Recipe 12.9. Obtaining and Installing SSL Certificates

Problem

You want to obtain a server certificate from a Certificate Authority (CA) and install it on your IIS computer to enable SSL on a web site.

Solution

Using a graphical user interface

To obtain a certificate from a third-party CA and install it on a web site named MTIT Corp, first generate a certificate request as follows:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the MTIT Corp web site, right-click on the site, and select Properties.

  3. Select the Directory Security tab.

  4. Click the Server Certificate button to start the Web Server Certificate Wizard and click Next.

  5. Select Prepare the request now but send it later and click Next.

  6. Type the name of the web site (in this example, MTIT Corp) and click Next.

  7. The wizard proposes a 1024-bit key. Choose 2048 or higher, since public CAs no longer issue certificates for 1024-bit RSA keys, and click Next.

  8. Type the name of your organization and organizational unit (e.g., department or division) and click Next.

  9. Type the DNS name of your web site and click Next.

  10. Type the specified geographical information and click Next.

  11. Save your certificate request file as C:\certreq.txt.

To submit your certificate request to a third-party CA such as Verisign, do the following:

Go to the CA's web site (e.g., www.verisign.com) and follow instructions for submitting your certificate request to obtain a server certificate. Typically, you will have to paste the contents of your certreq.txt file into a form as part of the process. You will receive an email from the site with the certificate at the end of the message, bracketed between lines that say BEGIN CERTIFICATE and END CERTIFICATE.

To install your server certificate on your web site, do the following:

  1. Copy the entire section from BEGIN CERTIFICATE to END CERTIFICATE (including these two lines) from the CA's email message to the clipboard by selecting the text and pressing Ctrl-C.

  2. Use Notepad to create a new text file, press Ctrl-V to paste the certificate information into the file, and save it as a *.cer file; for example, C:\newcert.cer.

  3. Open Internet Information Services (IIS) Manager.

  4. In the left pane, expand the console tree to display the MTIT Corp web site, right-click on the site, and select Properties.

  5. Select the Directory Security tab.

  6. Click the Server Certificate button to start the Web Server Certificate Wizard and click Next.

  7. Select Process the pending request and install the certificate and click Next.

  8. Specify the path to the *.cer file containing the certificate (e.g., C:\newcert.cer) and click Next.

  9. Accept 443 as the standard SSL port number, click Next, and then Finish.
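The copy-and-paste in steps 1 and 2 is where installations most often go wrong: a mail client wraps or quotes the lines, a trailing line is dropped, or the CA's message carries an intermediate certificate after the server certificate. The following script is an added example, not code from the cookbook or the IIS Resource Kit. It pulls every BEGIN/END CERTIFICATE block out of the saved message, strips quoting and whitespace, and checks the DER framing (one outer SEQUENCE whose declared length matches the decoded bytes) before writing *.cer files. The sample message and the two "certificates" inside it are constructed placeholders built in code, not real X.509 data, so the script runs offline.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_base64(body):
    """Decode a PEM body and check the outer DER framing: the bytes must be
    one SEQUENCE whose encoded length matches what was decoded. A truncated
    or over-pasted block fails here instead of failing inside the wizard."""
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("body is not valid base64: %s" % exc)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    if der[1] < 0x80:                        # short-form length
        length, header = der[1], 2
    else:                                    # long form: 0x80|n, then n bytes
        n = der[1] & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("SEQUENCE declares %d bytes but %d were decoded"
                         % (header + length, len(der)))
    return der


def extract_certificates(mail_text):
    """Return every certificate in the message as a normalised PEM string
    (64-column base64) after stripping '> ' mail quoting and stray whitespace.
    The first block is the server certificate; later ones are the chain."""
    unquoted = re.sub(r"^[> \t]+", "", mail_text, flags=re.M)
    pems = []
    for match in PEM_BLOCK.finditer(unquoted):
        body = "".join(match.group(1).split())
        der_from_base64(body)                # raises on damaged data
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                    % "\n".join(lines))
    return pems


def _placeholder_der(label):
    """Constructed stand-in for a certificate: SEQUENCE { INTEGER 1, UTF8String label }.
    Only the outer framing matters for this example; it is not a real certificate."""
    inner = b"\x02\x01\x01" + b"\x0c" + bytes([len(label)]) + label.encode()
    return b"\x30" + bytes([len(inner)]) + inner


def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----"
            % base64.encodebytes(der).decode())


# Constructed sample message: the first block is quoted by a mail client
# and uses CRLF line endings, the second is an unquoted intermediate CA.
SAMPLE_MAIL = (
    "Your certificate is ready. The issuing intermediate CA follows it.\r\n\r\n"
    + "\r\n".join("> " + line for line in _pem(_placeholder_der("leaf")).split("\n"))
    + "\r\n\r\n"
    + _pem(_placeholder_der("intermediate ca"))
    + "\r\n-- \r\nCA Support\r\n"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAIL
    for i, pem in enumerate(extract_certificates(text)):
        path = "newcert.cer" if i == 0 else "chain%d.cer" % i
        with open(path, "w") as out:
            out.write(pem)
        print("wrote", path)
```

Run it with the saved message as its only argument; newcert.cer is the file to give the wizard in step 8, and any chain*.cer files are intermediates to import into the computer's Intermediate Certification Authorities store. A ValueError means the pasted block is damaged and should be re-fetched from the CA rather than installed.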

To verify the certificate has been installed, do the following:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the console tree to display the MTIT Corp web site, right-click on the site, and select Properties.

  3. Select the Directory Security tab.

  4. Click the View Certificate button.
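Viewing the certificate in IIS Manager confirms it is bound to the site, but not that clients will accept it. The script below is an added example, not cookbook or Resource Kit code: it connects to the site the way a browser does, keeps chain validation on (so a private CA root the client does not trust is reported as its own failure, the situation the Discussion describes), and then checks the served certificate's names and validity dates. The hostname www.mtit.example, the sample certificate dictionary and its dates are assumptions; the dictionary has the shape that ssl.SSLSocket.getpeercert() returns so the same check runs offline.

```python
import socket
import ssl
import sys
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# names and dates are assumptions, not taken from a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "MTIT Corp"),),
                (("commonName", "www.mtit.example"),)),
    "subjectAltName": (("DNS", "www.mtit.example"), ("DNS", "mtit.example")),
    "notBefore": "Mar 10 00:00:00 2024 GMT",
    "notAfter": "Mar 10 00:00:00 2026 GMT",
}


def names_in_cert(cert):
    """DNS names the certificate is valid for: SAN dNSName entries, falling
    back to the subject CN only when the certificate has no SAN at all."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(hostname, pattern):
    """Case-insensitive match; '*' is allowed only as the whole leftmost label
    and must leave at least two labels to its right."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if pat[0] == "*":
        return len(pat) >= 3 and len(host) == len(pat) and host[1:] == pat[1:]
    return host == pat


def check_cert(cert, hostname, now=None, warn_days=30):
    """Return a list of problems; an empty list means the certificate is
    acceptable for hostname at time 'now' (seconds since the epoch, UTC)."""
    now = time.time() if now is None else now
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid: notBefore %s" % cert["notBefore"])
    if now > not_after:
        problems.append("expired: notAfter %s" % cert["notAfter"])
    elif not_after - now < warn_days * 86400:
        problems.append("expires within %d days: notAfter %s"
                        % (warn_days, cert["notAfter"]))
    names = names_in_cert(cert)
    if not any(hostname_matches(hostname, n) for n in names):
        problems.append("name mismatch: %s not covered by %s" % (hostname, names))
    return problems


def check_server(hostname, port=443, timeout=5.0):
    """Connect as a browser would and check the served certificate.
    Chain validation stays on (CERT_REQUIRED), so an untrusted issuer is
    reported on its own; the name check is left to check_cert so that a
    mismatch report lists the names the certificate actually carries."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return check_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return ["chain not trusted by this client: %s"
                % getattr(exc, "verify_message", exc)]
    except OSError as exc:
        return ["connection failed: %s" % exc]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.mtit.example"
    for line in check_server(target) or ["OK: certificate acceptable for %s" % target]:
        print(line)
```

Run it from a machine that is not the web server, using the DNS name typed in step 9 of the request wizard, not the server's NetBIOS name; a name mismatch here is exactly what browsers will complain about. A "chain not trusted" result on a certificate from a public CA usually means the intermediate certificate the CA sent was not installed on the server.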

Using a command-line interface

For simple testing purposes, the following command uses the selfssl utility from the IIS 6 Resource Kit Tools to install a self-signed SSL certificate on your Default Web Site:

> selfssl

Type y and press Enter when prompted.

The following command installs a server certificate using a *.cer file and a password-protected *.pfx file obtained from a third-party CA using the IISCertDeploy.vbs command script included in the IIS 6 Resource Kit Tools:

> iiscertdeploy -new C:\newcert.cer -c C:\newcert.pfx -p <password> -i w3svc/1005026399

Note that this command installs the certificate on the web site that has site ID number 1005026399.

To determine the ID number of a web site without delving into the metabase, right-click on the web site in IIS Manager and select Properties, select the Web Site tab, click the Properties button, and note the numeric portion of the string beginning W3SVC beside Log file name.


Using VBScript

For a good example script on how to import a certificate, see iiscertdeploy.vbs in the IIS 6 Resource Kit.

Discussion

If you want to use IIS to host public SSL (HTTPS) sites for e-commerce or other reasons, you'll need to obtain a server certificate (i.e., a certificate that verifies the identity of a web server to the clients that try to access it) from a commercial CA such as Verisign and install it on your web server. Such certificates can cost hundreds of dollars or more per year, but most CAs also provide time-limited certificates for free that you can use to test your SSL site before purchasing a commercial server certificate.

If you have used Windows Certificate Services to install your own CA, the process of requesting and installing a server certificate is different; see the Knowledge Base articles in the See Also section for details. Using your own CA is useful in a corporate intranet or extranet scenario, but not on a general Internet site, because every client that needs to access your site using SSL must first have your CA's root certificate installed; otherwise the browser warns that the issuer is untrusted. In other words, if you want your secure site to be accessible to anonymous users on the Internet, you'll have to obtain and install a server certificate from a third-party CA such as Verisign instead of using Certificate Services.

See Also

Recipe 12.10, MS KB 324284 (HOW TO: Secure XML Web Services with Secure Socket Layer in Windows Server 2003), and MS KB 816794 (HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
