2012-01-13

IIS 7.5 HTTPS Configuration and Certificate Installation





How to Generate a Server Certificate for IIS 7.5
================================================


Background
----------


There are different ways to generate a server certificate for IIS 7.5. This page
describes one of them: using a private CA to sign the server certificate.


The private CA here is an OpenSSL-based CA. To set up the CA, you need a Linux machine
with OpenSSL installed. A couple of shell scripts help create the CA and sign
certificate requests.


For this test, the private CA runs on Aric's Ubuntu Linux machine. The certificate
of the CA is included below.




The CA certificate may be needed on the client side to verify certificates signed by
this CA. If needed, copy the CA certificate contents above (including the BEGIN and END
lines) to a text file and import it into the client system. How to import the CA
certificate differs from system to system.


Steps to Create Server Certificate for IIS 7.5
----------------------------------------------


1. Create certificate request on IIS 7.5




   a. Open IIS Manager;


   b. Select the server you are creating the certificate for;


   c. In the 'Features View', double click 'Server Certificates'. It shows a list of the 
      certificates installed for this server;


   d. In the 'Actions' panel, click 'Create Certificate Request...';


   e. In the new dialog box, enter the required information. You can use the server name as
      the 'Common Name'. Click 'Next';


   f. Choose 'Microsoft RSA SChannel Cryptographic Provider' and '1024' bit length. Click
      'Next';


   g. Click the browse button to select a folder and file name to save the certificate request.
      Click 'Finish'.


2. Send the certificate request to the CA to sign it


   Copy the file you saved above and send it to Aric.


3. The CA signs the certificate


   Aric will sign this certificate request and send back the certificate.


4. Install the certificate on IIS 7.5


   a. Save the signed certificate into a folder on the server;


   b. Open IIS Manager and select the server you are creating the certificate for;


   c. In the 'Features View', double click 'Server Certificates'. It shows a list of the 
      certificates installed for this server;


   d. In the 'Actions' panel, click 'Complete Certificate Request...';


   e. In the new dialog box, click the browse button to find the certificate file you just
      saved. Note that you may need to set the filter to '*.*' rather than '*.cer' if the
      certificate was saved with a suffix other than '.cer';


   f. In the 'Friendly name' field, enter a name, e.g. 'Aric signed certificate'. Click 'OK';


   g. If everything is OK, the certificate is now installed on IIS 7.5.


5. Enable HTTPS for the web site


   a. Open IIS Manager;


   b. Select the server you are creating the certificate for;


   c. Navigate to the web site on which you want to enable HTTPS;


   d. In 'Features View', under the 'Actions' panel, click 'Bindings...';


   e. If no https binding exists yet, click 'Add...' to add one. If it already exists,
      click 'Edit...' to modify it;


   f. In the new dialog box, choose 'https' as the 'Type' and enter your port number in
      'Port'. Under 'SSL certificate:', select the certificate you installed in step 4.
      Click 'OK' to finish. Some warnings may appear; just click 'OK' to finish;


   g. Back in the 'Site Bindings' dialog, click 'Close';


   h. Restart the web site by clicking 'Restart' under the 'Actions' panel.


6. Now your web site should work with HTTPS. You can open a browser to test it.
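
An added example, not part of the original page and not one of Aric's CA scripts: a check the CA operator could run on the request received in step 2 before signing it in step 3. The function names, the sample host name web01.example.test and the MIN_BITS default of 2048 (an assumed CA policy, stricter than the 1024 bits chosen in step 1f) are assumptions; make_sample_csr builds a constructed request with openssl so the check can be tried without an IIS server.

```shell
# Added example: CA-side review of a certificate request before signing.
# MIN_BITS is an assumed CA policy value, not something the page specifies.
MIN_BITS="${MIN_BITS:-2048}"

# csr_bits FILE -> prints the public key size in bits
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# csr_cn FILE -> prints the subject Common Name
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# check_csr FILE EXPECTED_CN -> 0 if acceptable; 1 bad signature, 2 wrong CN, 3 weak key
# Usage: check_csr request.txt web01.example.test
check_csr() {
    local csr="$1" want_cn="$2" bits cn
    # The request must carry a valid self-signature (proof of key possession).
    # The output is matched on text because older openssl releases exit 0 on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "REJECT: bad or unreadable request signature"; return 1; }
    # Step 1e uses the server name as the Common Name, so it must match.
    cn="$(csr_cn "$csr")"
    [ "$cn" = "$want_cn" ] || {
        echo "REJECT: CN '$cn' does not match server name '$want_cn'"; return 2; }
    bits="$(csr_bits "$csr")"
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ] || {
        echo "REJECT: ${bits:-unknown}-bit key is below the ${MIN_BITS}-bit minimum"; return 3; }
    echo "OK: CN=$cn, ${bits}-bit key"
}

# make_sample_csr BITS CN OUTFILE -> constructed stand-in for the file saved in step 1g
# (the throwaway private key is written next to it as OUTFILE.key)
make_sample_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -keyout "$3.key" \
        -subj "/CN=$2" -out "$3" 2>/dev/null
}
```

A request saved by IIS uses the 'BEGIN NEW CERTIFICATE REQUEST' PEM header, which openssl req reads like any other PKCS#10 request.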


