To help improve security, we recommend that you run the Administration Website in Microsoft Virtual Server 2005 over a Secure Sockets Layer (SSL) connection. This article describes the steps for setting up an SSL connection in an environment where the server certificates are based on a stand-alone root. If you use a third-party certificate root authority or an enterprise certificate root authority, you can still follow these steps because no assumptions are made in this process about the location or the ownership of each component that is used for setting up SSL for Virtual Server 2005.
You can use this process to set up SSL for Virtual Server 2005 on a Microsoft Windows XP-based host or on a Microsoft Windows Server 2003-based host. On a Windows Server 2003-based host, you set up a certificate for the site that you use. In this case, that is the Virtual Server site, not the default Web site. In Windows XP, there is only one site. That site is the default Web site.
If there is a certification authority available to issue certificates on your network, the following procedure may be optional. You can use any current Microsoft server product to install your certification authority. Follow these steps to install Certificate Services on a Windows Server 2003-based computer:
In Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows components.
Click to select the Certificate Services check box, and then click Next.
Click Stand-alone root CA, and then click Next.
Type the name that you want to use in the Common name for this CA box. Typically, this is the computer name. This computer name could be different from the computer that you are running Virtual Server 2005 on. Also, you may need only one certificate server for multiple Virtual Server hosts.
Click Next to accept the default settings for the share that is created and for the log files.
Insert the Windows installation media when you are prompted.
Click Yes when you receive the Active Server Pages (ASP) warning message.
Note When you perform this procedure, Microsoft Internet Information Services (IIS) stops, and ASP pages are installed. Then, IIS restarts to complete the installation. You do not have to restart the computer.
What to consider when you install a certification authority
Certification authority (CA) issues can cause you to have to reinstall the operating system on the CA computer and to issue new certificates for all your Web sites. Think about this when you select a server for the root CA installation. This may be a different computer than the Virtual Server host computer.
Restoring an outdated system state may cause CA issues.
Removing the computer from the domain breaks the CA.
The CA is linked to your user name. This is not typically an issue, except during installation if the Distinguished Name box is blank. However, it can be an issue if you log on to the network by using your domain user name even though the Virtual Server host computer is already in the domain. The distinguished name must be a Domain Name System (DNS) resolvable name that is written in distinguished name syntax. For example: CN=Concours88,DC=northamerica,DC=corp,DC=Microsoft,DC=com.
You can manually type the required information in a blank field when you request a certificate.
Prepare a certificate request for the Virtual Server site in the Internet Information Services (IIS) Manager snap-in:
On the Virtual Server host computer, start the Internet Information Services (IIS) Manager snap-in.
In the navigation pane, expand Server_Name, right-click Default Web Site or Virtual Server, and then click Properties.
On the Directory Security tab, click Server Certificates under Secure communications.
In the IIS Certificate Wizard, click Next.
Click Create a new certificate, and then click Next.
Click Prepare the request now, but send it later, and then click Next.
Type the name that you want to use, or use the default name. The default name of the certificate is the same as the site name, for example, Virtual Server.
In the Bit length box, click a key length, and then click Next. Typically, you can use the default bit length value.
For an internal certificate, type the name that you want to use in the Organization box and in the Organizational Unit box.
For example, type the name of your organization in the Organization box, and then type the name of your department in the Organizational Unit box. Third-party certificates have specific data requirements for these fields. This information is supplied by the third-party CA.
In the Common name field, type the NetBIOS name or the DNS name.
Note The common name is important because it fixes the complete name of your site. You can use either the NetBIOS name or the DNS name. Either choice lets you connect from Microsoft Internet Explorer by using either name. However, if you connect by using a name that differs from the common name in the certificate, you receive a warning message about the name mismatch. Use the syntax that is most common in your environment to avoid the warning message. The warning message appears in a dialog box, but it does not block your access to the site. Apart from this, it does not matter whether you choose the NetBIOS name or the DNS name.
Type the correct country, state, and city.
Type a file name for the certificate request that you are exporting.
Under Request a certificate, click advanced certificate request, and then click submit a saved request.
Security settings may prevent you from using the Web page links from here.
Alternatively, copy all the text from the C:\Certreq.txt file. Then, paste the text into the Saved Request box on the Submit a Certificate Request or Renewal Request page. The certificate request is a text file that contains the information that you entered in step 1. The certificate request is encoded the same as the following sample.
Important If you want to make multiple submissions, it is a good idea to document the exact order that you submitted the requests in. There may be no way to identify the certificates from the certificate export page when you export the certificate later in this procedure. This is because the display name is not available in any IIS Certificate Services Web page or in the Certificate Authority snap-in.
Leave the Certificate Services site open for part 5.
Return to the Certification Authority Web page, and then export the certificate.
Under Select a task, click View the status of a pending certificate request.
Note You only have one chance to do this. If you click Download a CA certificate, you can choose from the certificates that are installed on the computer, typically from the root CA. You cannot choose from the certificates that are approved and that are requested. Also, if multiple certificates are available, you may not be able to identify a certificate. Even the Certificate Authority snap-in may not display useful information that lets you determine the certificate that belongs to a request.
Under Certificate Issued, click Base 64 encoded.
Click Download certificate, and then save the certificate locally.
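Before you import the downloaded certificate into IIS, the following script (an added example, not part of the original article) inspects the Base 64 file and shows the subject common name, whether that name matches the NetBIOS or DNS name you will type in the browser, whether the file is really the site certificate rather than a CA certificate, and whether this computer already trusts the issuing root. The file path and host names are assumptions; replace them with your own values.

```powershell
# Added example, not from the original article. Assumes the certificate exported in
# Base 64 format was saved as C:\VirtualServerCert.cer and that the site is reached as
# CONCOURS88 (NetBIOS) or concours88.corp.example.com (DNS). Adjust both as needed.
param(
    [string]$CertPath = 'C:\VirtualServerCert.cer',
    [string[]]$ExpectedNames = @('CONCOURS88', 'concours88.corp.example.com')
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Pull the CN out of the subject so it can be compared with the names used in the URL.
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
Write-Host ("Subject CN : {0}" -f $cn)
Write-Host ("Issuer     : {0}" -f $cert.Issuer)
Write-Host ("Valid      : {0} to {1}" -f $cert.NotBefore, $cert.NotAfter)
Write-Host ("Key length : {0} bits" -f $cert.PublicKey.Key.KeySize)

# A self-issued certificate means you downloaded the CA certificate, not the
# certificate that was issued for your pending request.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Host "Warning    : subject equals issuer; this looks like a CA certificate, not the site certificate"
}

# Internet Explorer shows a name-mismatch warning when the URL host name differs from the CN.
foreach ($name in $ExpectedNames) {
    $state = if ($name -ieq $cn) { 'matches the CN, no name warning' } else { 'differs from the CN, expect a name-mismatch warning' }
    Write-Host ("  https://{0}/ -> {1}" -f $name, $state)
}

# A stand-alone root is trusted only after it is placed in the client's Trusted Root store;
# X509Chain reports whether this computer would trust the certificate as it stands.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    Write-Host "Chain      : builds to a trusted root on this computer"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Host ("Chain      : {0} - {1}" -f $_.Status, $_.StatusInformation.Trim()) }
}
```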
If you cannot complete these procedures, start again. Open the Virtual Server site properties or the default Web site properties in the Internet Information Services (IIS) Manager snap-in, click the Directory Security tab, and start the wizard again. One of two pages appears. One page states that a certificate is already installed. This page provides options for removing or replacing the certificate. The other page lets you import a certificate from a pending request. This page also lets you cancel the request. You can cancel the request and start over.
If you receive an error message that states that the certificate does not match the request, this may indicate that you forgot to click the Base 64 encoded option when you exported the certificate from the Certificate Authority Web page. Cancel the request, and then resubmit the request.
If you receive an error message that states that the certificate is already installed, you may have clicked Download a CA certificate instead of View the status of a pending certificate request.
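After the certificate is installed on the Virtual Server site, the following script (an added example, not part of the original article) connects to the Administration Website over SSL from a client computer and reports the certificate the browser would see, including the name-mismatch and untrusted-root conditions that produce warning messages. The host name and port are assumptions; replace them with the name and port of your Virtual Server site.

```powershell
# Added example, not from the original article. Connects to the Virtual Server
# Administration Website over SSL and reports what a browser would see.
# The host name and port are assumptions; adjust them to your environment.
param(
    [string]$HostName = 'concours88.corp.example.com',
    [int]$Port = 443
)

# Accept any server certificate so that the handshake completes and the
# certificate can be inspected; the checks below report the problems instead.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { return $true }

$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''

    Write-Host ("Protocol   : {0}" -f $ssl.SslProtocol)
    Write-Host ("Subject    : {0}" -f $cert.Subject)
    Write-Host ("Issuer     : {0}" -f $cert.Issuer)
    Write-Host ("Expires    : {0}" -f $cert.NotAfter)

    # Name check: the URL host name must equal the common name chosen in the IIS wizard.
    if ($cn -ieq $HostName) {
        Write-Host "Name       : host name matches the certificate CN"
    } else {
        Write-Host ("Name       : host name '{0}' differs from CN '{1}'; browsers will warn" -f $HostName, $cn)
    }

    # Trust check: the stand-alone root must be in this client's Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($cert)) {
        Write-Host "Trust      : chain builds to a trusted root on this client"
    } else {
        $chain.ChainStatus | ForEach-Object { Write-Host ("Trust      : {0} - {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    }
    $ssl.Close()
} finally {
    $client.Close()
}
```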