We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
This article discusses the creation and installation of an encryption key for Secure Sockets Layer (SSL) encryption on Internet Information Server (IIS) version 4.0. This article also assumes that there are no existing keys installed in IIS 4.0.
Creating a key
- Open the Microsoft Management Console (MMC) for IIS.
- In the MMC, expand the Internet Information Server folder by clicking the plus sign (+).
- Click the plus sign (+) next to the computer name.
- The Default Web Site should be available now. Right-click on the icon and choose Properties.
- In the Default Web Site Properties, choose Directory Security.
- In the Secure Communications area of this property sheet, click the Key Manager button. NOTE: If the button reads Edit instead of Key Manager, you already have an encryption certificate for the WWW Service installed.
In Key Manager
- Right-click the WWW icon and select Create New Key.
- The Create New Key dialog appears. You will see two configuration options in this dialog. If Microsoft Certificate Server is installed, you will have the option to send your key request directly to the Certificate Server. If you want to send your Certificate to an online Certificate Authority (CA), choose Put the request in a file that you will send to an authority. This example assumes that an online CA will be used for Certificate signing. Select an appropriate name and location.
- Fill out the next dialog. The key length available will depend on the level of encryption in your version of Windows NT Server. Normally, domestic (US and Canadian) versions of Windows NT will have 128-bit encryption available and export versions of Windows NT will have 40-bit. The installation of Windows NT Service Packs may affect this, because service packs come in both 128-bit and 40-bit versions.
- Continue filling out the dialog. The Common Name of the certificate MUST be either the name of the Windows NT Server (if using WINS) or the Domain Name of the server if on the Internet. NOTE: For every Web site that has a distinct DNS name, there must be an encryption key installed. However, each Web site for SSL MUST have a distinct IP address as well. SSL DOES NOT SUPPORT THE USE OF HOST HEADERS.
- Continue form completion with country, state and locality.
- Fill out the appropriate contact information and click Finish.
- Key Manager will display a key icon under the WWW icon. The key will have an orange slash through it indicating it is not complete.
- Choose the Key menu and select Exit. Choose YES when asked to commit changes. NOTE: If you close Key Manager and do not commit the changes, the key will not function properly. If this occurs, delete the partial key in Key Manager and create the request again.
- Retrieve the text file created in Step 2 of the Key Manager section above. This file is your certificate request: it contains the unsigned public key of your key set. To enable encryption, this key must be signed by a Certificate Authority.
- Depending on your Certificate Authority, you will have particular steps to follow for signing of this file. Consult your Certificate Authority for details.
- A text file will be created as the "signed" certificate.
- Follow the steps above to open Key Manager.
- Right-click the Partial Key icon and choose Install Key Certificate.
- Input the appropriate password.
- In the Server Bindings dialog, choose the appropriate settings. Any Unassigned is fine if there is only one secure server. For multiples, configure the appropriate IP address and/or port assignment.
- Close Key Manager and choose Commit Changes. SSL should now be functional on the Web server. When you access the Secure Communications area of IIS in the MMC, encryption settings will now be available. See the online documentation for details on configuration options.
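The three artifacts behind the Key Manager steps above are a private key that never leaves the server, a certificate request (the unsigned public key written to the text file in Step 2), and the certificate the Certificate Authority returns. The following is an added example, not code from the article or from IIS, that builds all three with the Python `cryptography` library (assumed to be installed), stands in for the CA's signing step, and performs the check Key Manager makes when you install the signed certificate against the partial key: that the certificate carries the public half of the key already on the server. The names "www.example.com", "Example Org" and "Example Test CA" are constructed.

```python
"""
Added example (not from the KB article): key pair, certificate request and
CA-signed certificate, plus the install-time check that the certificate
matches the server's private key. Requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_request(common_name: str):
    """Generate the server key pair and a PKCS#10 request whose Common Name is
    the name clients use for the site (the rule stated in the Key Manager
    dialog). The returned request is what you would send to the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([
            x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),            # constructed
            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Washington"),
            x509.NameAttribute(NameOID.LOCALITY_NAME, "Redmond"),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
            x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        ]))
        .sign(key, hashes.SHA256())
    )
    return key, csr


def sign_request(csr, ca_key, ca_name, days=365):
    """Stand-in for the Certificate Authority: verify the request's own
    signature, then issue a certificate over the requested subject and public
    key. A real CA also vets that the requester controls the name."""
    if not csr.is_signature_valid:
        raise ValueError("request signature does not verify")
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_name)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .sign(ca_key, hashes.SHA256())
    )


def matches_private_key(cert, key) -> bool:
    """Install-time check: the signed certificate must contain the public half
    of the key pair generated on this server, otherwise the key cannot be used
    for SSL (the equivalent of installing a certificate against the wrong
    partial key in Key Manager)."""
    return cert.public_key().public_numbers() == key.public_key().public_numbers()


def common_name(cert) -> str:
    """Common Name from the certificate subject, for comparison with the site name."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def demo(site="www.example.com"):
    """Run the whole exchange for one site and return (server key, certificate)."""
    key, csr = make_request(site)
    # The PEM text below is the equivalent of the request file Key Manager writes.
    request_file = csr.public_bytes(serialization.Encoding.PEM)
    # The CA side: parse the file it received and sign it with its own key.
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # constructed test CA
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = sign_request(x509.load_pem_x509_csr(request_file), ca_key, ca_name)
    return key, cert


if __name__ == "__main__":
    server_key, server_cert = demo()
    print("CN:", common_name(server_cert))
    print("certificate matches server key:", matches_private_key(server_cert, server_key))
```

The `matches_private_key` comparison is the one worth keeping in any deployment script: a certificate issued for a request generated on another machine (or for a request you deleted and re-created, as the NOTE about uncommitted keys describes) will not pair with the key on this server, and the site will not serve SSL.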
Points to be aware of
- There were many fixes for encryption in the Service Pack 3 time frame. It is recommended that Service Pack 6a be used on a computer that is used for SSL communications.
- When you create new sites in the MMC for IIS, the SSL port is not automatically configured. To do this, configure the Advanced area of the Web site properties with Port 443. This is the default SSL protocol port.
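The binding rules scattered through this article (the Common Name must be the name clients use for the site, each SSL site needs its own IP address because host headers are not available over SSL, Any Unassigned is only fine with a single secure server, and a new site has no SSL port until 443 is set under Advanced) are easy to violate one site at a time. The following is an added example, not from the article or from IIS, that checks a planned set of sites against those rules in plain Python before anyone touches the MMC. The `Site` record, the `ANY_UNASSIGNED` marker and all site names and addresses are constructed for the example.

```python
"""
Added example (not from the KB article): validate a planned set of IIS 4.0
Web sites against the SSL binding rules the article states.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_UNASSIGNED = "*"  # constructed marker for the "Any Unassigned" choice in Server Bindings


@dataclass
class Site:
    name: str                # name clients use: NetBIOS name (WINS) or DNS name (Internet)
    ip: str                  # bound IP address, or ANY_UNASSIGNED
    ssl_port: Optional[int]  # None when the SSL port was never configured (new-site default)
    cert_cn: Optional[str]   # Common Name of the installed certificate; None = no key installed


def check_bindings(sites: List[Site]) -> List[str]:
    """Return one message per rule violation; an empty list means the plan is consistent."""
    problems: List[str] = []
    secure = [s for s in sites if s.cert_cn is not None]

    for s in secure:
        # Key Manager dialog rule: the certificate's Common Name must be the site's name.
        if s.cert_cn.lower() != s.name.lower():
            problems.append(f"{s.name}: certificate CN '{s.cert_cn}' is not the site name")
        # "Points to be aware of": a new site has no SSL port until 443 is set under Advanced.
        if s.ssl_port is None:
            problems.append(f"{s.name}: no SSL port configured (set 443 under Advanced)")

    # Server Bindings rule: Any Unassigned is fine only when there is a single secure server.
    if len(secure) > 1:
        for s in secure:
            if s.ip == ANY_UNASSIGNED:
                problems.append(
                    f"{s.name}: bound to Any Unassigned but {len(secure)} secure sites exist"
                )

    # NOTE rule: SSL does not support host headers, so two secure sites on the same
    # IP address and port cannot be told apart; each needs a distinct IP address.
    owner: Dict[Tuple[str, int], str] = {}
    for s in secure:
        if s.ssl_port is None or s.ip == ANY_UNASSIGNED:
            continue
        binding = (s.ip, s.ssl_port)
        if binding in owner:
            problems.append(
                f"{s.name}: shares {s.ip}:{s.ssl_port} with {owner[binding]}; "
                "SSL needs a distinct IP address per site"
            )
        else:
            owner[binding] = s.name
    return problems


# Constructed plan: one correct site and one example of each violation.
PLANNED_SITES = [
    Site("www.example.com", "192.0.2.10", 443, "www.example.com"),            # correct
    Site("shop.example.com", "192.0.2.11", 443, "NTSERVER1"),                 # CN is not the site name
    Site("intranet.example.com", "192.0.2.10", 443, "intranet.example.com"),  # shares IP:443 with www
    Site("new.example.com", "192.0.2.12", None, "new.example.com"),           # SSL port never set
    Site("other.example.com", ANY_UNASSIGNED, 443, "other.example.com"),      # Any Unassigned, many sites
    Site("plain.example.com", "192.0.2.13", None, None),                      # no key: not an SSL site
]

if __name__ == "__main__":
    for problem in check_bindings(PLANNED_SITES):
        print(problem)
```

Run against the constructed plan, the check reports exactly the four secure sites that break a rule and says nothing about the correct site or the site with no key installed.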