Networking optimize

How do I... Request and install SSL certificates in IIS 6.0?


SSL (Secure Sockets Layer) certificates are perhaps the most common way to protect information being transmitted between a visitor Web browser and your Web site. SSL provides encryption services to information flowing between systems and can protect Web traffic, e-mail, instant messages and a host of other kinds of data transmittals.

I'm not going to go into great detail about the inner workings of SSL except to say that it is a critical infrastructure component for any organization that has a desire to protect customer or other confidential information. SSL is widely used by banks, e-commerce companies, and other Web entities that require transmission of sensitive information, such as passwords, social security numbers, etc.

In this article, I will show you how to obtain and install a third-party SSL certificate into Microsoft Internet Information Server 6.0 (IIS 6.0) running on Windows Server 2003.

Certificates

Before I get into the required steps, let me talk a little about the types of certificates you will encounter. In the most simplistic view, there are four kinds of certificates to which you will be exposed during your SSL adventure:

  • Self-signed SSL certificates: These are certificates that you generate and use to encrypt information passing between a client and your server. These certificates are good insofar as they do allow you to encrypt data, but since they are created on-site, the certificates have not been verified by a third party entity, meaning that the site can't necessarily be trusted.
  • Third-party SSL certificate: A third-party SSL certificate provides the same encryption capabilities as a self-signed certificate. However, since the certificate is issued by a third party, it is considered a more trusted type of certificate, especially when the certificate chain extends to a trusted root certificate.
  • Intermediate certificate: Not all SSL certificate vendors are created equal. In order to be fully trusted, any certificate you obtain needs to eventually link to a root certificate that is trusted by your Web browser. However, not all vendor's SSL certificates are natively trusted by root certificates. As such, with these vendors, you need to complete the SSL trust chain by, in addition to installing your SSL certificate, installing an intermediate certificate between a root certificate and your new SSL certificate. If you skip this step, users will continue to get certificate errors until this trust chain is established. The use of an intermediate SSL certificate requires a slight bit of additional network communication at the initial establishment of an SSL-secure session but beyond that, there is no performance penalty.
  • Trusted root certificate (or Trusted root certification authorities): A root certificate is the Grand PooBah of the certificate world. In order to complete the trust chain, your individual certificate must, in some way, link to a root certificate.

A third-party SSL certificate is generally considered more trusted than a self-signed certificate since the certificate information is verified by a third party and the certificate ultimate maps to what is called a trusted root certificate.

Note: For this document, I am assuming that you will be installing a brand new certificate that you do not yet own and not importing some kind of existing certificate. Further, I assume that you do not have a complex public key infrastructure in-house and that you need to get your certificate from a third party.

Step 1: Prepare a Certificate Signing Request (CSR)

Regardless of the SSL vendor you use, you first step in the process is to create a Certificate Signing Request -- or CSR -- that will be sent to the SSL vendor of your choice. The CSR is a Base-64 encoded PKCS#10 message (this basically means it's a bunch of gobbledygook that is unreadable by humans) that contains all of the information necessary to identify the person or company applying for the certificate. The request also includes the applicant's public key. The public key is the public (or, non-private) portion of a combined public key/private key structure that, together, is able to effectively and securely encrypt information.

1. Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the IIS Manager, expand server (local computer) | Web Sites.

3. Right-click the Web site to which you want to install the new certificate and, from the shortcut menu, choose Properties. (Figure A)

Figure A

Properties

Open the properties page for the site you want to protect.

1. From the Properties window, select the Directory Security tab.

2. Click the button labeled Server Certificate to start the Web Server Certificate Wizard (Figure B). Note that if the button marked View Certificate is available (that is, not grayed out), you already have a certificate protecting this site. However, the certificate may be expired.

Figure B

Wizard

Click the Server Certificate button to begin the process.

1. The first screen of the wizard asks you to select from a number of options (Figure C). In this case, we want to create a new certificate.

Figure C

Choose the option to create a new certificate.

2. Next, choose the option next to "Prepare the request now, but send it later."

Here's some of the CSR mumbo jumbo associate with this certificate request:

-----BEGIN NEW CERTIFICATE REQUEST-----
MJIDdDCCBt0CAQAwgZgxCzAJBgNVBAYTAlVTMRFwDwYDVQQIEwhNaXNzb3VyaTEP
MA0GA1UEBxMGRnVsdG9uMRwwGgYDVQQKExNXZXN0bWluc3RlciBDb2xsZWdlMR8w
...
HQADVQQLEyZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSYwJAYDVQQDEx1zc2xzYW5k
Ym94Lndlc3RtaW5zdGVyLW1vLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
-----END NEW CERTIFICATE REQUEST-----

Step 2: Request a certificate from a certificate vendor

I'm using a company named ipsCA, which provides free two-year certificates to colleges and universities. During the registration process, you need to provide the certificate company with information validating you or your company's identity. Some consider this part a hassle, but it really is a vital part of the overall SSL chain. After all, you don't want just anyone receiving a certificate that uses your company name!

The certificate request process varies by certificate company, so I can't really provide the exact steps for the certificate request. What I can tell you is that, at some point, you'll need to open up the text file that contains the certificate request in order to copy and paste the encrypted certificate request in the appropriate field on the order form. (Figure D)

Once you complete the vendor's certificate request form and provide them with payment, you'll need to wait for the SSL certificate to be delivered to your inbox.

