Enabling SSL on your IIS 4.0 Web server
Increasing numbers of companies are setting up Web servers on the Internet to provide information about themselves or their products. It’s becoming more common to have some type of e-commerce functionality for purchasing goods or services, or to grant access to sensitive information that should be encrypted as it crosses the Internet and the intranet. This is where SSL (Secure Socket Layer) comes into the picture. By using a special file from a CA (certificate authority), encrypted communications can be set up between browsers and the Web server. This article will take you through the steps required to enable SSL on Microsoft’s IIS 4.0 Web server.
Where to get the certificate
The main three certificate authorities are Verisign , Thawte Consulting , and Cybertrust , a GTE Company. Other CA’s exist, but you must verify whether their certificates are supported by the browsers you intend to support and whether users have to install a certificate or other service so they can establish an SSL connection to your Web site. Part of the process of securing an SSL certificate for your Web site is to decide the level of encryption you need (basic encryption, 128 bit, and so forth). You must also determine if you need any additional services with the certificate (e.g. performance measurement of the Web site from multiple cities), and the type of certificate that you want. You can expect the cost to range from $125 for one year with Thawte Consulting to around $1,300 from Verisign for a certificate that can support all of the known browsers.
If you have multiple servers, you’ll have to decide whether to purchase an SSL certificate for each server, or to buy a certificate for one server and redirect all SSL traffic to that server. Although it’s cheaper to have just one certificate, you’ll expose your company to a single point of failure if the server the certificate resides on is down or overloaded with requests. If your company provides Web hosting services, it may be possible to use just one SSL certificate. If your site needs SSL functionality and you’re planning to have a different company host it, you will probably have to obtain a certificate. If your current Web hosting company uses IIS for Web hosting services and your next company uses Apache, you will have to get a new certificate for the new platform that your site will be driven on.
Getting an SSL certificate for your Web site isn’t something that should be done at the last minute. Depending on the CA that you go through and the level of encryption/service that you want, the time to get a certificate could take somewhere from a couple of hours to a week. The length of time will depend on the amount of background checking the CA must do to confirm you and your company’s identities to ensure that you are who you say you are.
Starting the certificate process
The first step is generating a certificate signing request (CSR). This will create a text file that, in most cases, you’ll cut and paste into a form on the CA’s Web site so they can generate a SSL certificate for you. You begin your journey by starting the Internet Service Manager (non-HTML version). This will bring up the Microsoft Management Console (MMC).
Once the splash screen disappears, right-click the Web site name and click Properties. When the Web site properties sheet appears, right click the Web site you want to add the certificate to. Select the Directory Security tab and look for the box labeled Secure Communications. Select the Key Manager tab to start the file creation process. When the Key Manager window appears, select the service you want to install SSL for. Click WWW. When it’s highlighted, right-click WWW. Select Create New Key and the Create New Key wizard will guide you through the process of creating a certificate request.
Unless you’re going to be your own certificate authority (normally only a good idea if you are looking for SSL services on a corporate intranet), step through the wizard to create a text file. You’ll either e-mail or cut and paste this file into the Web site for the CA you’ll use.
When the wizard first appears, the default location and filename is c:\NewKeyRq.txt. Unless you must change the location of this file, click Next to continue. The next screen will ask you to supply a name for the key. Provide a name for the key request and the password you want to use to control the installation of the SSL certificate. The next window prompts you for information to help differentiate this certificate from others you have and from others on the Internet. In the next window, provide the country, state, and city where you are located. Supply your name, e-mail address, and telephone number in the final window so the CA can contact you if there are any problems processing your request. Click Finish to end the Create New Key wizard. You should see a key entry below the WWW label in the Key Manager window.
Depending on the CA you use, you can either have the file mailed to you or you can cut and paste the file onto your local hard disk. Once the file is in your possession, right-click the key name in Key Manager and select Install Key Certificate. Using Windows Explorer, browse the directory structure until you find the file, then click OK to install the file. Once the SSL certificate is installed, you should see additional information that details when the certificate expires, who it belongs to, and so forth.
This article has walked you through the process of setting up your Web server to handle SSL communications. Make sure you keep both the certificate request and the license file you received from the CA in case you have to replace the files in the event of corruption or if you have to reinstall your Web server. Good luck setting this up and may all your sensitive information be encrypted!
The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.