This step-by-step article describes how to set up Secure Sockets Layer (SSL) in a Windows 2000 Internet Information Services (IIS) 5.0 development lab environment. Microsoft Certificate Server 2.0 can create many different certificates; this article only covers creation of a standard Web certificate.back to the top Create a Certificate Request
To create a Web server certificate, follow these steps:
- Open the Internet Service Manager Microsoft Management Console (MMC). To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Service Manager.
- Double-click the server name so that you see all the Web sites.
- Right-click the Web site where you want to install the certificate, and then click Properties.
- Click the Directory Security tab.
You see three security methods. The one you will use to create a certificate request is Secure Communications.
- Click Server Certificate. The Certificate Wizard starts. Click Next to continue.
- Select Create a new certificate, and then click Next.
- Select Prepare the request now, but send it later, and then click Next.
- Type a name for your certificate, and then select a bit length. Unless it is needed for your lab, do not select the SGC Certificate check box. (For more information about SGC certificates, see the note at the end of this section.) Click Next to continue.
- Type your organization name and the organizational unit (for example, company name and development department). Click Next.
- For Common Name, type either the fully qualified domain name (FQDN) or the server name. If you are creating a certificate that will be used over the Internet, it is better to use an FQDN. Click Next.
- Type your location information, and then click Next.
- Type the path and file name where you want to save the certificate information, and then click Next.
NOTE: If you type anything other than the default location and file name, make sure to note the name and location you select, because you must access this file in later steps.
- Verify the information that you have typed, and then click Next to complete the process and create the certificate request.
- In the Completing the Web Server Certificate Wizard dialog box, click Finish.
- Click OK to close the Web site properties.
Server Gated Cryptography (SGC) certificates are used most frequently by financial institutions that require high-encryption connections even when connecting with international users or browsers that are limited to 40-bit encryption. When connecting to an international browser (40-bit), an SGC certificate creates a 128-bit tunnel to allow 128-bit encryptionstrength. When the secured connection or session ends, the intermediate certificate tunnel is closed.
Also, the SGC certificate is strictly domain-specific. Typically, if the domain name of a certificate does not match the domain of the Web site, you receive a warning stating this fact and you can choose to continue or not. An SGC certificate does not give you a warning or offer choices. The connection is unsuccessful, but you do not receive an explanation.back to the top Submit a Certificate Request
To submit a certificate request, follow these steps:
- Open a browser, and then open http://YourWebServerName/certsrv/.
- Select Request a Certificate, and then click Next.
- Select Advanced Request, and then click Next.
- Select the center option, Submit a Certificate Request using a Base64, and then click Next.
- In Notepad, open the request document that you created in the first procedure section, "Create a Certificate Request".
- Copy the contents of the document.
The contents look similar to the following:
-----BEGIN NEW CERTIFICATE REQUEST-----MIICcjCCAhwCAQAwYjETMBEGA1UEAxMKcm9ic3NlcnZlcjELMAkGA1UECxMCTVMxCzAJBgNVBAoTAk1TMREwDwYDVQQHEwhCZWxsZXZ1ZTERMA8GA1UECBMIV2FzaGl0b24xCzAJBgNVBAYTAlVTMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALYK4sYDNQ7hLmSfL0qpIvUfY7Ddw7fNCvDp3rM7z4QqoLhA2c8TkyamqWTBsV0WRHIidf/J6mU4wN4wrUzJTLUCAwEAAaCCAVMwGgYKKwYBBAGCNw0CAzEMFgo1LjAuMjE5NS4yMDUGCisGAQQBgjcCAQ4xJzAlMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDATCB/QYKKwYBBAGCNw0CAjGB7jCB6wIBAR5aAE0AaQBjAHIAbwBzAG8AZgB0ACAAUgBTAEEAIABTAEMAaABhAG4AbgBlAGwAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByA4GJAGKa0jzBn8fkxScrWsdnU2eUJOMUK5Ms87Q+fjP1/pWN3PJnH7x8MBc5isFCjww6YnIjD8c3OfYfjkmWc048ZuGoH7ZoD6YNfv/SfAvQmr90eGmKOFFiTD+hl1hM08gu2oxFU7mCvfTQ/2IbXP7KYFGEqaJ6wn0Z5yLOByPqblQZAAAAAAAAAAAwDQYJKoZIhvcNAQEFBQADQQCgRCWkaXlY2nVatbn6p5miPwWfrbViYo0B62wkuH0f7J0nSGcxMnn/6Q/iLEIsgHqFhox5PWCzIV0JtXKPWrBL-----END NEW CERTIFICATE REQUEST------- NOTE: If you save the document with the default name and location, it is located at C:\Certreq.txt.
