Asked by 2_under_par (United States of America)

Securing communications between internal server application and client computers

I have an application on a Windows server that needs to communicate with our client PCs over HTTPS on our internal network (via IIS 7, port 443). So I'm trying to use OpenSSL for Windows to create a self-signed certificate to accomplish this. In terms of commands, how do I go about creating a server-side and client-side certificate?

Currently, I just created a simple self-signed cert on the server and installed that on the server (and its Trusted CA store) and then on the client (and its Trusted CA store). Though, I don't think it's best practice to use the same one in both places.

Here are the certificate requirements from the documentation...

The server-side TLS/SSL certificate must comply with the following requirements:
It must be valid for IIS.
It must be valid during the period in which you use it.
You must enable it for server authentication.
It must contain a private key.
The common name (CN) must match the name of the server exactly.
The same certificate authority that issued the client-side CA certificate must also issue the server-side certificate.
You must install it in the local computer personal certificate store of the server.

The client-side CA certificate must comply with the following requirements:
It must be in the .CER file format.
It must be valid during the period in which you use it.
It must be the root certificate of the same certificate authority that issued your server-side TLS/SSL certificate.
ASKER CERTIFIED SOLUTION
David Johnson, CD (Canada)

This solution is only available to members.
2_under_par (asker):

Yes, I initially followed Microsoft's documentation on that, https://technet.microsoft.com/en-us/library/ff710475(v=ws.10).aspx. I then took that cert and installed it in both the server's and the client's "Personal" and "Trusted Root..." folders in the Certificates MMC snap-in. Then, I bound it to the site on HTTPS in the IIS 7 console. Again, I'm kinda ignorant of what's best practice here, so I kinda figured that procedure was OK for testing, but not for deploying to production. I was under the impression (perhaps misguided) that there needed to be some sort of difference (hash???...fingerprint???) between the server cert and the client cert.

You really need a certificate authority; this way you only need to import one certificate into the root store. If you are using client certs, it will use the common name as the user ID, with the proviso that the server trusts the client certificate.
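The following script is an added example, not code from the thread or from the product documentation quoted in the question. It does with OpenSSL what the reply above recommends and what the quoted requirements describe: it creates a private CA, has that CA issue the server certificate (CN equal to the server name, server-authentication EKU, private key kept for IIS), and exports the CA's root as a DER .CER file. Note that the requirements call the file the clients get the "client-side CA certificate" and say it must be the root of the CA that issued the server certificate, so the difference between server and clients is which file each receives (server: the PFX with its key; clients: only the root .CER in Trusted Root), not a separate certificate per client. The server name appserver.corp.example, the ./pki output directory and the PFX password are placeholders; the same openssl commands work with OpenSSL for Windows.

```shell
#!/bin/sh
# Added example (not from the thread or the product documentation): build a private CA,
# issue a server certificate that satisfies the requirements quoted in the question, and
# export the CA root as a DER .CER for the clients.
# Assumptions (placeholders): server name appserver.corp.example, output directory ./pki,
# PFX password "changeit".
set -eu

WORK="${WORK:-./pki}"
SERVER_NAME="${SERVER_NAME:-appserver.corp.example}"   # CN must equal the server's name exactly
PFX_PASS="${PFX_PASS:-changeit}"

# Step 1: the CA. Its root certificate is the one and only cert that goes into the
# Trusted Root store on the server and on every client (as a .CER).
make_ca() {
    mkdir -p "$WORK"
    cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
    # Clients need the root in .CER (DER) format; the CA private key never leaves the CA machine.
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
}

# Step 2: the server certificate, issued by the CA above (so both "same certificate
# authority" requirements hold), with CN = server name and the serverAuth EKU.
make_server_cert() {
    cat > "$WORK/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $SERVER_NAME
EOF
    openssl req -new -config "$WORK/server.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/server.key" -out "$WORK/server.csr"
    # Extensions for a TLS server certificate. The SAN is not in the quoted requirements,
    # but current browsers ignore the CN and require it.
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.pem"
    # IIS needs the certificate together with its private key: a PFX (PKCS#12) for the
    # LocalMachine\Personal store. SHA1/3DES are forced so Windows 2008-era importers
    # accept the file even when it is produced by OpenSSL 3 (default would be AES/PBKDF2).
    openssl pkcs12 -export -name "$SERVER_NAME" -inkey "$WORK/server.key" -in "$WORK/server.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PFX_PASS" -out "$WORK/server.pfx"
}

# Step 3: check the result the way a client would: chain to the root, server-auth EKU,
# CN and SAN equal to the server name, and a loadable DER root. Returns 0 when all pass.
verify_server_cert() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null || return 1
    openssl x509 -in "$WORK/server.pem" -noout -text > "$WORK/server.txt"
    grep -q 'TLS Web Server Authentication' "$WORK/server.txt" || return 1
    grep -q "DNS:$SERVER_NAME" "$WORK/server.txt" || return 1
    openssl x509 -in "$WORK/server.pem" -noout -subject | grep -q "CN *= *$SERVER_NAME" || return 1
    openssl x509 -in "$WORK/ca.cer" -inform DER -noout -subject >/dev/null || return 1
}

make_ca
make_server_cert
verify_server_cert && echo "OK: $WORK/server.pfx goes to IIS, $WORK/ca.cer to every Trusted Root store"
```

On the Windows side, server.pfx is imported into the server's LocalMachine Personal store and bound to the HTTPS site in IIS, and ca.cer is imported into Trusted Root Certification Authorities on the server and on each client; the server's own certificate is never placed in a Trusted Root store. Keep ca.key off the IIS server, since anyone holding it can issue certificates every client will trust; re-run only Step 2 when the server certificate expires or the server is renamed.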