Lock IT Down: Implementing Secure Socket Layer

Benefits of Secure Socket Layer implementation

Security on the Web is a growing concern. The last thing you want when you design a Web site is to have third parties sneaking a peek at what you’re doing. Fortunately, you can implement Secure Socket Layer (SSL) to increase security on your Web site. In this Daily Drill Down, I’ll look at secure communication over the Internet using SSL.

Why you need SSL
Microsoft Internet Information Server 4.0 (IIS) supports the industry-standard SSL 2.0 and 3.0 protocols for secure communications. SSL negotiates a secure link between your Web server and your client’s Web browser. Therefore, it should be used on any IIS Web server that passes confidential information and/or requires logon information.

SSL will encrypt all data—including logon usernames and passwords—so that communications cannot be intercepted and misused by unauthorized parties. Clients accessing an SSL-enabled Web server will notice a “lock” icon near the bottom of their browser, indicating that their session is secure.

To use SSL on your IIS Web server, you must obtain and install a valid server certificate. Digital certificates contain information about your organization’s identity and must be trusted by your clients, since the server certificate also contains a public key used to initiate secure transactions with your clients. You can generate your own server certificate using Microsoft Certificate Server (which is part of the Windows NT Option Pack), but your clients may be hesitant to trust certificates created by unknown authorities.

Optionally, you may obtain an endorsed certificate from a mutually trusted, third-party organization known as a certification authority (CA). A CA’s primary responsibility is confirming the identity of organizations requesting a certificate before issuing a valid server certificate. For the latest list of certification authorities supporting Internet Information Services, visit the Microsoft Security Partners Program Web site. In the By Category list, select Certification Authority Services. You can also enroll for SSL certificates, for testing purposes only, at the Microsoft Interop Test Certificate Authorities site.

There are four main steps to enabling SSL on an IIS Web server:
  • Generating a key pair file and a request file
  • Submitting the request file to a CA
  • Installing the issued server certificate on the IIS Web server
  • Activating SSL on WWW resources

Let’s take a quick look at these four steps.

Generating a key pair file and a request file
There are several steps to generating a key pair file and a request file. First, open the Internet Service Manager (ISM). This utility installs with Windows NT Option Pack as an IIS plug-in for Microsoft Management Console (MMC) and can be accessed through Start | Programs | Windows NT 4.0 Option Pack | Microsoft Internet Information Server | Internet Service Manager.

Once you are in the ISM, expand the Internet Information Server folder by clicking the plus sign (+), and then expand your server’s folder by clicking the plus sign next to your server’s name. Right-click on the Default Web Site and choose Properties. This will open the Default Web Site Properties sheet, as shown in Figure A. Choose the Directory Security tab and click the Key Manager button.

Figure A
You must go to the Default Web Site Properties sheet to generate a key pair.

In Key Manager, you must right-click the WWW icon and select Create New Key, which will launch the Create New Key Wizard. If Microsoft Certificate Server is installed, you will have the option to send your key request directly to the Certificate Server. Usually, though, you will instead send your certificate request to an online CA by choosing Put The Request In A File That You Will Send To An Authority.

The default filename for the certificate request is C:\NewKeyRq.txt. You can either accept the default name or create a new one. Once you’ve named the file, choose Save and then click Next. The wizard will lead you through the process prompting you for information, such as a key name. You’ll also have to enter and confirm a password. Remember this password, because you’ll need it to install the certificate later.

The value for Key Length will depend on your server’s level of encryption. The value for Common Name should be either your server’s machine name or its registered domain name for the Internet. After you’ve filled in the required information, click Finish.

A Key icon will appear under the WWW icon, as shown in Figure B. The orange slash through the key icon indicates that the certificate is not yet complete, since it needs signing and installation. Choose the Key menu and select Exit. When prompted, select Yes to confirm the changes.

Figure B
When you create a key, you’ll see it in the Key Manager window.

Requesting a signed certificate from a certificate authority
The request file that you have created (C:\NewKeyRq.txt) will be used by a CA to generate a signed server certificate. Each CA may have specific instructions on how to request a signed server certificate, so consult your CA for guidance. Usually, your CA will have a Web site where you can submit your request file (NewKeyRq.txt). After the CA verifies your identity, you may be notified to download your signed certificate. You’ll receive your signed certificate in the form of a text file.

You may have to open the issued certificate file in Notepad and copy the key text, including the BEGIN CERTIFICATE and END CERTIFICATE labels. Paste this data into a new file and save it with a .crt extension. The certificate may look similar to the following when viewed in a text editor. This is not a valid certificate and is shown only as an example.

-----BEGIN CERTIFICATE-----
MTIDUzCCArwgAyIBAgIYC1kwDQJTKoHIhvcNAQEFBQ

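
As an added example (not part of the original article), this Python script performs the copy step programmatically: it pulls the block between the BEGIN CERTIFICATE and END CERTIFICATE labels out of a CA's reply, rejects a truncated or corrupted body, and returns text ready to save with a .crt extension. The sample reply and its DER bytes are constructed, and the function names are hypothetical.

```python
import base64
import re

# Accept hyphens that a mail client or word processor turned into en/em dashes.
DASH = "[-\u2013\u2014]+"
BLOCK = re.compile(
    f"{DASH} ?BEGIN CERTIFICATE ?{DASH}(.*?){DASH} ?END CERTIFICATE ?{DASH}", re.DOTALL)

def der_length(der: bytes) -> int:
    """Total encoded length claimed by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form: length in one octet
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length octets follow
    if not 1 <= n <= 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_certificate(reply: str) -> str:
    """Pull one certificate out of a CA reply and return canonical PEM text."""
    match = BLOCK.search(reply)
    if match is None:
        raise ValueError("no complete BEGIN/END CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop CR/LF, spaces and tabs
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:               # binascii.Error is a ValueError
        raise ValueError("certificate body is not valid base64") from exc
    if der_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])

# Constructed sample: a 260-byte dummy DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_REPLY = (
    "Your request was approved.\r\n\r\n\u2014\u2014-BEGIN CERTIFICATE\u2014\u2014-\r\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii").replace("\n", "\r\n")
    + "\u2014\u2014-END CERTIFICATE\u2014\u2014-\r\n\r\nRegards, Example CA\r\n"
)

if __name__ == "__main__":
    print(extract_certificate(SAMPLE_REPLY), end="")
```

Write the returned string to the .crt file you will select when installing the certificate.
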
Installing the signed certificate
Installing a signed certificate involves a number of steps. You’ll have to open Key Manager (see the section “Generating a key pair file and a request file”). To install the certificate, right-click the Partial Key icon and choose Install Key Certificate. Next, you’ll need to locate the file downloaded from your CA or, as I mentioned earlier, the .crt file you created from your CA’s file.

Enter the password you used when creating the request file. Then, choose Any Unassigned in the Server Bindings dialog box if you’re running only one secure Web site on this server. If you’re running multiple Web sites on your server, you’ll have to enter the appropriate IP address and/or port assignment for the Web site on which you want to enable SSL.

SSL does not support the use of host headers. If you have multiple Web sites on your server, each must have a unique IP address. The default port assignment for SSL is 443. Once you’ve entered the password, choose the Key menu and select Exit; click Yes to confirm the changes.

SSL is now enabled on your Web server. If you reopen Key Manager, you’ll notice that the orange slash through the key icon has disappeared. When you select the key icon, details about the server certificate will appear in the right-hand side of Key Manager. Also, encryption settings will now be available in the Secure Communications area of the Internet Service Manager.

Activating SSL on a WWW service
At this point, you’ve generated a key pair, requested a signed certificate, and installed the certificate. Now you must activate SSL on a WWW service. To do that, open the Internet Service Manager and do one of the following:
  • Select Default Web Site if you want the entire Web site to be secure.
  • Select a specific directory if you want a secured directory only.
  • Select a specific file if you want a single secured Web page only.

Right-click your choice and select Properties. When the Properties sheet appears, choose the Directory Security tab. Select Edit from the Secure Communications area and select the Require Secure Channel When Accessing This Resource option, as shown in Figure C.

Figure C
After you obtain the certificate, you must enable it here.

Next, choose a Client Certificate Authentication option, usually Do Not Accept Client Certificates. For more information about Client Certificate Authentication, you can click the Help button on the Secure Communications screen. Select OK to apply your changes and exit. You must stop and restart the World Wide Web Publishing Service using your Services applet in Control Panel in order for the changes to take effect.

Backing up the server certificate
You should keep a backup copy of your server certificate on a floppy disk and store the disk in a safe location. Don’t forget the password for your certificate. To back up the server certificate, open Key Manager and select Key | Export | Backup File. You will receive this message: WARNING! This operation places sensitive information in a file on your hard drive.

While you’ll be required to enter a password to use the file again, losing or copying this file may compromise your security. That’s why you should save the backup file to a floppy disk (instead of the hard drive) and then store it in a safe location.

Select OK to continue past the warning and enter the filename you want to use for saving your key. It will save with a .req extension (e.g., A:\MyServer-key.req). Select Save to complete the backup process.

More information
We’ll cover SSL in more depth in future Daily Drill Downs. In the meantime, keep the following in mind:
  • Microsoft released several fixes for encryption after Service Pack 3 for Windows NT. Microsoft recommends that you install the most recent service pack before enabling SSL.
  • If you experience problems with SSL, refer to the Microsoft Knowledgebase Article “How to Troubleshoot SSL in Internet Information Server 4.0” (Article ID: Q197306).
  • Clients will need a browser that is capable of the level of encryption offered by your Web server.
  • As I noted earlier, SSL does not support the use of host headers. If you have multiple Web sites on your server, each must have a unique IP address.
  • The default port assignment for SSL is 443. When you’re creating new Web sites, SSL is not automatically configured. Port assignment needs to be specified manually in the Advanced area of the new Web site’s properties sheet.
  • The http:// prefix that clients are accustomed to will change to https:// when accessing secure Web pages.

SSL offers the confidence that customers need to perform confidential transactions with your Web server. Whether it’s logging on to use Web-based e-mail, making online purchases via credit card, or viewing confidential Web pages, IIS 4.0 provides an easy-to-administer solution that employs the security features of SSL.

Troy Thompson, MCSE+I, has worked in the automation field for 15 years, and he has dealt with a variety of systems, including Wang OIS, Unisys BTOS, UNIX, Windows 3.11, Novell NetWare, Windows NT 3.51, and Windows NT 4.0. He’s worked as an administrator of a Novell and an NT network and as a systems analyst for an IBM mainframe. Currently, Troy is the Information System Security Officer at the Information Management shop at Fort Knox. If you’d like to contact Troy, send him an e-mail.
