October 22, 2007, 12:50 PM PDT
Takeaway: SSL (Secure Sockets Layer) certificates are perhaps the most common way to protect information being transmitted between a visitor Web browser and your Web site. SSL provides encryption services to information flowing between systems and can protect Web traffic, e-mail, instant messages and a host of other kinds of data transmittals. Scott Lowe shows you how to obtain and install a third-party SSL certificate into Microsoft Internet Information Server 7.0 (IIS 7) running on Windows Server 2008.
SSL (Secure Sockets Layer) certificates are perhaps the most common way to protect information being transmitted between a visitor Web browser and your Web site. SSL provides encryption services to information flowing between systems and can protect Web traffic, e-mail, instant messages and a host of other kinds of data transmittals.
I’m not going to go into great detail about the inner workings of SSL except to say that it is a critical infrastructure component for any organization that has a desire to protect customer or other confidential information. SSL is widely used by banks, e-commerce companies, and other Web entities that require transmission of sensitive information, such as passwords, social security numbers, etc.
I will show you how to obtain and install a third-party SSL certificate into Microsoft Internet Information Server 7.0 (IIS 7) running on Windows Server 2008. I am running the RC0 version ofWindows Server 2008.
This blog post is also available as a TechRepublic gallery and TechRepublic download.
In the most simplistic view, there are four kinds of certificates to which you will be exposed during your SSL installation:
- Self-signed SSL certificates: These are certificates that you generate and use to encrypt information passing between a client and your server. These certificates are good insofar as they do allow you to encrypt data, but since they are created on-site, the certificates have not been verified by a third party entity, meaning that the site can’t necessarily be trusted.
- Third-party SSL certificate: A third-party SSL certificate provides the same encryption capabilities as a self-signed certificate. However, since the certificate is issued by a third party, it is considered a more trusted type of certificate, especially when the certificate chain extends to a trusted root certificate.
- Intermediate certificate: Not all SSL certificate vendors are created equal. In order to be fully trusted, any certificate you obtain needs to eventually link to a root certificate that is trusted by your Web browser. However, not all vendors’ SSL certificates are natively trusted by root certificates. As such, with these vendors, you need to complete the SSL trust chain by (in addition to installing your SSL certificate) installing an intermediate certificate between a root certificate and your new SSL certificate. If you skip this step, users will continue to get certificate errors until this trust chain is established. The use of an intermediate SSL certificate requires a bit of additional network communication at the initial establishment of an SSL-secure session but beyond that, there is no performance penalty.
- Trusted root certificate (or Trusted root certification authorities): A root certificate is the Grand PooBah of the certificate world. In order to complete the trust chain, your individual certificate must, in some way, link to a root certificate.
A third-party SSL certificate is generally considered more trusted than a self-signed certificate since the certificate information is verified by a third party and the certificate ultimately maps to what is called a trusted root certificate.
Note: I am assuming that you will be installing a brand new certificate that you do not yet own and not importing some kind of existing certificate. Further, I assume that you do not have a complex public key infrastructure in-house and that you need to get your certificate from a third party. Finally, I’m making the assumption that you have already installed IIS 7 on your Windows Server 2008 system.
Step 1: Prepare a Certificate Signing Request (CSR)
Regardless of the SSL vendor you use, you first step in the process is to create a Certificate Signing Request (CSR) that will be sent to the SSL vendor of your choice. The CSR is a Base-64 encoded PKCS#10 message (this basically means it’s a bunch of gobbledygook that is unreadable by humans) that contains all of the information necessary to identify the person or company applying for the certificate. The request also includes the applicant’s public key. This key is the public portion of a combined public key/private key structure that, together, is able to effectively and securely encrypt information.
Figure A
Open the properties page for the site you want to protect
Figure B
Click the Server Certificate button to begin the process
Figure C
Provide information about your site
Figure D
Choose a cryptography provider and key length
Figure E
Save the CSR
Here’s some of the CSR mumbo jumbo associate with this certificate request:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDdDCCAt0CAQAwgYExCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhNaXNzb3VyaTEP
MA0GA1UEBwwGRnVsdG9uMRwwGgYDVQQKDBNXZXN0bWluc3RlciBDb2xsZWdlMQsw
...
ax1eQoOeKGAGUu8yi6s93qaizGAEfQ49W3uSB0VoSg9IYbCXOefEauA2uApDt9ve
3zxQMwtCDFdDbbKCN9gKalJkEGzqXrx9
-----END NEW CERTIFICATE REQUEST-----
Step 2: Request a certificate from a certificate vendor
Now, with your CSR in hand, visit the Web site of your favorite SSL certificate provider and buy your new certificate. During the registration process, you need to provide the certificate company with information validating you or your company’s identity. Some consider this part a hassle, but it really is a vital part of the overall SSL chain. After all, you don’t want just anyone receiving a certificate that uses your company name!
The certificate request process varies by certificate company, so I can’t really provide the exact steps for the certificate request. What I can tell you is that, at some point, you’ll need to open up the text file that contains the certificate request in order to copy and paste the encrypted certificate request in the appropriate field on the order form.
Once you complete the vendor’s certificate request (Figure F) form and provide them with payment, you’ll need to wait for the SSL certificate to be delivered to you via e-mail.
Figure F
Provide the necessary information for the SSL certificate vendor
Step 3: Save the provided certificate somewhere accessible
What you get back from a certificate vendor depends on the vendor you choose. In the case of the company that I used to get my certificate, they sent back a zip file with three certificates. One of the certificates is named ssltest_westminster-mo_edu.crt. This is the certificate I need for the new Web site. The other two certificates are required if you need to chain the new certificate back to a root certificate. We will not be discussing them in this document.
The new certificate is nothing more than a text file, as was the case with the CSR. However, in this case, the information starts with —–BEGIN CERTIFICATE—– and ends with —–END CERTIFICATE—–. In the previous step, the terms were BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST. Extract the contents of this zip file to a location accessible from your Web server.
Step 4: Install the certificate
After making sure that your Web server can access the certificate files, you need to install the new certificate so that it can be used by your Web site.
Figure G
Tell the wizard where it can find the certificate file and provide a friendly name
The certificate is now installed and ready to be assigned to a Web site.
Step 5: Add an HTTPS binding to a Web site
Now, with the certificate installed, it’s time to put it to work. In IIS 7, you need to bind the HTTPS protocol to a Web site and then assign an installed certificate to be used to protect that Web site. Follow these steps:
Figure H
A look at a site to which HTTPS will be bound
Figure I
The Site Bindings window
Figure J
Provide the appropriate details for the Add Site Binding dialog box
Figure K
The results of the new binding
Step 6: Test your certificate
Now, test your certificate by browsing to the new site. You should not get any certificate errors. InFigure L note that I have successfully browsed to the new site and that there is a lock icon indicating that SSL is active. Figure M is a look at the certificate as detailed in the Web browser.
0 comments:
Post a Comment