HOW TO: Configure SSL in a Windows 2000 IIS 5.0 Test Environment by Using Certificate Server 2.0
http://support.microsoft.com/default.aspx?scid=kb;en-us;290625




This article was previously published under Q290625


IN THIS TASK

     SUMMARY
          o Create a Certificate Request
          o Submit a Certificate Request
          o Issue a Certificate
          o Download a Certificate
          o Install the Certificate
          o Configure and Test the Certificate
          o Appendix A: How to Change Certificate Issuing Policies
          o Appendix B: Install a Root Certification Authority Certificate in the Trusted Root Certification
            Authority List in Internet Explorer 5.x
     REFERENCES


SUMMARY
This step-by-step article describes how to set up Secure Sockets Layer (SSL) in a Windows 2000 Internet Information
Services (IIS) 5.0 development lab environment. Microsoft Certificate Server 2.0 can create many different certificates;
this article only covers creation of a standard Web certificate.


Create a Certificate Request
To create a Web server certificate, follow these steps:

     1.    Open the Internet Service Manager Microsoft Management Console (MMC). To do this, click Start, point to
           Programs, point to Administrative Tools, and then click Internet Service Manager.
     2.    Double-click the server name so that you see all the Web sites.
     3.    Right-click the Web site where you want to install the certificate, and then click Properties.
     4.    Click the Directory Security tab.

         You see three security methods. The one you will use to create a certificate request is Secure
         Communications.
     5. Click Server Certificate. The Certificate Wizard starts. Click Next to continue.
     6. Select Create a new certificate, and then click Next.
     7. Select Prepare the request now, but send it later, and then click Next.
     8. Type a name for your certificate, and then select a bit length. Unless it is needed for your lab, do not select the
         SGC Certificate check box. (For more information about SGC certificates, see the note at the end of this
         section.) Click Next to continue.
     9. Type your organization name and the organizational unit (for example, company name and development
         department). Click Next.
     10. For Common Name, type either the fully qualified domain name (FQDN) or the server name. If you are
         creating a certificate that will be used over the Internet, it is better to use an FQDN. Click Next.
     11. Type your location information, and then click Next.
     12. Type the path and file name where you want to save the certificate information, and then click Next.

         NOTE: If you type anything other than the default location and file name, make sure to note the name and
         location you select, because you must access this file in later steps.
     13. Verify the information that you have typed, and then click Next to complete the process and create the
         certificate request.
     14. In the Completing the Web Server Certificate Wizard dialog box, click Finish.
     15. Click OK to close the Web site properties.

NOTE: Server Gated Cryptography (SGC) certificates are used most frequently by financial institutions that require
high-encryption connections even when connecting with international users or browsers that are limited to 40-bit
encryption. When connecting to an international browser (40-bit), an SGC certificate creates a 128-bit tunnel to allow
128-bit encryption strength. When the secured connection or session ends, the intermediate certificate tunnel is closed.

Also, the SGC certificate is strictly domain-specific. Typically, if the domain name of a certificate does not match the
domain of the Web site, you receive a warning stating this fact and you can choose to continue or not. An SGC certificate
does not give you a warning or offer choices. The connection is unsuccessful, but you do not receive an explanation.


Submit a Certificate Request
To submit a certificate request, follow these steps:

     1.   Open a browser, and then open http://YourWebServerName/certsrv/.
     2.   Select Request a Certificate, and then click Next.
     3.   Select Advanced Request, and then click Next.
     4.   Select the center option, Submit a Certificate Request using a Base64, and then click Next.
     5.   In Notepad, open the request document that you created in the first procedure section, "Create a Certificate
          Request".
     6.   Copy the contents of the document.

          The contents look similar to the following:

          -----BEGIN NEW CERTIFICATE REQUEST-----
          [Base64-encoded request body]
          -----END NEW CERTIFICATE REQUEST-----



           NOTE: If you save the document with the default name and location, it is located at C:\Certreq.txt.

           NOTE: Make sure that you copy all the content just as shown here.

     7.   Paste the contents of the document in the Base64 Encoded Certificate Request text box of the Web form.
          Click Submit.
     8.   If Certificate Server is set to Always Issue the Certificate, you are immediately directed to the Certificate
          Issued page. The address bar reads:

            http://YourWebServerName/certsrv/certfnsh.asp

          On this page, you can download the Web server certificate immediately. To do so, follow these steps on the
          Certificate Issued page:

               1. Click the top link, Download Certification Authority Certificate (do not click Download
                  Certification Authority Certificate path).
               2. When you are prompted, select Save this file to disk and save the certificate to your desktop or
                  another location that you will remember.
               3. Now, go straight to the "Install the Certificate" section.
     9.   If Certificate Server is set to Set the certificate request status to pending, you will receive the following
          "Certificate Pending" message:

            Certificate Pending.

            Your certificate request has been received. However, you must wait for an administrator to issue the
            certificate you requested.

            Please return to this web site in a day or two to retrieve your certificate.

            Note: You must return with this web browser within 10 days to retrieve your certificate.



           To continue, move on to the "Issue a Certificate" section.

NOTE: For more information about configuring certificate issuing policies, see Appendix A.


Issue a Certificate
To issue (that is, authorize) a certificate in Certificate Server, follow these steps:

     1.    Open the certification authority Microsoft Management Console (MMC) snap-in. To do this, click Start, point
           to Programs, point to Administrative Tools, and then click Certification Authority.
     2.    Expand Certification Authority.
     3.    Click the Pending Requests folder. Your pending certificate requests appear in the right pane.
     4.    Right-click the pending certificate request (that is, the request that you submitted in the "Submit a
           Certificate Request" section), select All Tasks, and then click Issue.

           NOTE: After you select Issue, the certificate is no longer displayed in this folder. It now resides in the
           Issued Certificates folder.

           NOTE: For more information about configuring certificate issuing policies, see Appendix A.


Download a Certificate
After you have issued and authorized the certificate, you can return to the Certificate Server Web interface to select and
download the certificate:

     1.    Open http://YourWebServerName/certsrv/.

           NOTE: You must use lowercase letters when you type certsrv. If you do not, you cannot see pending requests.

     2.    On the default page, select Check on a pending certificate, and then click Next.

           NOTE: If you select Retrieve the certification authority certificate or certificate revocation list from the
           default Welcome page, you will download the root certification authority certificate and not the Web server
           certificate. If you try to install a root certification authority certificate to a Web site, you will receive the
           following error message:

                  Selected certificate was already installed to another server. Please, choose another response file.

     3.    Select your pending certificate, and then click Next to open the download page.
     4.    On the download page, click the top hyperlink, Download Certification Authority Certificate (do not click
           Download Certification Authority Certificate path).
     5.    When you are prompted, select Save this file to disk and save the certificate to your desktop or another
           location that you will remember.

You have issued and downloaded your certificate.

The next step is to install the certificate and set up an SSL-encrypted Web site.


Install the Certificate
There are several ways to install and set up an SSL certificate: for example, you can double-click the certificate and use
the Certificate Installation Wizard to preinstall the certificate, then bind it to the site. This article describes how to install
the certificate by using the Internet Service Manager MMC through the Web Server Certificate Wizard.

To install a certificate in Certificate Server, follow these steps:

     1.    Open the Internet Services Manager, and then expand the server name so that you can view the Web sites.
     2.    Right-click the Web site that you created the certificate request for, and then click Properties.
     3.    Click the Directory Security tab. Under Secure Communications, click Server Certificate.

           This opens the Certificate Installation Wizard. Click Next to continue.
     4.    Select Process the pending request and install the certificate, and then click Next.
     5.    Type the location of the certificate that you downloaded in the "Download a Certificate" section, and then click
           Next.
     6.    When the Wizard displays the certificate summary, verify that the information is correct, and then click Next
           to continue.
     7.    Click Finish to complete the process.


Configure and Test the Certificate
To configure and test the certificate, follow these steps:

     1.    On the Directory Security tab, under Secure Communications, note that you now have three available
           options. To set the Web site to require secure connections, click Edit. The Secure Communications dialog
           box appears.
     2.    Select Require Secure Channel (SSL), and then click OK.
     3.    Click Apply and then OK to close the Properties window.
     4.    Locate the site and verify that it works:
                1.   Access the site through http by typing http://localhost/Postinfo.html in the browser. You
                     receive an error message that resembles the following:

                            HTTP 403.4 - Forbidden: SSL required.

                2.   Try to access the same Web page with a secured connection (https) by typing
                     https://localhost/postinfo.html in the browser.

                     NOTE: The Postinfo.html page is a standard HTML page that is found in the root of the default Web site.

                  3.   If you receive a security message that states that the certificate is not from a trusted root certification
                       authority, click Yes to continue to the Web page.

                       NOTE: To learn how to add your root certification authority to the Trusted Root Certification
                       Authorities list in your browser, see Appendix B.

If you can view the page, you have successfully installed your certificate.
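A client-side check of the same two results, as an added example that is not part of the Knowledge Base article: it expects the clear-text request to be refused with 403.4 and validates the certificate that the HTTPS side presents against the host name and the lab root CA. The host name, the PEM copy of the root CA certificate and the CA's common name are assumed inputs.

```python
"""Client-side check of the setup above: clear-text HTTP must be refused with
403.4 and HTTPS must present a certificate that names the host and was issued
by the lab root CA. Added example, not part of the Knowledge Base article."""
import http.client
import socket
import ssl
from datetime import datetime, timezone

# Time format returned by ssl getpeercert(), e.g. "Aug 27 00:00:00 2011 GMT".
ASN1_TIME = "%b %d %H:%M:%S %Y %Z"


def http_is_ssl_required(status, body):
    """True when IIS rejected the clear-text request with 403.4 (SSL required)."""
    return status == 403 and "403.4" in body


def cert_names(cert):
    """DNS names a getpeercert() dict vouches for: SAN dNSName entries plus the
    subject CN, which is the value typed as Common Name in the wizard."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    names.update(v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName")
    return names


def parse_time(text):
    return datetime.strptime(text, ASN1_TIME).replace(tzinfo=timezone.utc)


def check_peer_cert(cert, host, ca_cn, now=None):
    """Return a list of findings; an empty list means the certificate passes.
    cert: dict from ssl.SSLSocket.getpeercert(); host: the name typed in the
    URL; ca_cn: CN of the lab root CA; now: ASN1_TIME string (default: now)."""
    at = parse_time(now) if now else datetime.now(timezone.utc)
    findings = []
    if host.lower() not in cert_names(cert):
        findings.append(f"name mismatch: {host!r} not in {sorted(cert_names(cert))}")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("commonName") != ca_cn:
        findings.append(f"issued by {issuer.get('commonName')!r}, expected {ca_cn!r}")
    if not parse_time(cert["notBefore"]) <= at <= parse_time(cert["notAfter"]):
        findings.append(f"outside validity {cert['notBefore']} .. {cert['notAfter']}")
    return findings


def live_check(host, ca_pem, ca_cn, path="/Postinfo.html"):
    """Run both checks against a real server. ca_pem is the root CA certificate
    from Appendix B, assumed converted from the downloaded .cer (DER) to PEM."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", "replace")
    ok = http_is_ssl_required(resp.status, body)
    print("http :", "SSL required (403.4)" if ok else f"unexpected status {resp.status}")
    ctx = ssl.create_default_context(cafile=ca_pem)  # trust only the lab root CA
    try:
        with ctx.wrap_socket(socket.create_connection((host, 443), timeout=10),
                             server_hostname=host) as tls:
            findings = check_peer_cert(tls.getpeercert(), host, ca_cn)
    except ssl.SSLCertVerificationError as err:  # the browser's "not trusted" warning
        findings = [f"chain not trusted: {err.verify_message}"]
    print("https:", "certificate OK" if not findings else "; ".join(findings))
    return findings
```

Call `live_check("webserver.lab.test", "rootca.pem", "Lab Root CA")` with your own values; against an actual Windows 2000 host you would also have to lower `ctx.minimum_version`, because IIS 5.0 speaks at most TLS 1.0, which a current OpenSSL build may refuse by default.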


Appendix A: How to Change Certificate Issuing Policies
You can select whether you want to issue a certificate upon request (no authorization) or whether you want all requests to
be submitted for pre-authorization through the certification authority MMC snap-in. To do this, follow these steps:

     1.    Open the Certification Authority tool. To do this, click Start, point to Programs, point to Administrative
           Tools, and then click Certification Authority.
     2.    Right-click your certification authority name, and then click Properties.
     3.    In the Properties window, click the Policy Module tab, and then click Configure.
     4.    On the Default Action tab, select either of the following:
                  o Set the certificate request status to pending: The administrator must explicitly issue the
                       certificate.
                  o Always issue the certificate: This issues the certificate immediately, with no authorization
                       required.

            NOTE: If a certificate is recognized on the network, select the second option.


Appendix B: Install a Root Certification Authority Certificate in the Trusted Root Certification Authority
List in Internet Explorer 5.x
You can deliver the root certification authority certificate to the Web site users in several ways. One way is to e-mail it
and have the users install it from the e-mail. Another way is to include a download page on your Web site with a link to
the certificate. A corporate-wide solution is to use the Internet Explorer Administration Kit (IEAK) to push a custom
Internet Explorer browser with the root certification authority certificate already installed into the Trusted Root
Certification Authorities list. However you make the certificate available, one thing stays the same: the way you install
the certificate in the Trusted Root Certification Authorities list in Internet Explorer, as this appendix demonstrates.

NOTE: The certificate that must be installed for Internet Explorer to trust your site certificate is not the certificate
that you just created but instead the root certification authority certificate, which was created when you installed
Certificate Server.

For the purposes of this document, download the certificate by using the Certificate Server Web interface, which is
located at http://<YourServerName>/certsrv/. After you have arrived at the Welcome page, select Retrieve the
certification authority certificate or certificate revocation list, and then click Next.

You now have two choices:


          o Install this certification authority certification path. If you are installing the root certification authority
            certificate into the browser that you are currently connected with, click the Install this certification authority
            certification path link, and the root certification authority certificate is automatically installed in the Trusted
            Root Certification Authorities list in your Internet Explorer browser.

            After the installation is complete, you receive a confirmation page.

            -or-

          o Download certification authority certificate. If you must install the root certification authority certificate in
            the root certification authorities list in any other Internet Explorer browser, you can download it and install it
            as follows:
                   1.   Click Download certification authority certificate.
                   2.   Select Save the file to disk.
                   3.   Access the location where you saved the root certification authority certificate, and then double-
                        click the certificate to open the Properties window for that certificate.
                   4.   Click Install Certificate to start the Certificate Import Wizard. Click Next to continue.
                   5.   Select Place all certificates in the following store.
                   6.   Click Browse, select Trusted Root Certification Authorities, and then click Next.
                   7.   Verify the settings, and then click Finish.

                        You receive the following message:

                            The import was successful.

                   8.   Click OK to dismiss this message, and then click OK to close the Properties window.

           To see if you receive the trusted root certification authority warning again, close and reopen your browser, and
           then open the following Web site:

           https://<MySecureWebsite>/Postinfo.html

           NOTE: The Postinfo.html page is a standard HTML page that is found in the root of the default Web site.

           If you can open this site, you have successfully added your root certification authority to the Trusted Root
           Certification Authorities list in your Internet Explorer browser.

REFERENCES
 For additional information about using certificates with IIS 5.0, click the article numbers below to view the articles in the
 Microsoft Knowledge Base:

 232136 HOW TO: Back Up a Server Certificate in Internet Information Services 5.0

 Summary: When you use IIS 5.0, you may want to back up your server certificates. Windows 2000 makes this process
 easy with the new Certificates snap-in.

 232137 How to Import a Server Certificate for Use in Internet Information Services 5.0

 Summary: When you use IIS version 5.0, you may want to restore a server certificate (for example, if you are migrating
 one Web site to another server in a Web farm). This task is very easy to do with the Web Site Certificate Wizard and the
 Certificate Manager Import Wizard that is included with Windows 2000 and IIS 5.0.

 248107 Creating Server Certificates Using Certificate Services Web Forms

 Summary: When you enable secure communications such as SSL and Transport Layer Security (TLS) on an IIS 5.0
 computer, you must first obtain a server certificate. The integration of certificates in Windows 2000 and the new
 additions to IIS 5.0 provide several ways to obtain a server certificate.

 227888 Importing a Key Backup File to Use in Internet Information Services 5.0

 Summary: After you install IIS 5.0, you may want to import a backup key file from an older version of Internet
 Information Server (IIS). When you do this, you can use the SSL capabilities on your new server (and replace the old
 one).

 201255 HOW TO: Enable SGC on Internet Information Server

 Summary: This article describes how to request and enable Server Gated Cryptography (SGC) on a computer that is
 running Internet Information Server (IIS).

 295298 INFO: IIS 5: What Does Check on Pending Requests Do?

 Summary: This article briefly describes what occurs when a certificate request is submitted to Certificate Services 2.0
 through the Certificate Services Web pages and what occurs when you view your pending request on the Certificate
 Services Web pages.

 323470 How To: Create a Secure WebDAV Publishing Directory

Summary: This step-by-step article describes how to create a secure Web Distributed Authoring and Versioning
(WebDAV) publishing directory.

313071 HOW TO: Configure Certificate Trust Lists in Internet Information Services 5.0

Summary: This step-by-step article describes how to create and configure Certificate Trust Lists (CTLs) by using the
Certificate Trust List Wizard in IIS version 5.0.

				