Login with WWPass

Begin by registering at the WWPass Developer's site. You can use your WWPass PassKey to register or provide a valid email address. Once you have registered with WWPass, you will receive a validation e-mail containing a link to activate your new account.

Step One: Domain name validation

Your web site/service will be known to WWPass as a Service Provider. Your Service Provider name is the domain name for your site (e.g. www.example.com). To begin, the Service Provider name needs to be validated.

To validate your Service Provider, use your account and click "Add new service provider". Enter a domain name, such as www.example.com, and click "Add".

A text file with unique content will be presented. This file needs to be placed in the root directory of your web site. You can download the file or copy the text to a file with the name specified. The file name and content should not be changed. This file should be accessible through a URL such as:

http://www.example.com/cc0ea038e0dc5645a0f9ed0482dc61dd.txt

You can verify that this file is accessible from your web browser before pressing the Validate button. Click the “Validate” button. If the text file is properly placed, your Service Provider listed on your account page will indicate “Validated” and a Service Provider ID will be assigned. This is the ID that identifies your web service to WWPass.

Once validated, you can delete the text file from your Website.

Step Two: Generating the key pair

Your web site has to authenticate itself with WWPass. This requires the generation of a private key and certificate request. This begins the process of obtaining an SSL certificate. The key pair is best generated on the system hosting your web site.

Keys can be generated using OpenSSL.

Instructions for POSIX (Linux, OS X and BSD systems) and Windows using OpenSSL


OpenSSL is installed on Linux, OS X and BSD operating systems. You can download the precompiled Windows binary and Windows Installer for OpenSSL from http://www.slproweb.com/products/Win32OpenSSL.html.

If you use OpenSSL on Windows, enter the following command in a command prompt before the first call to OpenSSL:

set OPENSSL_CONF=c:\[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg

To generate the key and certificate request:


Open a command prompt and enter the following using your Service Provider name. Please note that this is a single command line that is displayed using multiple lines.

openssl req -new -newkey rsa:4096 -nodes -subj 
"/O=<Your Service Provider name>" 
-keyout <Your Service Provider name>.key 
-out <Your Service Provider name>.req

Or to generate an encrypted key and certificate request:


To ensure that your private key can be safely transferred to or from your web server, this command will create an encrypted key. Please note that SSH access to your web server is required to decrypt the key once you have uploaded the files to your server.

Open a command prompt and enter the following using your Service Provider name. Please note that this is a single command line that is displayed using multiple lines.

openssl req -new -newkey rsa:4096 -subj 
"/O=<Your Service Provider name>" 
-keyout <Your Service Provider name>.key 
-out <Your Service Provider name>.req

You'll be asked for a passphrase to encrypt your private key.

Transmit the resulting .key file to your web server.

Open a command prompt on your web server and enter the following to decrypt:

openssl rsa -in <Your Service Provider name>.key 
-out <Your Service Provider name>.key

You'll be asked for the passphrase used to encrypt the private key.

Instructions for ASP.NET


ASP.NET applications running on a Windows server require that certificates be stored in a certificate store. To facilitate key generation and deployment, two PowerShell scripts are provided for your convenience: the Request Generation script and the Certificate Installation script. Download these scripts to your Windows Server.

Open PowerShell on the Windows Server machine as Administrator and enter the following command to enable execution of signed scripts:

Set-ExecutionPolicy AllSigned

Generate the certificates by executing the Request Generation script using your Service Provider name and Service Provider ID. When prompted, answer with “A” to always trust WWPass scripts, or “R” to trust the script once.

.\certreq.ps1 -SPID '<Your Service Provider ID>' -SPName '<Your Service Provider name>'

Your private key and certificate request, with your public key information, are now available for use. WWPass needs to be made aware of your certificate. On your account page, locate the Service Provider and click “Add Certificate Request”. Upload the certificate request (.req file) or paste the content of the file and click “Send”.

Step Three: Getting the certificate

On your account page, click on your Service Provider name and then click “Issue Certificate” next to the new certificate request. Download the certificate or copy and paste the certificate content to a file as specified below.

Instructions for POSIX (Linux, OS X and BSD systems) and Windows using OpenSSL


Put the certificate and private key on the web server in a folder that is not accessible from the web (/etc/ssl/certs is an example of such a folder on POSIX systems). Set the access rights so that the web server process has Read rights for your private key and certificate. No other user should have any rights to access the file with your private key.
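The placement and access rules above can be checked after installation. The shell function below is an added example, not part of the WWPass instructions; the name audit_key_install and its return codes are assumptions, and the web server account and document root are passed as arguments because they differ between systems.

```shell
#!/bin/sh
# Added example: audit where and how the private key is installed.
# audit_key_install is a hypothetical helper, not a WWPass tool.
#
# usage: audit_key_install <key-file> <web-server-user> <document-root>
# returns 0 = OK, 1 = not a regular file, 2 = inside the document root,
#         3 = wrong owner, 4 = group/other have rights or owner cannot read
audit_key_install() {
    key=$1; user=$2; docroot=$3

    # A symlink is rejected so that the audited file is the key itself.
    [ -f "$key" ] && [ ! -L "$key" ] || return 1

    # Resolve both directories so symlinks and ".." cannot hide a key
    # that sits under the web-accessible tree.
    keydir=$(cd "$(dirname "$key")" && pwd -P) || return 1
    root=$(cd "$docroot" && pwd -P) || return 1
    case "$keydir/" in
        "$root"/*) return 2 ;;
    esac

    # ls -ld prints: mode links owner group ...
    mode=$(ls -ld "$key" | awk '{print $1}')
    owner=$(ls -ld "$key" | awk '{print $3}')
    [ "$owner" = "$user" ] || return 3

    # Regular file, owner may read, nothing at all for group or other.
    case $mode in
        -r??------*) return 0 ;;
        *)           return 4 ;;
    esac
}
```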

When your web service connects to WWPass, the WWPass server will present an SSL certificate signed by WWPass. For your web service to verify the validity of the WWPass front end, it will need the WWPass CA certificate. Download it and put it in the same location as your certificate. Later you will provide the path to this CA certificate to the code that handles the connection to WWPass.

Instructions for ASP.NET


Put the certificate generated in Step 2 onto your web server. Using PowerShell, run the second script (Certificate Installation script):

.\install.ps1 -CertFile '<Your Service Provider name>'

This script will install your certificate and the WWPass CA certificate. When your web service connects to WWPass, the WWPass server will present an SSL certificate signed by WWPass. This allows your web service to verify the validity of the WWPass front end.

Your Service Provider is now registered with WWPass and all the necessary credentials have been installed. All that is left is to implement the WWPass login logic within your web site.