

Setting up SSL on IIS

Posted on 2015-02-05
Medium Priority
Last Modified: 2015-02-12
One of my clients has been working with an ecommerce integration group to get their website up and running, which is
already working as of now, but now they want to use SSL for the website, so they want me to handle the install of the certificate on the web server. I'm trying to get an overall understanding of all the components that go into doing this.
I'm already in the process of downloading the intermediate certificate from GoDaddy and it looks pretty straightforward per their instructions. They also wanted me to open up port 443 on the firewall, which I did already, but when I tested the port using canyouseeme.org it reported that the connection was refused. Does there have to be another step for 443 traffic to be accepted on the web server? Port 80 I was able to successfully test as not being blocked. What I was really confused about was that they said I had to create another name for the website to handle the SSL. In other words, if the current website is accessible as www.xyz.com, they wanted me to use www.test.xyz.com when I applied for the certificate. Then they said I would have to add a DNS record for that xyz.test.com pointing to the same public IP as www.xyz.com. They said they could add the record to their local overrides but preferred not to unless I really had problems with the DNS. Thanks.
Question by:dankyle67
LVL 17

Accepted Solution

OriNetworks earned 2000 total points
ID: 40591961
Wow, I think I'm just as lost as you... I will try to explain using IIS 7, but if you have IIS 6 it should be easy to follow or search for the same directions.

Traditionally, enabling SSL is pretty simple.
1. Get a cert for the name or names users will be using to access your site (e.g. mysite.com). If you want to enable multiple names such as www.mysite.com, mail.mysite.com, etc., a UCC or wildcard cert is required to list all possible names users will access your site with.
2. In IIS, install the server certificate by opening the IIS Manager, click on the server, then click Certificates. Import your certificate, or create a new certificate request to submit to your SSL provider. You probably want Import.
3. Add bindings to your website. Bindings tell your site which ports and names to listen on. Expand Sites, right-click your site and select Edit Bindings.
4. Click Add, select https as the type, the IP address it will listen on (or leave All Unassigned), port 443, and select the certificate you just installed. This will use whatever names you registered when creating the SSL cert.

Browse to https://internal_server_ip to make sure you can get to the site using SSL. This will show a certificate warning because you are using an internal IP rather than the name you created the certificate for, but that's OK for now. If this does not work, you have a server configuration problem; maybe Windows Firewall is enabled, or a different firewall software directly on the host is blocking the connection.

5. Set up your firewall to allow inbound 443 to be directed to your internal server IP address.

If you still have issues, you can try going to https://[external ip address]. By using the external IP address you will get a warning about an invalid cert, but it will verify your server is now exposed to the internet to handle requests.

If it works using the IP address but not the domain, you have a DNS issue. If https://external_ip does not work, your firewall is not configured correctly.
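The steps above, scripted as an added example that is not part of the original answer. It assumes Windows Server 2012 R2 or later with IIS and the WebAdministration module, and that the CSR was generated in IIS on this same server (so the private key is already in the machine's Personal store and the issued .crt only has to be accepted). The site name, file paths, host name and both IP addresses are assumptions to replace with your own. After the binding is in place it runs the three checks in the answer's order (internal IP, external IP, DNS name) and reports which layer is failing.

```powershell
# Added example, not part of the original answer. Assumes Windows Server 2012 R2
# or later with IIS and the WebAdministration module, and that the CSR was
# generated in IIS on this same server (so the private key is already here).
# Every path, name and address below is an assumption to replace with your own.
Import-Module WebAdministration

$SiteName     = "Default Web Site"              # assumed IIS site that hosts the shop
$PublicName   = "www.xyz.com"                   # name users type, as in the question
$IssuedCert   = "C:\certs\www_xyz_com.crt"      # assumed: leaf certificate issued by the CA
$Intermediate = "C:\certs\gd_intermediate.crt"  # assumed: the CA's intermediate certificate
$InternalIp   = "192.0.2.10"                    # assumed: the web server's LAN address
$ExternalIp   = "203.0.113.5"                   # assumed: the public address on the firewall

# Step 2: the intermediate goes into Intermediate Certification Authorities so IIS
# can send the full chain; certreq -accept then completes the pending request in
# the Personal store. (If the CA handed you a .pfx instead, use Import-PfxCertificate.)
Import-Certificate -FilePath $Intermediate -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
certreq -accept $IssuedCert | Out-Null
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$PublicName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $PublicName in LocalMachine\My" }

# Steps 3 and 4: an https binding on all addresses, port 443, with that certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress "*"
}
(Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($cert.Thumbprint, "my")

# Verification in the order the answer gives: internal IP, external IP, then the
# name. A plain TCP connect is enough to tell the layers apart; the browser test
# still decides whether the certificate name is right.
function Test-Port443 {
    param([string]$Target)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Target, 443, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne(3000)) { return $false }   # 3 s timeout
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (-not (Test-Port443 $InternalIp)) {
    Write-Warning "443 refused on ${InternalIp}: no https binding, or Windows Firewall blocks it."
    Write-Warning 'Open it with: New-NetFirewallRule -DisplayName "IIS HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow'
} elseif (-not (Test-Port443 $ExternalIp)) {
    Write-Warning "443 answers internally but not on ${ExternalIp}: the perimeter firewall/NAT is not forwarding 443 (step 5)."
} elseif (-not (Test-Port443 $PublicName)) {
    Write-Warning "443 answers by IP but not by name: DNS for $PublicName does not resolve to ${ExternalIp}."
} else {
    Write-Host "https://$PublicName accepts connections; open it in a browser and confirm there is no certificate warning."
}
```

Run it in an elevated PowerShell on the web server. One caveat for the external checks: many firewalls do not hairpin their own public address, so a connect to the external IP or name from inside the LAN can fail even when the port forward is correct; repeat those two checks from outside the network (which is what canyouseeme.org does) before concluding the firewall is wrong.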

Author Comment

ID: 40592022
Thanks for the good instructions so far. I actually went through most of the process with GoDaddy support and it was really confusing at first, since the generating, installing and requesting of certificates all look similar at first glance, but as I went through it I got a better handle on it. I had to delete the original CSR on IIS and generated a new one which I then pasted into the GoDaddy site so it would generate a request again. I had to do all this because I found out since the web server is running on Server 2003, it would require a hotfix for SHA-2. However, if we selected the 1-year subscription, we could select SHA-2 as the algorithm and would not have to worry about the hotfix. We plan on moving all this to a new 2012 server in about 2 months, so at least I have some understanding of the process when having to do the certificate drill again. I will test if I can access using https now and get back to you.

Author Comment

ID: 40593486
OK, I tested it by trying to get to the site externally using https://public ip and it came back, as you mentioned, with the site warning since I'm not using the name of the certificate, so this looks good so far. I'm waiting now for the ecommerce integration group to add the host record of our internal server name to their end on DNS so that the site can be accessed using xyz.test.com, which matches the certificate name. This is the part I don't understand. Why did they ask us to make the name different for the internal server when applying for the certificate? In other words, prior to the SSL certificate, a person could access www.xyz.com using http, and if they wanted to use https of course they would use the same name, except now they would use https://www.xyz.com, but I'm assuming this is what the ecommerce group is working on now with the different name. They are probably adding host xyz.test.com to their DNS so that it has the same IP as xyz.com.
LVL 17

Expert Comment

ID: 40594466
As an added note, you may want to check IIS to make sure Require SSL is selected for, at minimum, the ecommerce site or virtual directory. This will prevent users from accidentally putting sensitive information into an unencrypted form. It should also be required for any portion of the site where the user may enter login credentials.

I don't know the answer to that, but it should be a simple question to ask them, and you should ask them so you understand why they directed you to do so anyway. One example might be if you are trying to serve a mix of encrypted content and unencrypted content under the same site, which is a bad practice anyway; using a different subdomain for the encrypted site will allow you to set up a different site in IIS specifically for that binding (e.g. store.xyz.com), that way the server won't try to run everything through SSL. SSL does have a slight performance impact, but it's only noticeable with many users.
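The Require SSL setting from the comment above, as an added example that is not part of the original comment. It shows the weak default next to the corrected setting and then checks that a clear-text request is refused. It assumes Windows Server 2012 R2 or later with the WebAdministration module; the site name and the `store` application name are assumptions.

```powershell
# Added example, not part of the original comment. Assumes Windows Server 2012 R2
# or later with the WebAdministration module; the site and application names are
# assumptions to replace with your own.
Import-Module WebAdministration

$SiteName = "Default Web Site"
$AppName  = "store"   # assumed application/virtual directory holding checkout and login pages
$Path     = "IIS:\Sites\$SiteName\$AppName"

function Get-SslFlags {
    param([string]$PSPath)
    (Get-WebConfiguration -PSPath $PSPath -Filter "system.webServer/security/access").sslFlags
}

# Weak state: sslFlags "None" means the same pages are served over http and https,
# so a form posted to http://... travels in clear text.
"Before: sslFlags = $(Get-SslFlags $Path)"

# Corrected state: "Ssl" makes IIS refuse clear-text requests to this path with
# HTTP 403.4 (SSL required) instead of serving them.
Set-WebConfigurationProperty -PSPath $Path -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl"
"After:  sslFlags = $(Get-SslFlags $Path)"

# Check: a clear-text request to the application must now come back 403.
function Get-HttpStatus {
    param([string]$Url)
    try   { [int](Invoke-WebRequest -Uri $Url -UseBasicParsing).StatusCode }
    catch { [int]$_.Exception.Response.StatusCode }   # 0 if no HTTP response at all
}
"http://localhost/$AppName/ -> $(Get-HttpStatus "http://localhost/$AppName/")   (expect 403)"
```

Require SSL answers http requests with a 403.4 error page rather than redirecting, so in practice it is paired with an http-to-https redirect (for example a URL Rewrite rule) for the pages users may type in by hand, while the checkout and login paths keep the hard requirement so a form is never served unencrypted.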