NOTE: Make sure that you copy all the content just as shown here.
- Paste the contents of the document in the Base64 Encoded Certificate Request text box of the Web form. Click Submit.
- If Certificate Server is set to Always Issue the Certificate, you are immediately directed to the Certificate Issued page. The address bar reads:
http://YourWebServerName/certsrv/certfnsh.asp On this page, you can download the Web server certificate immediately. To do so, follow these steps on the Certificate Issued page:
- Click the top link, Download Certification Authority Certificate (do not click Download Certification Authority Certificate path).
- When you are prompted, select Save this file to disk and save the certificate to your desktop or another location that you will remember.
- Now, go straight to the "Install the Certificate" section.
- If Certificate Server is set to Set the certificate request status to pending, you will receive the following "Certificate Pending" message:
Certificate Pending.Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested. Please return to this web site in a day or two to retrieve your certificate.Note: You must return with this web browser within 10 days to retrieve your certificate. To continue, move on to the "Issue a Certificate" section.
For more information about configuring certificate issuing policies, see Appendix A. back to the top Issue a Certificate
To issue (that is, authorize) a certificate in Certificate Server, follow these steps:
back to the top Download a Certificate
- Open the certification authority Microsoft Management Console (MMC) snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
- Expand Certification Authority.
- Click the Pending Requests folder. Your pending certificate requests appear in the right pane.
- Right-click the pending certificate request (that is, the request that you submitted in the third procedure in this article), select All Tasks, and then click Issue.
NOTE: After you select Issue, the certificate is not displayed in this window and folder. It now resides in the Issued Certificate folder.NOTE: For more information about configuring certificate issuing policies, see Appendix A.
After you have issued and authorized the certificate, you can return to the Certificate Server Web interface to select and download the certificate:
- Open http://YourWebServerName/certsrv/.NOTE: You must use lowercase letters when you type certsrv. If you do not, you cannot see pending requests.
- On the default page, select Check on a pending certificate, and then click Next.NOTE: If you select Retrieve the certification authority certificate or certificate revocation list from the default Welcome page, you will download the root certification authority certificate and not the Web server certificate. If you try to install a root certification authority certificate to a Web site, you will receive the following error message:
Selected certificate was already installed to another server. Please, choose another response file.
- Select your pending certificate, and then click Next to open the download page.
- On the download page, click the top hyperlink, Download Certification Authority Certificate (do not click Download Certification Authority Certificate path).
- When you are prompted, select Save this file to disk and save the certificate to your desktop or another location that you will remember.
You have issued and downloaded your certificate.
The next step is to install the certificate and set up an SSL-encrypted Web site. back to the top Install the Certificate
There are several ways to install and set up an SSL certificate: for example, you can double-click the certificate and use the Certificate Installation Wizard to preinstall the certificate, then bind it to the site. This article describes how to install the certificate by using the Internet Service Manager MMC through the Web Server Certificate Wizard.
To install a certificate in Certificate Server, follow these steps:
back to the top Configure and Test the Certificate
- Open the Internet Services Manager, and then expand the server name so that you can view the Web sites.
- Right-click the Web site that you created the certificate request for, and then click Properties.
- Click the Directory Security tab. Under Secure Communications, click Server Certificate.
This opens the Certificate Installation Wizard. Click Next to continue.
- Select Process the pending request and install the certificate, and then click Next.
- Type the location of the certificate that you downloaded in the "Download a Certificate" section, and then click Next.
- When the Wizard displays the certificate summary, verify that the information is correct, and then click Next to continue.
- Click Finish to complete the process.
To configure and test the certificate, follow these steps:
- On the Directory Security tab, under Secure Communications, note that you now have three available options. To set the Web site to require secure connections, click Edit. The Secure Communications dialog box appears.
- Select Require Secure Channel (SSL), and then click OK.
- Click Apply and then OK to close the Properties window.
- Locate the site and verify that it works:
- Access the site through http by typing http://localhost/Postinfo.html in the browser. You receive an error message that resembles the following:
HTTP 403.4 - Forbidden: SSL required.
- Try to access the same Web page with a secured connection (https) by typing https://localhost/postinfo.html in the browser.NOTE: The Postinfo.html page is a standard HTML page that is found in the root of the default Web site.
- If you receive a security message that states that the certificate is not from a trusted root certification authority, click Yes to continue to the Web page.
NOTE: To learn how to add your root certification authority to the Trusted Root Certification Authorities list in your browser, see Appendix B.
