Setting up SSL on IIS

Posted on 2015-02-05
Last Modified: 2015-02-12
Hi,
One of my clients has been working with an ecommerce integration group to get their website up and running, which is already working as of now, but now they want to use SSL for the website, so they want me to handle the install of the certificate on the webserver. I'm trying to get an overall understanding of all the components that go into doing this.
I am already in the process of downloading the intermediate certificate from GoDaddy and it looks pretty straightforward per their instructions. They also wanted me to open up port 443 on the firewall, which I did already, but when I tested the port using canyouseeme.org it reported that the connection was refused. Does there have to be another step for 443 traffic to be accepted on the webserver? Port 80 I was able to successfully test as not being blocked. What I was really confused about was that they said I had to create another name for the website to handle the SSL. In other words, if the current website is accessible as www.xyz.com they wanted me to use www.test.xyz.com when I applied for the certificate. Then they said I would have to add a DNS record for that xyz.test.com pointing to the same public IP as www.xyz.com. They said they could add the record to their local overrides but preferred not to unless I really had problems with the DNS. Thanks.
Question by: dankyle67
Accepted Solution by: OriNetworks (ID: 40591961)
Wow, I think I'm just as lost as you... I will try to explain using IIS 7, but if you have IIS 6 it should be easy to follow or search for the same directions.

Traditionally, enabling SSL is pretty simple.
1. Get a cert for the name or names users will be using to access your site (e.g. mysite.com). If you want to enable multiple names such as www.mysite.com, mail.mysite.com, etc., a UCC or wildcard cert is required to list all possible names users will access your site with.
2. In IIS, install the server certificate by opening the IIS Manager, click on the server, then click Certificates. Import your certificate, or create a new certificate request to submit to your SSL provider. You probably want Import.
3. Add bindings to your website. Bindings tell your site which ports and names to listen on. Expand Sites, right-click and select Edit Bindings.
4. Click Add, select https as the type, the IP address it will listen on (or leave All Unassigned), port 443, and select the certificate you just installed. This will use whatever names you registered when creating the SSL cert.

Browse to https://internal_server_ip to make sure you can get to the site using SSL. This will show a certificate warning because you are using an internal IP rather than the name you created the certificate for, but that's OK for now. If this does not work, you have a server configuration problem; maybe Windows Firewall is enabled or a different firewall software directly on the host is blocking the connection.

5. Set up your firewall to allow inbound 443 to be directed to your internal server IP address.

If you still have issues, you can try going to https://[external ip address]. By using the external IP address you will get a warning about an invalid cert, but it will verify your server is now exposed to the internet to handle requests.

If it works using the IP address but not the domain, you have a DNS issue. If https://external_ip does not work, your firewall is not configured correctly.

Author Comment by: dankyle67 (ID: 40592022)
Thanks for the good instructions so far. I actually went through most of the process with GoDaddy support and it was really confusing at first, since the generating, installing and requesting of certificates all look similar at first glance, but as I went through it I got a better handle on it. I had to delete the original CSR on IIS and generated a new one, which I then pasted into the GoDaddy site so it would generate a request again. I had to do all this because I found out that since the webserver is running on 2003 Server, it would require a hotfix for SHA-2. However, if we selected the 1-year subscription, we could select SHA-2 as the algorithm and would not have to worry about the hotfix. We plan on moving all this to a new 2012 server in about 2 months, so at least I have some understanding of the process when having to do the certificate drill again. I will test if I can access using https now and get back to you.

Author Comment by: dankyle67 (ID: 40593486)
OK, I tested it by trying to get to the site externally using https://public ip and it came back as you mentioned with the site warning, since I'm not using the name of the certificate, so this looks good so far. I'm waiting now for the ecommerce integration group to add the host record of our internal server name to their end on DNS so that the site can be accessed using xyz.test.com, which matches the certificate name. This is the part I don't understand. Why did they ask us to make the name different for the internal server when applying for the certificate? In other words, prior to the SSL certificate, a person could access www.xyz.com using http, and if they wanted to use https of course they would use the same name, except now they would use https://www.xyz.com, but I'm assuming this is what the ecommerce group is working on now with the different name. They are probably adding host xyz.test.com to their DNS so that it has the same IP as xyz.com.

Expert Comment by: OriNetworks (ID: 40594466)
As an added note, you may want to check IIS to make sure Require SSL is selected for at minimum the ecommerce site or virtual directory. This will prevent users from accidentally putting sensitive information into an unencrypted form. It should also be required for any portion of the site where the user may enter login credentials.

I don't know the answer to that, but it should be a simple question to ask them, and you should ask them to understand why they directed you to do so anyway. One example might be if you are trying to serve a mix of encrypted content and unencrypted content under the same site, which is a bad practice anyway; using a different subdomain for the encrypted site will allow you to set up a different site in IIS specifically for that binding (e.g. store.xyz.com), that way the server won't try to run everything through SSL. SSL does have a slight performance impact, but it's only noticeable with many users.
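The steps from the accepted solution (install the certificate, add the 443 binding, confirm the listener, separate a DNS problem from a firewall problem) together with the Require SSL setting from the follow-up comment, as an added PowerShell example that is not from this thread. It assumes Windows Server 2012 / IIS 8 (the server the asker plans to move to, not the 2003 box), the WebAdministration and PKI modules, and placeholder values for the site name, host name, PFX path and public IP.

```powershell
# Added example, not from the thread. Assumes Server 2012 / IIS 8 with the
# WebAdministration and PKI modules. Site name, host name, PFX path and the
# expected public IP are placeholders; replace them with your own values.
Import-Module WebAdministration
Import-Module PKI

$siteName = 'Default Web Site'               # placeholder: IIS site to bind
$hostName = 'www.example.com'                # placeholder: name on the certificate
$pfxPath  = 'C:\certs\www.example.com.pfx'   # placeholder: certificate + private key
$publicIp = '203.0.113.10'                   # placeholder: public IP the firewall forwards
$pfxPass  = Read-Host -AsSecureString 'PFX password'

# Step 2: install the server certificate (IIS Manager > Server Certificates > Import).
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass

# Steps 3-4: add an https binding on 443 for all addresses and attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $hostName
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Follow-up comment: Require SSL so forms and logins cannot be submitted over plain http.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Check 1: is anything listening on 443 locally? If not, the problem is on the server.
$listening = Get-NetTCPConnection -State Listen -LocalPort 443 -ErrorAction SilentlyContinue
"Listening on 443 locally: " + [bool]$listening

# Check 2: does the public name resolve to the IP the firewall forwards from?
$resolved = (Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue).IPAddress
"DNS for $hostName -> $resolved (expected $publicIp)"

# Check 3: is 443 reachable from outside? Run this part from a machine off the LAN.
$tcp = Test-NetConnection -ComputerName $publicIp -Port 443
"443 reachable on $publicIp : " + $tcp.TcpTestSucceeded

# Check 4: which name does the served certificate carry? Connect by IP but send the
# host name (SNI), so a DNS problem cannot mask a certificate-name mismatch.
# Validation is disabled here only to read the certificate; browsers still warn.
$client = New-Object Net.Sockets.TcpClient($publicIp, 443)
$ssl = New-Object Net.Security.SslStream($client.GetStream(), $false, [Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($hostName)
"Served certificate subject: " + $ssl.RemoteCertificate.Subject
$client.Close()
```

Checks 1 and 2 map to "server configuration problem" and "DNS issue" in the accepted solution; a failed check 3 with a passing check 1 points at the firewall or port forward rather than IIS.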