2_under_par
Securing communications between internal server application and client computers
I have an application on a Windows server that needs to communicate with our client PCs over HTTPS on our internal network (via IIS 7, port 443). So, I'm trying to use OpenSSL for Windows to create a self-signed certificate to accomplish this. In terms of commands, how do I go about creating a server-side and a client-side certificate?
Currently, I have just created a simple self-signed cert on the server and installed it on the server (and in its Trusted CA store) and then on the client (and in its Trusted CA store). Though, I don't think it's best practice to use the same one in both places.
Here are the certificate requirements from the documentation...
The server-side TLS/SSL certificate must comply with the following requirements:
It must be valid for IIS.
It must be valid during the period in which you use it.
You must enable it for server authentication.
It must contain a private key.
The common name (CN) must match the name of the server exactly.
The same certificate authority that issued the client-side CA certificate must also issue the server-side certificate.
You must install it in the local computer personal certificate store of the server.
The client-side CA certificate must comply with the following requirements:
It must be in the .CER file format.
It must be valid during the period in which you use it.
It must be the root certificate of the same certificate authority that issued your server-side TLS/SSL certificate.
You really need a certificate authority; this way you only need to import one certificate into the root store. If you are using client certs, it will use the common name as the user ID, with the proviso that the server trusts the client certificate.
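The following script is an added example, not part of this thread or of any product documentation, showing the OpenSSL commands that satisfy the requirement list above: a private root CA whose public half is exported as a .CER file for the clients, and a server certificate issued by that CA with the server's exact name as CN (and as a subjectAltName, which current browsers require), the serverAuth extended key usage, and the private key bundled into a PFX for the IIS "Local Computer > Personal" store. The host name appserver.corp.local, the CA name and the PFX password are placeholders; the same openssl.exe commands work in a Windows shell when the paths are adjusted. The point the accepted answer makes is visible in the output: ca.key is the only secret that must stay off both machines, ca.cer carries no private key, and the server's private key travels only inside the password-protected PFX.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + IIS server certificate with OpenSSL.
# Placeholders: SERVER_FQDN, CA_NAME, PFX_PASSWORD. Requires openssl 1.1.1 or newer.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_FQDN="${SERVER_FQDN:-appserver.corp.local}"   # must be exactly the name clients connect to
CA_NAME="${CA_NAME:-Internal Root CA}"
PFX_PASSWORD="${PFX_PASSWORD:-change-me}"            # protects the server private key in transit

# Step 1: root CA. The CSR is self-signed with CA:TRUE; ca.key never leaves this host.
make_root_ca() {
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$WORKDIR/ca.ext"
  openssl req -new -newkey rsa:3072 -nodes -sha256 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" -subj "/CN=$CA_NAME" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" -days 3650 -sha256 \
    -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
  # Client-side requirement: the root certificate in .CER (DER) format, public half only.
  openssl x509 -in "$WORKDIR/ca.crt" -outform DER -out "$WORKDIR/ca.cer"
}

# Step 2: server certificate issued by the CA (same issuer as the client-side root).
make_server_cert() {
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'authorityKeyIdentifier=keyid,issuer' \
    "subjectAltName=DNS:$SERVER_FQDN" > "$WORKDIR/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
    -subj "/CN=$SERVER_FQDN" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORKDIR/server.ext" \
    -out "$WORKDIR/server.crt" 2>/dev/null
  # Server-side requirement: certificate plus private key, as a PFX for the IIS personal store.
  openssl pkcs12 -export -inkey "$WORKDIR/server.key" -in "$WORKDIR/server.crt" \
    -certfile "$WORKDIR/ca.crt" -passout pass:"$PFX_PASSWORD" -out "$WORKDIR/server.pfx"
}

# Checks a client would effectively perform: chain to the root and host name match.
verify_server_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$SERVER_FQDN" \
    "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Requirement checks: serverAuth EKU present, .CER is DER, PFX really carries the key.
server_has_server_auth() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q 'TLS Web Server Authentication'
}
client_cer_is_der() {
  openssl x509 -inform DER -in "$WORKDIR/ca.cer" -noout 2>/dev/null
}
pfx_has_private_key() {
  openssl pkcs12 -in "$WORKDIR/server.pfx" -nocerts -nodes -passin pass:"$PFX_PASSWORD" 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

make_root_ca
make_server_cert
verify_server_cert && echo "server.crt chains to $CA_NAME and matches $SERVER_FQDN"
echo "install $WORKDIR/server.pfx on the server, $WORKDIR/ca.cer on the clients; keep ca.key offline"
```

Import server.pfx into the server's Local Computer > Personal store (it carries the private key, so it should not be copied anywhere else) and bind it to the IIS HTTPS site on port 443; import ca.cer into Trusted Root Certification Authorities on each client. Both sides then trust the same root without either of them holding the CA key, which is the separation the answer above recommends. For additional servers, rerun make_server_cert with a different SERVER_FQDN against the same ca.key; clients need no further changes.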