If you can view the page, you have successfully installed your certificate.back to the top Appendix A: How to Change Certificate Issuing Policies
You can select whether you want to issue a certificate upon request (no authorization) or whether you want all requests to be submitted for pre-authorization through the certification authority MMC snap-in. To do this, follow these steps:
back to the top Appendix B: Install a Root Certification Authority Certificate in the Trusted Root Certification Authority List in Internet Explorer 5.x
- Open the Certification Authority tool. To do this, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
- Right-click your certification authority name, and then click Properties.
- In the Properties window, click the Policy Module tab, and then click Configure.
- On the Default Action tab, select either of the following:
- Set the certificate request status to pending: The administrator must explicitly issue the certificate.
- Always issue the certificate: This issues the certificate immediately, with no authorization required.NOTE: If a certificate is recognized on the network, select the second option.
You can deliver the root certification authority certificate to the Web site users in several ways. One way is to e-mail it and have the users install it from the e-mail. Another way is to include a download page on your Web site with a link to the certificate. A corporate-wide solution is to use the Internet Explorer Administration Kit (IEAK) to push a customer Internet Explorer browser with the root certification authority certificate already installed into the Trusted Root Certification Authorities
list. However you make the certificate available, one thing stays the same: the way you install the certificate in the Trusted Root Certification Authorities
list in Internet Explorer, as this appendix demonstrates.NOTE:
The certificate must be installed for Internet Explorer to trust that your site certificate is not the certificate that you just created but instead the root certification authority certificate, which was created when you installed Certificate Server.
For the purposes of this document, download the certificate by using the Certificate Servers Web
interface, which is located at http://<YourServerName>
/certsrv/. After you have arrived at the Welcome page, select Retrieve the certification authority certificate or certificate revocation list
, and then click Next
You now have two choices:
back to the top
- Install this certification authority certification path. If you are installing the root certification authority certificate into the browser that you are currently connected with, click the Install this certification authority certification path link, and the root certification authority certificate is automatically installed in the Trusted Root Certification Authorities list in your Internet Explorer browser.
After the installation is complete, you receive a confirmation page.-or-
- Download certification authority certificate. If you must install the root certification authority certificate in the root certification authorities list in any other Internet Explorer browser, you can download it and install it as follows:
To see if you receive the trusted root certification authority warning again, close and reopen your browser, and then open the following Web site:
- Click Download certification authority certificate.
- Select Save the file to disk.
- Access the location where you saved the root certification authority certificate, and then double-click the certificate to open the Properties window for that certificate.
- Click Install Certificate to start the Certificate Import Wizard. Click Next to continue.
- Select Place all certificates in the following store.
- Click Browse, select Trusted Root Certification Authorities, and then click Next.
- Verify the settings, and then click Finish.
You receive the following message:
The import was successful.
- Click OK to dismiss this message, and then click OK to close the Properties window.
https://<MySecureWebsite>/Postinfo.htmlNOTE: The Postinfo.html page is a standard HTML page that is found in the root of the default Web site.
If you can open this site, you have successfully added your root certification authority to the Trusted Root Certification Authorities list in your Internet Explorer browser.
For additional information about using certificates with IIS 5.0, click the article numbers below to view the articles in the Microsoft Knowledge Base:
How To Back Up a Server Certificate in Internet Information Services 5.0
When you use IIS 5.0, you may want to back up your server certificates. Windows 2000 makes this process easy with the new Certificates snap-in.
How to Import a Server Certificate for Use in Internet Information Services 5.0
When you use IIS version 5.0, you may want to restore a server certificate (for example, if you are migrating one Web site to another server in a Web farm). This task is very easy to do with the Web Site Certificate Wizard and the Certificate Manager Import Wizard that is included with Windows 2000 and IIS 5.0.
Creating Server Certificates Using Certificate Services Web Forms
When you enable secure communications such as SSL and Transport Layer Security (TLS) on an IIS 5.0 computer, you must first obtain a server certificate. The integration of certificates in Windows 2000 and the new additions to IIS 5.0 provide several ways to obtain a server certificate.
Importing a Key Backup File to Use in Internet Information Services 5.0
After you install IIS 5.0, you may want to import a backup key file from an older version of Internet Information Server (IIS). When you do this, you can use the SSL capabilities on your new server (and replace the old one).
INFO: IIS 5: What Does Check on Pending Requests Do?
This article briefly describes what occurs when a certificate request is submitted to Certificate Services 2.0 through the Certificate Services Web pages and what occurs when you view your pending request on the Certificate Services Web pages.
How To Create a Secure WebDAV Publishing Directory
This step-by-step article describes how to create a secure Web Distributed Authoring and Versioning (WebDAV) publishing directory.
How To Configure Certificate Trust Lists in Internet Information Services 5.0
This step-by-step article describes how to create and configure Certificate Trust Lists (CTLs) by using the Certificate Trust List Wizard in IIS version 5.0.back to the top