Solved

how to install ssl on a w2003 IIS6 server

Posted on 2004-08-16
Last Modified: 2008-02-01
hi there.

Newbie with SSL here. I have a fresh Windows 2003 server with basic IIS installed and a default web site running.

How do I install SSL on it?

Browsing through web site properties, moving to Directory Security, and clicking on Server Certificate in "Secure Communications" brings me to the wizard to create an IIS certificate. After selecting "to prepare the request but send it later", I am then asked to type a name for the new certificate and assign a bit length to the encryption (1024, 2048, etc.). At this point I stop, somewhat perplexed.

I could probably blunder my way through, but I'd like confirmation of the method first, please?

I'm assuming I create a certificate using the creation wizard, then apply for a digital certificate from VeriSign and install the certificate I receive into the IIS server using the wizard?

thanks in advance

Daryn
Question by:daryn
14 Comments

Accepted Solution by: Dave_Dietz (earned 250 total points)
ID: 11809874
See the following article:

299875 HOW TO: Implement SSL on a Windows 2000 IIS 5.0 Computer
http://support.microsoft.com/?id=299875

(It applies to Windows 2003/IIS 6.0 as well.)

If you have any questions after looking this over let me know.....  :-)

Dave Dietz

Author Comment by: daryn
ID: 11818998
I've seen a number of sites with secure certificates that aren't digitally signed (presumably by VeriSign).

If I want to basically let 1) the network firewall and 2) the IP restrictions on IIS allow only one trusted IP address through to the web server, and I don't want to spend the cash out to VeriSign (or freessl.com) to digitally sign a certificate, can I arrange for myself a certificate that the other person will just click "yes" to when their browser states that it is unsigned and a little unsafe?

thanks

Daryn

Author Comment by: daryn
ID: 11819063
Re: previous comment, is that what "Certificate Server 2.0" is for, I'm guessing?

And if I install CS2 onto Windows 2003, do I install it as an Enterprise CA or a Stand Alone CA?

thanks

Expert Comment by: meverest
ID: 11820973
Yes, MS Cert Server will let you sign your own certs. If you install it on the same server as IIS, then when you do the cert setup in the IIS wizard, you can sign it in one online process.

Make it a standalone for most purposes.

Note that when you access the self-signed cert site, IE will throw a warning that the cert is signed by an unknown/untrusted organisation. You can't get rid of that unless every client chooses to trust your cert server.

cheers.

Expert Comment by: Dave_Dietz
ID: 11822704
Certificate Services 2.0 is a Certificate Authority.  There are several available, some open source, but CS 2.0 is a good solid certificate server.

It is not required that you install it on a server with IIS though it does have a web based interface that is very convenient if you do install it on an IIS server.

Enterprise CAs integrate into an Active Directory and can be used for a number of domain PKI functions automatically.  A standalone CA can be used for many of the same functions but doesn't have the same level of domain integration.

For your purpose I would suggest installing as a Standalone CA.

As far as using a network firewall and IP restrictions you don't have to have a certificate for either of these functions.  Server certificates are for use with SSL encryption which can be used in conjunction with either of the previously mentioned technologies.

Any certificate you generate using a Certificate Server is "signed".  The issue at hand is that for a client to trust the certificate they have to trust the issuing Certificate Authority.  Verisign is included by default in the Root CA listing with most browsers.

If you are interested in arranging to let clients trust your CA there is a good article on how to set up an easy method of getting your Root CA Certificate into client browsers:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;297681

I have used this method myself to good effect.

Side note:  just because you don't trust a CA doesn't mean that SSL using a certificate from it works any less effectively than from one you do trust.  Encryption is encryption and a 128 bit certificate from my CA will encrypt SSL communications as well as a 128 bit certificate from any major CA (like Verisign).  The trust issue only makes a difference in whether the client will automatically accept the certificate or not.

Hope this clears things up.  If not let us know and we'll set you on the right path..... :-)

Dave Dietz

Author Comment by: daryn
ID: 11840804
Looking good so far, but... lo!! Life has found yet another way to stop me doing my (underpaid) job!

This web server is on a network that is all 192.168.0 class (I'm accessing the web server using port forwarding from their ADSL modem/router with the one public IP address for the NAT of the private IP network), and thus, I reckon, the certificate is getting annoyed, since I'm getting this error message (when using Netscape, since IE is useless at displaying any error message except "Cannot find server or DNS Error"!!):

Could not establish an encrypted connection because certificate provided by <the public ip address assigned to their router> is invalid or corrupted. Error code: -8102

Am I correct in my guess that a web server with SSL installed needs a public IP addy, or am I barking up the wrong tree?

thanks

Daryn

Expert Comment by: meverest
ID: 11841236
hi,

The browser needs to contact the certificate server to validate the certificate.  The IP address of the cert server is contained in the certificate public key file issued by the web server.  The browser will then contact the cert server on (I think) port 4433.

I figure that the cert installed in the web server probably points to the private address of the server, and thus the client browser cannot verify the cert's authenticity.  The first problem is to generate the certificate with the correct IP address. You can probably swing that by temporarily changing the cert server IP address to the public address of your DSL router, generating the cert, then changing it back (this may not work if the IP address is defined when you install the cert server, in which case you can probably think of the rigmarole needed to do it then).

Once you get *that* sorted out, then you will need to forward port 4433 at the router to the private address of the cert server.

cheers.

Author Comment by: daryn
ID: 11842398
Hrmfle. Tricky one.

Will test your theory at the client site on Monday. If it doesn't work, I will be right back here on Monday afternoon. :)


Expert Comment by: meverest
ID: 11846746
I guess that the simplest way to test that theory is to test that it does work OK from inside the private LAN.

cheers.

Expert Comment by: Dave_Dietz
ID: 11849127
The only reason you would need a public IP is if you have server certificate revocation checking turned on in your browser settings.  If this is turned on the browser will try to contact the CA as specified in the CDP entry of the certificate (CRL (Certificate Revocation Listing) Distribution Point).  If this is not turned on the browser will assume the certificate is good as long as it is within its validity period.

As far as changing the CDP (and possibly AIA though this isn't used much) it is a simple matter to modify this entry through the CA Management Console.  I doubt this is necessary but I can give further details if it proves needed.

The error actually sounds more like you are missing the private key for the certificate.  If you select View Certificate from the Directory Security settings does it say you have a private key that corresponds to the certificate?

Is this server accessible from the Internet?  If so there may be some testing we can do from the outside to see what's going on.

Dave Dietz

Author Comment by: daryn
ID: 11997195
I've definitely got the private key. It's telling me "You have a private key that corresponds to this certificate" when I go to the web site properties.

When it tells me that I am now unable to change the name of the PC, how does the certificate I generate relate to that? Do I have to mention the name of the certificate server when generating the certificate?

Expert Comment by: Dave_Dietz
ID: 11998014
Once you install Certificate Services you cannot change the machine name since it is used by the CA - it doesn't have anything to do with any SSL certificates you have generated.

You will need to set the Common name of the certificate to the FQDN used by your clients to get to the server or else you will receive a security warning when trying to browse the site.

If you follow the steps in the article I originally mentioned it should explain how to do this properly.

I will be out of town for a few days but I check back in on this when I return.....  :)

Dave Dietz
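
The flow the thread converges on (a standalone CA of your own, a request whose Common Name is the FQDN clients actually use, an issued certificate with its private key present), as an added example that is not from the thread or from Microsoft Certificate Services: it rebuilds the same pieces with OpenSSL in a POSIX shell so the three checks discussed above can be run offline. The host name www.example.test, the address 203.0.113.10 and the file names are assumptions. It shows that the chain verifies once the client trusts the private root but not against the default root store (the "unknown/untrusted organisation" warning meverest describes), that a certificate issued to the FQDN fails name matching when the client connects to a bare public IP (the -8102 error Daryn hit through the router), and how to confirm that the private key on disk corresponds to the certificate (the question Dave raised).

```shell
#!/bin/sh
# Added example, not from the thread: the standalone-CA flow the thread ends up
# with, redone with OpenSSL so its trust, naming and private-key checks can be
# run offline. FQDN and PUBLIC_IP are assumptions, not values from the thread.
FQDN="www.example.test"        # the name clients will type into the browser
PUBLIC_IP="203.0.113.10"       # stand-in for the router's public address

# Build a throwaway PKI in a scratch directory and print its path.
#   ca.crt/ca.key    the "standalone CA" (self-signed root)
#   srv.csr          the request the IIS wizard "prepares but sends later"
#   srv.crt/srv.key  the issued server certificate and its private key
build_pki() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Standalone Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

  # The request's Common Name is the FQDN clients use. A request made out to
  # the LAN address or the machine name is what produces the "certificate is
  # invalid" error when the site is reached through the router's public IP.
  cat > "$dir/srv.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $FQDN
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/srv.cnf" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1

  # Extensions the CA stamps onto the issued certificate; current clients
  # match the host name against subjectAltName rather than the CN.
  cat > "$dir/srv.ext" <<EOF
subjectAltName = DNS:$FQDN
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/srv.ext" -out "$dir/srv.crt" \
    2>/dev/null || return 1
  echo "$dir"
}

# 0 when a client that has imported ca.crt as a trusted root accepts srv.crt.
chain_trusted() {
  openssl verify -CAfile "$1/ca.crt" "$1/srv.crt" >/dev/null 2>&1
}

# 0 only if the default root store accepts srv.crt. For a private CA it does
# not: this is the "unknown/untrusted organisation" warning from the thread.
chain_trusted_by_default_store() {
  openssl verify "$1/srv.crt" >/dev/null 2>&1
}

# 0 when srv.crt is valid for the DNS name the client connected to.
name_matches() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/srv.crt" >/dev/null 2>&1
}

# 0 when srv.crt is valid for a literal IP address. Ours names only the FQDN,
# so connecting to the public IP fails name matching although the chain is fine.
ip_matches() {
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/srv.crt" >/dev/null 2>&1
}

# 0 when srv.key is the private key for srv.crt (IIS: "You have a private key
# that corresponds to this certificate"). Compares the public key from each side.
key_matches_cert() {
  pub_from_cert=$(openssl x509 -in "$1/srv.crt" -noout -pubkey 2>/dev/null)
  pub_from_key=$(openssl pkey -in "$1/srv.key" -pubout 2>/dev/null)
  [ -n "$pub_from_cert" ] && [ "$pub_from_cert" = "$pub_from_key" ]
}

main() {
  d=$(build_pki) || { echo "PKI build failed (is openssl installed?)"; return 1; }
  chain_trusted "$d" && echo "trusted: client has ca.crt as a root"
  chain_trusted_by_default_store "$d" || echo "untrusted: default store lacks ca.crt"
  name_matches "$d" "$FQDN" && echo "name OK for $FQDN"
  ip_matches "$d" "$PUBLIC_IP" || echo "name mismatch for $PUBLIC_IP (cert names $FQDN)"
  key_matches_cert "$d" && echo "srv.key corresponds to srv.crt"
  rm -rf "$d"
}

main
```

Run it with sh and OpenSSL 1.1.0 or later on the path (-verify_hostname and -verify_ip are not in older releases). On the IIS side the same three checks correspond to importing the CA's root certificate into each client (the KB 297681 method Dave points to), putting the FQDN in the Common Name when the wizard asks for it, and the "You have a private key that corresponds to this certificate" line in the certificate viewer.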

Author Comment by: daryn
ID: 12004966
Ta v. much. Will try again.

Daryn

Author Comment by: daryn
ID: 12005176
Got it working. Thanks v. much, all!
