how to install ssl on a w2003 IIS6 server

hi there.

newbie with ssl here. I have a fresh windows 2003 server with basic iis installed and a default web site running.

how do i install ssl on it?

browsing through web site properties, moving to directory security, clicking on Server Certificate in "Secure Communications" brings me to the wizard to create an iis certificate then selecting "to prepare the request but send it later", then asked to type a name for the new certificate and assign a bit length to the encryption, 1024, 2048 etc. At this point I stop, somewhat perplexed.

I could probably blunder my way through but I'd like confirmation of the method first, please?

I'm assuming I create a certificate using the creation wizard, then apply for a digital certificate from verisign and install the certificate i receive into the iis server using the wizard?

thanks in advance

Daryn
ASKER CERTIFIED SOLUTION
Dave_Dietz
daryn

ASKER

I've seen a number of sites with secure certificates that aren't digitally signed (presumably by verisign).

If I want to basically let 1) the network firewall and 2) the ip restrictions on IIS allow only one trusted ip address through to the web server, and I don't want to spend the cash out to verisign (or freessl.com) to digitally sign a certificate, can I arrange for myself a certificate that the other person will just click "yes" when their browser states that it is unsigned and a little unsafe?

thanks

Daryn
daryn

ASKER

re: previous comment, is that what "Certificate Server 2.0" is for, I'm guessing?

and if I install CS2 onto win 2003, do I install it as an enterprise CA or a Stand Alone CA?

thanks
meverest
yes, MS cert server will let you sign your own certs.  if you install it on the same server as iis, then when you do the cert setup in the iis wizard, you can sign it in one online process.

make it a stand alone for most purposes.

note that when you access the self-signed cert site, IE will throw a warning that the cert is signed by an unknown/untrusted organisation.  you can't get rid of that unless every client chooses to trust your cert server.

cheers.
Certificate Services 2.0 is a Certificate Authority.  There are several available, some open source, but CS 2.0 is a good solid certificate server.

It is not required that you install it on a server with IIS though it does have a web based interface that is very convenient if you do install it on an IIS server.

Enterprise CAs integrate into an Active Directory and can be used for a number of domain PKI functions automatically.  A standalone CA can be used for many of the same functions but doesn't have the same level of domain integration.

For your purpose I would suggest installing as a Standalone CA.

As far as using a network firewall and IP restrictions you don't have to have a certificate for either of these functions.  Server certificates are for use with SSL encryption which can be used in conjunction with either of the previously mentioned technologies.

Any certificate you generate using a Certificate Server is "signed".  The issue at hand is that for a client to trust the certificate they have to trust the issuing Certificate Authority.  Verisign is included by default in the Root CA listing with most browsers.

If you are interested in arranging to let clients trust your CA there is a good article on how to set up an easy method of getting your Root CA Certificate into client browsers:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;297681

I have used this method myself to good effect.

Side note:  just because you don't trust a CA doesn't mean that SSL using a certificate from it works any less effectively than from one you do trust.  Encryption is encryption and a 128 bit certificate from my CA will encrypt SSL communications as well as a 128 bit certificate from any major CA (like Verisign).  The trust issue only makes a difference in whether the client will automatically accept the certificate or not.

Hope this clears things up.  If not let us know and we'll set you on the right path..... :-)

Dave Dietz
daryn

ASKER

lookin good so far but.. LO!! life has found yet another way to stop me doin my (underpaid) job!

this web server is on a network that is all 192.168.0 class (I'm accessing the web server using port forwarding from their adsl modem/router with the 1 public ip address for the NAT of the private ip network) and thus, I reckon, the certificate is getting annoyed since I'm getting this error message (when using netscape since IE is useless with displaying any error message except "cant find server or dns error" !!):

Could not establish an encrypted connection because certificate provided by <the public ip address assigned to their router> is invalid or corrupted. Error code: -8102

am I correct in my guess that a web server with ssl installed needs a public ip addy or am I barking up the wrong tree?

thanks

Daryn
hi,

the browser needs to contact the certificate server to validate the certificate.  the ip address of the cert server is contained in the certificate public key file issued by the web server.  the browser will then contact the cert server on (I think) port 4433.

I figure that the cert installed in the web server probably points to the private address of the server, and thus the client browser cannot verify the cert authenticity.  first problem is to generate the certificate with the correct ip address - you can probably swing that by temporarily changing the cert server ip address to the public address of your dsl router, generate the cert, then change it back (this may not work if the ip address is defined when you install the cert server - in which case you can probably think of the rigmarole needed to do it then)

once you get *that* sorted out, then you will need to forward port 4433 at the router to the private address of the cert server.

cheers.
daryn

ASKER

hrmfle. tricky one.

will test yer theory at the client site on monday. if it dont work, will be right back here on monday afternoon. :)

I guess that the simplest way to test that theory is to test that it does work ok from inside the private lan.

cheers.
The only reason you would need a public IP is if you have server certificate revocation checking turned on in your browser settings.  If this is turned on the browser will try to contact the CA as specified in the CDP entry of the certificate (CRL (Certificate Revocation Listing) Distribution Point).  If this is not turned on the browser will assume the certificate is good as long as it is within its validity period.

As far as changing the CDP (and possibly AIA though this isn't used much) it is a simple matter to modify this entry through the CA Management Console.  I doubt this is necessary but I can give further details if it proves needed.

The error actually sounds more like you are missing the private key for the certificate.  If you select View Certificate from the Directory Security settings does it say you have a private key that corresponds to the certificate?

Is this server accessible from the Internet?  If so there may be some testing we can do from the outside to see what's going on.

Dave Dietz
daryn

ASKER

I've definitely got the private key. it's telling me "You have a private key that corresponds to this certificate" when I go to the web site properties.

when it tells me that I am now unable to change the name of the pc, how does the certificate I generate relate to that? do I have to mention the name of the certificate server when generating the certificate?
Once you install Certificate Services you cannot change the machine name since it is used by the CA - it doesn't have anything to do with any SSL certificates you have generated.

You will need to set the Common name of the certificate to the FQDN used by your clients to get to the server or else you will receive a security warning when trying to browse the site.

If you follow the steps in the article I originally mentioned it should explain how to do this properly.

I will be out of town for a few days but I'll check back in on this when I return.....  :)

Dave Dietz
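The checks Dave describes in his last two replies (the name a client types must match the certificate, validity period is all a browser checks without revocation checking, and a CDP on a private address is unreachable for outside clients) as an added Python example that is not from this thread. The certificate dict, host names and addresses are constructed; the dict follows the shape Python's `getpeercert()` returns, so the same functions can be run against a real server's certificate.

```python
import ipaddress
import ssl
from urllib.parse import urlparse

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns; not a real
# certificate. As in the thread, an internal CA issued it to the server's private name/IP.
SAMPLE_CERT = {
    "subject": ((("commonName", "webserver.internal.example"),),),
    "subjectAltName": (("DNS", "webserver.internal.example"), ("IP Address", "192.168.0.10")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
    "crlDistributionPoints": ("http://192.168.0.10/CertEnroll/internal-ca.crl",),
}
# Constructed "current time" so the validity check does not depend on when this runs.
CHECK_TIME = ssl.cert_time_to_seconds("Jun 01 00:00:00 2025 GMT")

def cert_names(cert):
    """Every name a client may use for this certificate: subject CN plus DNS/IP SANs."""
    names = set()
    for rdn in cert.get("subject", ()):
        names.update(v.lower() for k, v in rdn if k == "commonName")
    names.update(v.lower() for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address"))
    return names

def private_cdps(cert):
    """CDP URLs on an RFC 1918 address: Internet clients with revocation checking on cannot
    fetch the CRL from there, so the check fails even though the certificate itself is fine."""
    bad = []
    for url in cert.get("crlDistributionPoints", ()):
        host = urlparse(url).hostname or ""
        try:
            if ipaddress.ip_address(host).is_private:
                bad.append(url)
        except ValueError:  # a DNS name, not an address: cannot judge from the cert alone
            pass
    return bad

def diagnose(cert, host_used_by_client, now=CHECK_TIME):
    """Reasons a browser would warn: the name the client typed must be in the certificate,
    'now' must fall inside notBefore..notAfter, and the CRL must be fetchable if checked."""
    problems = []
    if host_used_by_client.lower() not in cert_names(cert):
        problems.append("name-mismatch")
    sec = ssl.cert_time_to_seconds
    if not sec(cert["notBefore"]) <= now <= sec(cert["notAfter"]):
        problems.append("outside-validity-period")
    if private_cdps(cert):
        problems.append("cdp-private-address")
    return problems
```

Reaching the server through the router's public address, as in the thread, yields `name-mismatch` against this certificate; reissuing it with the public FQDN as the Common Name clears that, and the CDP finding only matters for clients with revocation checking enabled.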
daryn

ASKER

tar v. much. will try again.

Daryn
daryn

ASKER

got it working. thanks v. much all!