The most popular version of Microsoft's Web server offering is Internet Information Server (IIS) 5, which is included with Windows 2000 and Windows XP. IIS is used for many types of Web sites, from massive e-commerce stores to simple home pages.
A common task for an IIS administrator is to enable secure sockets layer (SSL). Most people are familiar with this by now through e-commerce experiences. It's the encryption process that allows a user's communication with the Web server to be secured so that others cannot intercept and decipher any of the data being transferred. Let's discuss how you can configure IIS to provide SSL connections. I'll show you how to request an SSL certificate, install it on the Web server, configure IIS to allow SSL connections, and test it out.
Requesting and installing an SSL certificate
Before you can enable SSL, your server must have a server certificate installed on it. Typically, this is done through a public certification authority such as Verisign. IIS provides a wizard to walk you through the steps. The first step in the process is to generate a request for a certificate through the IIS management console.
You can find the Internet Services management console by navigating to Control Panel | Administrative Tools | Internet Services Manager. The IIS console is shown in Figure A.
|Internet Services Manager|
You should see your Web server, with all of the Web sites on your server beneath it. By right-clicking on the server name, you can edit properties for the entire server. Or you can right-click on an individual Web site to configure just that site.
Right-click on your site and choose Properties, select the Directory Security tab, and click the Server Certificate button. This starts the Certificate Installation Wizard (Figure B).
|Certificate Installation Wizard|
Go through the wizard, complete the forms, and then save the request to a file. Then, point your Web browser to your chosen certificate authority's Web site. For my example, I'll use Verisign to request a trial server certificate.
While entering the information for your request, you'll need to provide the certificate request key generated by IIS. Open the request file in a text editor like Notepad, copy the text of the request, and paste it into the specified field on the Verisign Web site.
Once you complete the request forms, you'll be sent a public key from Verisign via e-mail. Copy the key from the e-mail and return to the Directory Security tab in the IIS console. Click on Server Certificate, and you'll be able to complete the request by pasting the response key from Verisign into the Certificate Installation Wizard. Once you complete the request, the certificate is installed and made available by IIS. You can confirm this by going to the Directory Security IIS tab and clicking View Certificate, which should provide details on your new certificate (as shown in Figure C).
|Viewing the certificate|
Right-click on the Default Web Site entry in the Internet Services management console to Navigate to the Web Site tab in the site properties. You'll then be able to edit the SSL port that the site uses because your certificate is installed (Figure D). The default port for SSL is 443, and I strongly recommend that you keep that port number.
|From here, you can change the SSL port.|
Configuring SSL options
To require that SSL be used to access all or part of your site, click on the desired site or directory in the IIS console and choose Properties. Go to the Directory Security tab and choose Edit in the Server Certificate section. Some available options require that SSL be used to connect to that resource, and you can choose whether to require 128-bit encryption.
Once you've configured this section, users will be able to use that site (or part of a site if you configured a specific site subdirectory) only by using SSL. That means they must use https:// instead of http:// when connecting to that directory or site. Once the user establishes an https connection, all data transferred between the user and your Web server will be encrypted.
You can test out an SSL connection by pointing your Web browser to https://yourservername/. The IIS default page should load as usual, but this time a small padlock icon will be displayed in the bottom of your browser. If you view the properties for the Web page, you should see a message that says something like:
Connection: SSL 3.0, RC4 with 128 bit encryption (High); RSA with 1024 bit exchange
If you view the certificate details, you should see the information that you used in your certificate request. Web users can then communicate securely with your server via an encrypted SSL connection.
An important side note is that SSL alone doesn't guarantee security on the Web—it merely makes it extremely difficult for a third party to intercept the data being sent between the server and the user. The process of ensuring the security of the Web server itself requires the implementation of additional procedures, which are beyond the scope of this article.
SSL is an important aspect of modern Internet and Web site usage and design. If you run an e-commerce site or supply confidential data to users, you need to use SSL to help ensure security. IIS makes it very easy to request, install, and use SSL. The steps I've outlined above should help you get SSL running on your own IIS Web server more quickly.