Figure D

Provide the necessary information for the vendor

Step 3: Save the provided certificate somewhere accessible

What you get back from a certificate vendor depends on the vendor you choose. In the case of ipSCA, the company that I used to get my certificate, they sent back a text file whose contents look a lot like the certificate request string from the previous step. However, in this case, the information starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. In the previous step, the terms were BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST.

Save this file to a location accessible from your Web server. When you save the file, make sure that it has a .cer extension. I've saved my certificate file as sslsandbox.westminster-mo.edu.cer. You may get back an actual .cer file in which case you just need to save the file somewhere accessible by the Web server.

Step 4: Install the certificate

After making sure that your Web server can access the certificate file, you need to install the new certificate by completing the certificate process started back in step 1.

1. Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the IIS Manager, expand server (local computer) | Web Sites.

3. Right-click the Web site to which you want to install the received certificate and, from the shortcut menu, choose Properties.

4. From the Properties window, select the Directory Security tab.

5. Click the Server Certificate button.

6. From the first wizard screen, choose "Process the pending request and install the certificate." (Figure E)

Figure E

Choose to process the pending request
7. Provide the path to and the file name of the certificate file you saved in Step 3. (Figure F)

Figure F

Tell the wizard where it can find the certificate file
8. Decide which port the Web site will use for SSL traffic (Figure G). The default is 443.

Figure G

Tell the wizard the SSL port that should be used
The summary screen (Figure H) will display the information found in the certificate.

Figure H

The summary screen provides summary information about the certificate

Step 5: Install necessary intermediate certificates

Unless you're working with one of the big SSL players, it's likely that you will need to install an intermediate certificate that completes the verification chain from your individual certificate up to a trusted root certificate. I explained intermediate certificates earlier in this document. You can tell if you're server is ready to go by clicking the View Certificate button shown back in Figure B. The results are shown in Figure I.

Figure I

The certificate chain is not complete

In order to complete the certificate chain, you need to download and install an intermediary certificate that sits between a root certificate and the certificate you just installed. In the case of ipSCA, this certificate is named IPSCACLASEA1.cer. I have saved this intermediate certificate to the same location as the site certificate.

1. Choose Start | Run and type "mmc". This starts the Microsoft Management Console (MMC).

2. From the Management Console, select File | Add/Remove Snap In.

3. In the Add/Remove Snap-In window, click the Add button.

4. In the Add Standalone Snap-in window, select Certificates

5. Click the Add button.

6. Choose Computer Account

7. Click Next.

8. Make sure the "Local computer" option is selected.

9. Click Finish.

10. Close the Add Standalone Snap-in window.

11. Click the OK button in the Add/Remove Snap-in dialog to return to the MMC window.

12. Expand the Certificates option (click the + icon) until you see "Intermediate Certification Authorities."

13. Right-click on Intermediate Certification Authorities and, from the shortcut menu, choose All Tasks | Import. This starts the SSL certificate import wizard.

14. Click the Browse button and locate the intermediate certificate file that you downloaded from the certificate provider. (Figure J)

Figure J

Provide the path to and name of the intermediate certificate file

15. Click Next.

16. Choose "Place all certificates in the following store," making sure that "Intermediate Certification Authorities" is the selected store. (Figure K)

Figure K

Place the certificate into the Intermediate Certification Authorities folder

17. Click Next.

18. Click Finish. If everything goes as planned Windows will indicate that the import was successful.

To see if the intermediate certificate solved the "not verified" problem you saw in Figure P, go back to the IIS manager and click the View Certificate button again. Figure L shows you the General information tab while Figure M gives you a look at the full certification chain.

Figure L

The General tab for the View Certificate window

Figure M

The General tab for the View Certificate window

Step 6: Test

Once complete, browse to the new site using https and make sure that you get a lock icon and that the details for the certificate match what you provided. In Figure N below, note that the certificate details do match.

Figure N

Check the details

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

9 comments
anita.mundhe
anita.mundhe

I m converting website from http to https i have installed certificate but when testing it i should get error when i use http

srg
srg

ONe of the best I've read Would like you to go into more detail if possible, but excellent Stephen R Goodwin Cartwright & Goodwin, Inc

mujib.syed
mujib.syed

how to installed ssl certificate in win-xp proffessional O/S

rb4711
rb4711

This is one of the most important items that any website owner should install. If you tranmit any communication over your web site such as contact forms, request forms, emails as well as upload of information, you will need to do it securely. I tell my clients that all their web site data transmission need to be secure and I provide the option to purchase third party certificates. I have used Verisign and Comodo for most of my clients website projects. I know of others but these two are the best in my opinion. Comodo is not as well known as Verisign is but they provide a great alternative to Verisign for website owners that what SSL certificates. Verisign process is much easier to implement but cost more for the similar certification of SSL. Which one would you choose as the best Verisign or Comodo?

srg
srg

ONe of the best I've read Would like you to go into more detail if possible, but excellent Stephen R Goodwin Cartwright & Goodwin, Inc

anita.mundhe
anita.mundhe

i m facing problem in testing after installation of certificate

nath.satyendra
nath.satyendra

u need to verify the source and I.P address of the signatory.