Recipe 12.9. Obtaining and Installing SSL Certificates

Problem

You want to obtain a server certificate from a Certificate Authority (CA) and install it on your IIS computer to enable SSL on a web site.

Solution

Using a graphical user interface

To obtain a certificate from a third-party CA and install it on a web site named MTIT Corp, first generate a certificate request as follows:
To submit your certificate request to a third-party CA such as Verisign, do the following: Go to the CA's web site (e.g., www.verisign.com) and follow instructions for submitting your certificate request to obtain a server certificate. Typically, you will have to paste the contents of your certreq.txt file into a form as part of the process. You will receive an email from the site with the certificate at the end of the message, bracketed between lines that say BEGIN CERTIFICATE and END CERTIFICATE. To install your server certificate on your web site, do the following:
To verify the certificate has been installed, do the following:
Using a command-line interface

For simple testing purposes, the following command uses the selfssl utility from the IIS 6 Resource Kit Tools to install a self-signed SSL certificate on your Default Web Site:

> selfssl

Type y and press Enter when prompted.

The following command installs a server certificate using a *.cer file and a password-protected *.pfx file obtained from a third-party CA, using the IISCertDeploy.vbs command script included in the IIS 6 Resource Kit Tools:

> iiscertdeploy -new C:\newcert.cer -c C:\newcert.pfx -p <password> -i w3svc/1005026399

Note that this command installs the certificate on the web site that has site ID number 1005026399.
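The CA's reply arrives as an email with the certificate bracketed between BEGIN CERTIFICATE and END CERTIFICATE lines, and a stray character from the paste is the usual reason the IIS wizard or iiscertdeploy rejects the file. The following PowerShell script is an added example, not part of the recipe or of the IIS 6 Resource Kit: it extracts that block from a saved copy of the email, decodes and parses it, reports the subject, issuer, validity window and whether the name matches the site, and writes the DER-encoded .cer file that the "Process the pending request" step (or iiscertdeploy -new) consumes. The email path, the site host name (www.mtit.example) and the output path C:\newcert.cer are assumptions; pass your own.

```powershell
# Added example, not part of the recipe or the IIS Resource Kit: pull the server
# certificate out of the CA's reply email and sanity-check it before installing.
# Assumptions: the email is saved as plain text at -EmailPath; -SiteHostName is
# the DNS name clients will type (www.mtit.example is a placeholder).
param(
    [Parameter(Mandatory = $true)][string]$EmailPath,
    [Parameter(Mandatory = $true)][string]$SiteHostName,
    [string]$OutCer = 'C:\newcert.cer'
)

$body = Get-Content -Path $EmailPath -Raw

# The certificate sits between the BEGIN CERTIFICATE and END CERTIFICATE lines.
# Take the first such block, tolerate missing dashes, and strip all whitespace.
$match = [regex]::Match($body, '(?s)-*BEGIN CERTIFICATE-*\s*(.*?)\s*-*END CERTIFICATE-*')
if (-not $match.Success) { throw "No BEGIN/END CERTIFICATE block found in $EmailPath" }
$b64 = $match.Groups[1].Value -replace '\s', ''

# Decode to DER and parse. A truncated or mangled paste fails here with a clear
# error instead of failing later inside the IIS Certificate Wizard.
$der  = [System.Convert]::FromBase64String($b64)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$der)

# GetNameInfo(DnsName) returns the first SAN DNS name, or the subject CN if the
# certificate carries no SAN extension.
$dnsNameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$certName    = $cert.GetNameInfo($dnsNameType, $false)
$now         = Get-Date

$report = [ordered]@{
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    NotBefore       = $cert.NotBefore
    NotAfter        = $cert.NotAfter
    Thumbprint      = $cert.Thumbprint
    NameMatchesSite = ($certName -ieq $SiteHostName)
    CurrentlyValid  = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    SelfSigned      = ($cert.Subject -eq $cert.Issuer)
}
[pscustomobject]$report | Format-List

if (-not $report.NameMatchesSite) {
    Write-Warning "Certificate is for '$certName', not '$SiteHostName'; browsers will warn on every visit."
}
if ($report.SelfSigned) {
    Write-Warning 'Self-signed certificate: fine for testing, not what a commercial CA returns.'
}

# Write the DER file the IIS wizard (or iiscertdeploy -new) consumes. Install it
# on the SAME server that generated certreq.txt: the matching private key was
# created there with the pending request and exists nowhere else.
[System.IO.File]::WriteAllBytes($OutCer, $der)
"Wrote $OutCer"
```

Run it as `.\Save-CaCertificate.ps1 -EmailPath C:\ca-reply.txt -SiteHostName www.mtit.example` (script name and paths are placeholders). The NameMatchesSite check reads only the first SAN entry or the CN, so a certificate with several SAN names may show a mismatch that a browser would accept.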
Using VBScript

For a good example script on how to import a certificate, see iiscertdeploy.vbs in the IIS 6 Resource Kit.

Discussion

If you want to use IIS for hosting public SSL (https) sites for e-commerce or other reasons, you'll need to obtain a server certificate (i.e., a certificate that verifies the identity of a web server to clients that try to access it) from a commercial CA such as Verisign and install the certificate on your web server. Such certificates can cost hundreds of dollars or more per year, but most CAs also provide time-limited certificates for free that you can use to test your SSL site before purchasing a commercial server certificate.

If you have used Windows Certificate Services to install your own CA, the process of requesting and installing a server certificate is different. See the Knowledge Base articles in the See Also section for more information. Using your own CA is useful in a corporate intranet or extranet scenario, but not on a general Internet site, because any clients that need to access your site using SSL must first have your CA's root certificate installed on them. In other words, if you want your secure site to be accessible to anonymous users on the Internet, you'll have to obtain and install a server certificate from a third-party CA such as Verisign instead of using Certificate Services.

See Also

Recipe 12.10, MS KB 324284 (HOW TO: Secure XML Web Services with Secure Socket Layer in Windows Server 2003), and MS KB 816794 (HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003)
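The Discussion's point about root certificates is easiest to see from the client side: a site secured with a selfssl or Certificate Services certificate works for machines that hold the issuing root and fails trust for everyone else. The following PowerShell script is an added example, not part of the recipe or of the IIS 6 Resource Kit: it opens an SSL connection to the site, shows the certificate IIS actually serves (which also covers the "verify the certificate has been installed" step), then builds the chain with X509Chain on the machine running the script and reports whether that client trusts the issuer. The host name www.mtit.example and port 443 are assumptions.

```powershell
# Added example, not part of the recipe or the IIS Resource Kit: open an SSL
# connection to a site, show the certificate IIS actually serves, and evaluate
# whether THIS client trusts the issuing CA. Assumptions: -HostName is the
# site's DNS name (www.mtit.example is a placeholder) and SSL listens on 443.
param(
    [Parameter(Mandatory = $true)][string]$HostName,
    [int]$Port = 443
)

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($HostName, $Port)
    $stream = $tcp.GetStream()

    # Accept whatever the server presents so an untrusted certificate can still
    # be inspected; trust is evaluated explicitly with X509Chain further down.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
    $ssl.AuthenticateAsClient($HostName)

    $protocol = $ssl.SslProtocol
    # RemoteCertificate is an X509Certificate; wrap it for the richer API.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

# Build the chain the way a client would, minus revocation (so the check works
# offline). UntrustedRoot means the issuer's root is not installed on this
# machine, which is exactly what an in-house CA causes for Internet visitors.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted    = $chain.Build($cert)
$status     = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
$statusText = if ($status.Count -gt 0) { $status -join ', ' } else { 'NoError' }

$dnsNameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$servedName  = $cert.GetNameInfo($dnsNameType, $false)

[pscustomobject]@{
    Endpoint        = "${HostName}:$Port"
    Protocol        = $protocol
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    NotAfter        = $cert.NotAfter
    Thumbprint      = $cert.Thumbprint
    NameMatchesHost = ($servedName -ieq $HostName)   # first SAN or CN only
    ChainTrusted    = $trusted
    ChainStatus     = $statusText
} | Format-List

if ($status -contains 'UntrustedRoot') {
    Write-Warning 'Root CA is not in this client''s Trusted Root store: expected after selfssl or with a Certificate Services CA, unacceptable for a public Internet site.'
}
```

Run it from a client machine that is not the web server, since the server usually trusts its own CA: `.\Test-SiteCertificate.ps1 -HostName www.mtit.example` (script name and host are placeholders). ChainTrusted should be True and ChainStatus NoError for a certificate from a commercial CA; after selfssl, expect False with UntrustedRoot. Compare the reported Thumbprint with the one shown in the IIS certificate properties to confirm the intended certificate is the one being served.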