your DigiCert account.

If you need to sign in with your Client Certificate, see Signing In with Your Client Certificate.

How to Sign In Using Your OTP App

Log into your DigiCert account.
On the DigiCert Account Login page, in the Username and Password boxes, type your username and password and then, click LOGIN.
On the Enter Verification Code page, in the Enter code box, type the code displayed in your OTP App.
(Optional) If you want to verify this computer for thirty days, check Remember verification on this computer for 30 days.

Depending on how your OTP authentication requirement was configured, you may be able to remember the verification on this computer. With this option checked, when you log into your DigiCert account from this computer, you are only required to enter your credential for the next thirty days. At the end of thirty days, you are required to enter your verification code again and choose whether to verify this computer for another thirty days.
Click Submit. This completes the authentication process and logs you into your account.

User: Getting Your Client Certificate Reset

If you lose your Client Certificate (lose computer, computer breaks down, or certificate gets deleted from your computer or the Certificate Store), you should immediately contact your administrator to get your certificate reset.

Lost My Client Certificate

Contact your administrator.
After your administrator resets your Client Certificate, you will be sent an email.
Follow the instructions in the email to regenerate your certificate.

User: Getting Your OTP App Device Reset

If you lose your OTP App Device (phone, tablet, iPad, etc.), you should immediately contact your administrator to get your OPT App Device reset. Do not be tempted to wait until you get your new device because you have a trusted computer from which you can log into your DigiCert account. It is important to have your administrator reset your OTP App Device immediately to prevent unauthorized access to your DigiCert account.

Lost My OTP App Device

Contact your administrator.
After your administrator resets your device, you will be sent an email.
Follow the instructions in the email to reset your OTP App Device.

Admin Specific Instructions

Admin: Resetting a User’s Client Certificate

If one of your users loses their Client Certificate (loses computer, computer breaks down, or certificate gets deleted from their computer or the Certificate Store), you can reset their Client Certificate in your Direct account.

How to Reset a Client Certificate

Log into your Direct account as an Admin.
In the Console, in the banner menu, click Settings > Authentication Settings.
On the Two-Factor Authentication page, under Issued Client Certificate, in the Reset column of the user who lost their certificate, click the Reset symbol.
The user is sent an email that contains instructions on how to reset their Client Certificate.

The next time that user logs into their Direct account, they will need to generate a new Client Certificate.

Admin: Resetting a User’s OTP App Device

If one of your users loses their OTP App Device (phone, tablet, iPad, etc.), you can reset their OTP App Device in your Direct account.

How to Reset an OPT App Device

Log into your Direct account as an Admin.
In the Console, in the banner menu, click Settings > Authentication Settings.
On the Two-Factor Authentication page, under One-Time Password (OTP) Device, in the Reset column of the user who lost their device, click the Reset symbol.
The user is sent an email that contains instructions on how to reset their OTP Device.

The next time that user logs into their Direct account, they will need to initialize there OTP App Device.

Admin: Getting Your Client Certificate Reset

If you lose your Client Certificate or the computer on which it is installed, and you do not have another admin who can reset your Client Certificate for you, contact us immediately to get your certificate reset.

Admin: Lost My Client Certificate

Contact DigiCert.

Direct Customers:
Contact your account representative or contact our Sales Team:
sales@digicert.com
Sales Toll Free: 855-800-3444.
After the request is confirmed and your Client Certificate is reset, you will be sent an email.
Follow the instructions on the email to regenerate your Client Certificate.

Admin: Getting Your OTP App Device Reset

If you lose your OTP App Device (phone, tablet, iPad, etc.), and you do not have another admin who can reset your OTP App Device for you, contact us immediately to get your OTP App Device reset.

Admin: Lost My OTP App Device

Contact DigiCert

Direct Customers:
Contact your account representative or contact our Sales Team:
sales@digicert.com
Sales Toll Free: 855-800-3444
After the request is confirmed and your OTP App Device is reset, you will be sent an email.
Follow the instructions on the email to reset your OTP App Device.

Managing Your Client Certificate

After generating a Client Certificate as the second factor for your authentication process, we recommend that you back it up. Once you have backed up (exported) your Client Certificate, you can do the following things with it, if needed:

Import it into other Certificate Stores so that you can use multiple Web browsers to log in to your Direct account.
Transfer it to another computer should you get a new one. Then, you can install it in the necessary Certificate Stores on your new computer.

For instructions about how to verify Client Certificate installation, back up/export your Client Certificate, and import your Client Certificate. See Managing Your Client Certificates.

Direct Cert Portal: Two-Factor Authentication