Solved

how to install ssl on a w2003 IIS6 server

Posted on 2004-08-16
Last Modified: 2008-02-01
hi there.

newbie with ssl here. I have a fresh windows 2003 server with basic iis installed and a default web site running.

how do i install ssl on it?

Browsing through the web site properties, moving to Directory Security and clicking on Server Certificate in "Secure Communications" brings me to the wizard to create an IIS certificate; selecting "prepare the request now, but send it later", I am then asked to type a name for the new certificate and assign a bit length to the encryption (1024, 2048, etc.). At this point I stop, somewhat perplexed.

I could probably blunder my way through but I'd like confirmation of the method first, please?

I'm assuming I create a certificate using the creation wizard, then apply for a digital certificate from verisign and install the certificate i receive into the iis server using the wizard?

thanks in advance

Daryn
Question by:daryn
 
Accepted Solution by Dave_Dietz (LVL 34, earned 250 total points)

See the following article:

299875 HOW TO: Implement SSL on a Windows 2000 IIS 5.0 Computer
http://support.microsoft.com/?id=299875

(It applies to Windows 2003/IIS 6.0 as well)

If you have any questions after looking this over let me know.....  :-)

Dave Dietz

Author Comment by daryn

I've seen a number of sites with secure certificates that aren't digitally signed (presumably by Verisign).

If I want to basically let 1) the network firewall and 2) the IP restrictions on IIS allow only one trusted IP address through to the web server, and I don't want to spend the cash out to Verisign (or freessl.com) to digitally sign a certificate, can I arrange for myself a certificate that the other person will just click "yes" on when their browser states that it is unsigned and a little unsafe?

thanks

Daryn

Author Comment by daryn

re: previous comment, is that what "Certificate Server 2.0" is for, I'm guessing?

and if i install CS2 onto win 2003, do i install it as an enterprise CA or a Stand Alone CA?

thanks

Expert Comment by meverest (LVL 37)

yes, MS cert server will let you sign your own certs.  if you install it on the same server as iis, then when you do the cert setup in the iis wizard, you can sign it in one online process.

make it a stand alone for most purposes.

note that when you access the self-signed cert site, IE will throw a warning that the cert is signed by an unknown/untrusted organisation.  you can't get rid of that unless every client chooses to trust your cert server.

cheers.

Expert Comment by Dave_Dietz (LVL 34)

Certificate Services 2.0 is a Certificate Authority.  There are several available, some open source, but CS 2.0 is a good solid certificate server.

It is not required that you install it on a server with IIS though it does have a web based interface that is very convenient if you do install it on an IIS server.

Enterprise CAs integrate into an Active Directory and can be used for a number of domain PKI functions automatically.  A standalone CA can be used for many of the same functions but doesn't have the same level of domain integration.

For your purpose I would suggest installing as a Standalone CA.

As far as using a network firewall and IP restrictions you don't have to have a certificate for either of these functions.  Server certificates are for use with SSL encryption which can be used in conjunction with either of the previously mentioned technologies.

Any certificate you generate using a Certificate Server is "signed".  The issue at hand is that for a client to trust the certificate they have to trust the issuing Certificate Authority.  Verisign is included by default in the Root CA listing with most browsers.

If you are interested in arranging to let clients trust your CA there is a good article on how to set up an easy method of getting your Root CA Certificate into client browsers:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;297681

I have used this method myself to good effect.

Side note:  just because you don't trust a CA doesn't mean that SSL using a certificate from it works any less effectively than from one you do trust.  Encryption is encryption and a 128 bit certificate from my CA will encrypt SSL communications as well as a 128 bit certificate from any major CA (like Verisign).  The trust issue only makes a difference in whether the client will automatically accept the certificate or not.

Hope this clears things up.  If not let us know and we'll set you on the right path..... :-)

Dave Dietz

Author Comment by daryn

lookin good so far but.. LO!! life has found yet another way to stop me doin my (underpaid) job!

this web server is on a network that is all 192.168.0 class (I'm accessing the web server using port forwarding from their ADSL modem/router, with the one public IP address for the NAT of the private IP network) and thus, I reckon, the certificate is getting annoyed, since I'm getting this error message (when using Netscape, since IE is useless at displaying any error message except "can't find server or DNS error"!!):

Could not establish an encrypted connection because certificate provided by <the public ip address assigned to their router> is invalid or corrupted. Error code: -8102

am I correct in my guess that a web server with ssl installed needs a public ip addy or am i barking up the wrong tree?

thanks

Daryn

Expert Comment by meverest (LVL 37)

hi,

the browser needs to contact the certificate server to validate the certificate.  the ip address of the cert server is contained in the certificate public key file issued by the web server.  the browser will then contact the cert server on (i think) port 4433.

i figure that the cert installed in the web server probably points to the private address of the server, and thus the client browser cannot verify the cert authenticity.  first problem is to generate the certificate with the correct ip address - you can probably swing that by temporarily changing the cert server ip address to the public address of your dsl router, generate the cert, then change it back (this may not work if the ip address is defined when you install the cert server - in which case you can probably think of the rigmarole needed to do it then)

once you get *that* sorted out, then you will need to forward port 4433 at the router to the private address of the cert server.

cheers.
 

Author Comment by daryn

hrmfle. tricky one.

will test yer theory at the client site on monday. if it dont work, will be right back here on monday afternoon. :)


Expert Comment by meverest (LVL 37)

i guess that the simplest way to test that theory is to test that it does work ok from inside the private lan.

cheers.

Expert Comment by Dave_Dietz (LVL 34)

The only reason you would need a public IP is if you have server certificate revocation checking turned on in your browser settings.  If this is turned on the browser will try to contact the CA as specified in the CDP entry of the certificate (CRL (Certificate Revocation Listing) Distribution Point).  If this is not turned on the browser will assume the certificate is good as long as it is within its validity period.

As far as changing the CDP (and possibly AIA though this isn't used much) it is a simple matter to modify this entry through the CA Management Console.  I doubt this is necessary but I can give further details if it proves needed.

The error actually sounds more like you are missing the private key for the certificate.  If you select View Certificate from the Directory Security settings does it say you have a private key that corresponds to the certificate?

Is this server accessible from the Internet?  If so there may be some testing we can do from the outside to see what's going on.

Dave Dietz

Author Comment by daryn

i've definitely got the private key. it's telling me "You have a private key that corresponds to this certificate" when i go to the web site properties.

when it tells me that I am now unable to change the name of the PC, how does the certificate I generate relate to that? do I have to mention the name of the certificate server when generating the certificate?

Expert Comment by Dave_Dietz (LVL 34)

Once you install Certificate Services you cannot change the machine name since it is used by the CA - it doesn't have anything to do with any SSL certificates you have generated.

You will need to set the Common Name of the certificate to the FQDN used by your clients to get to the server or else you will receive a security warning when trying to browse the site.

If you follow the steps in the article I originally mentioned it should explain how to do this properly.

I will be out of town for a few days but I check back in on this when I return.....  :)

Dave Dietz
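As an added illustration (not code from the thread or from either expert), the checks discussed above reduced to a small Python model: a constructed certificate record is tested against the name the client types, the client's trusted root list, the validity period and, only when revocation checking is on, whether the CRL distribution point is reachable from outside a 192.168.0.x network. The CA name, hostnames and URLs are constructed stand-ins; the record is a dict, not a parsed X.509 certificate.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed stand-in for the certificate generated in the thread: CN is the machine
# name, the CDP points at a private address, and the issuer is the author's own CA.
CERT_BEFORE = {
    "subject_cn": "webserver",
    "san": [],  # older IIS-issued certs rarely carried subjectAltName
    "issuer": "Daryn Standalone CA",
    "not_before": datetime(2004, 8, 1, tzinfo=timezone.utc),
    "not_after": datetime(2006, 8, 1, tzinfo=timezone.utc),
    "cdp": ["http://192.168.0.10/CertEnroll/ca.crl"],
}
# Same certificate after the advice above: CN set to the FQDN clients use, CDP by name.
CERT_AFTER = dict(CERT_BEFORE, subject_cn="www.example.com", cdp=["http://ca.example.com/CertEnroll/ca.crl"])
NOW = datetime(2004, 8, 16, tzinfo=timezone.utc)

def name_matches(pattern, host):
    """Exact or single-label wildcard (*.example.com) match, case-insensitive."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and host.count(".") >= 2:
        return host.split(".", 1)[1] == pattern[2:]
    return False

def reachable_from_internet(url):
    """A CDP whose host is an RFC 1918 address cannot be fetched by outside clients."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0]
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True  # a DNS name: assume the client can resolve it

def browser_warnings(cert, hostname, trusted_roots, now=NOW, revocation_checking=False):
    """Reasons a browser would prompt before using this cert for hostname (empty = no prompt)."""
    reasons = []
    if cert["issuer"] not in trusted_roots:
        reasons.append("issuer not in the client's trusted root list: " + cert["issuer"])
    names = cert["san"] or [cert["subject_cn"]]
    if not any(name_matches(n, hostname) for n in names):
        reasons.append(f"name mismatch: cert is for {', '.join(names)}, client asked for {hostname}")
    if not cert["not_before"] <= now <= cert["not_after"]:
        reasons.append("outside validity period")
    if revocation_checking:  # only then does the browser try to fetch the CRL from the CDP
        reasons += ["CDP unreachable from the Internet: " + u
                    for u in cert["cdp"] if not reachable_from_internet(u)]
    return reasons
```

Calling `browser_warnings(CERT_BEFORE, "www.example.com", {"VeriSign"}, revocation_checking=True)` reports the untrusted issuer, the name mismatch and the private CDP; with the CA added to the trusted set and `CERT_AFTER`, the list is empty.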

Author Comment by daryn

tar v. much. will try again.

Daryn

Author Comment by daryn

got it working. thanks v. much all!
