Enabling validation of the MYDIGIPASS.COM SSL certificate

The MYDIGIPASS.COM service is only accessible over HTTPS. In addition to providing encryption of data in transit, HTTPS allows the identification of servers by means of digital certificates. The identification of a server is done by validating the presented SSL server certificate.
When validating an SSL certificate, one typically checks that:

  • The certificate is still valid: the current time lies between its start date (notBefore) and its end date (notAfter).
  • The certificate has been signed by a trusted Certificate Authority, i.e. it chains to a CA certificate in the trust store being used.
  • The name on the certificate (its subject or one of its subjectAltName entries) is the name of the server to which the connection is being made.

By default, Drupal does not perform validation of SSL certificates when making connections to external web services. Without validation, anyone who can intercept the connection can present a forged certificate and read or modify the traffic (a man-in-the-middle attack): the site still gets an encrypted channel, but has no assurance that the other end is MYDIGIPASS.COM.

The mydigipass module allows Drupal site administrators to enforce the validation of the MYDIGIPASS.COM SSL certificate. When this setting is enabled, the mydigipass module will only communicate with a server if it can positively validate the remote server as being the MYDIGIPASS.COM server.

The certificate validation can be performed in two ways:

  1. Either the module uses the root CA certificates found in the trusted CA store of the operating system: this requires a PHP application server that is configured so PHP can read that store.
  2. Or the Drupal site administrator uploads a PEM file to the Drupal site, which is then used to validate the certificate. A PEM file is a text file containing one or more base64 `-----BEGIN CERTIFICATE-----` blocks; the file extension does not matter, which is why the GoDaddy file used below ends in .crt.

When using the mydigipass module on a server that you own, you typically have the choice between the two options. On rented hosting you will often have to use the second option, because you cannot change the server's PHP configuration.
Note that the second option is also the stricter configuration: the server certificate is validated only against the root CA that signed the MYDIGIPASS.COM certificate, not against every CA in the operating system store. The flip side is that the uploaded file must be kept current: if MYDIGIPASS.COM moves to a certificate issued under a different root, or that root expires, connections will fail until you upload the new root.

Configuring SSL certificate validation

Option 1: the PHP application has access to the operating system CA store

  1. Log in to your site as Site Administrator and go to the mydigipass module admin page.
  2. Click the "Security settings" tab.
  3. Select "Enable server certificate validation."
  4. Ensure that the "Location of Certificate Authority file" textfield is empty.
  5. Click "Save configuration".

The module automatically checks whether the MYDIGIPASS.COM certificate can be validated with the operating system CA store. If it cannot, an error is displayed.
If this error is displayed, PHP on your server cannot reach a trust store containing the GoDaddy root, and you have to use option 2 and upload a PEM file to allow the module to perform the certificate validation.

Option 2: upload a PEM file

The certificates of MYDIGIPASS.COM are signed by the GoDaddy Certificate Authority (see https://www.godaddy.com/). To let the module check that the certificate presented by MYDIGIPASS.COM is really signed by GoDaddy, you upload a file containing the GoDaddy root certificate.
Follow these steps to upload the GoDaddy certificates and to enable strict SSL certificate validation:

  1. Download the latest GoDaddy Authority Certificates Repository from https://certs.godaddy.com/anonymous/repository.pki . The file you need is gd-class2-root.crt.
  2. Save the gd-class2-root.crt file somewhere on your webserver, for example in sites/all/libraries/. The file must be readable by the web server user, but should not be writable by it: an attacker who can replace the CA file can make the module trust a certificate of their choosing, which defeats the validation.
  3. Log in to your site as Site Administrator and go to the mydigipass module admin page.
  4. Click the "Security settings" tab.
  5. Select "Enable server certificate validation." and enter the path to the CRT file you just downloaded. If you saved the file in sites/all/libraries/ then you should enter sites/all/libraries/gd-class2-root.crt as the location of the Certificate Authority file.
  6. Click "Save configuration".