Configuring Your Server to Use SSL


Configuring your server to use SSL is a straightforward process. However, if you are planning to use a server certificate from a third-party certificate authority, you should be warned that it can be a long process. Receiving a server certificate can take several weeks. This process also can be expensive. Verisign, for example, currently charges $349 for a server certificate, and you must pay $249 each additional year the certificate is renewed.

Three main steps are involved in installing SSL. First, you must generate a certificate request file and an encryption key pair file using the Web Server Certificate Wizard. Next, you must apply for a server certificate at a third-party certificate authority by providing it with your certificate request file. Finally, after you receive your server certificate, you must install it by using the Web Server Certificate Wizard.

Generating a Certificate Request File

To create a certificate request file, also called a certificate signing request (CSR), open the Web Server Certificate Wizard by completing the following steps:

  1. Launch the Internet Services Manager.

  2. Open the property sheet for your Web site (by clicking the icon with the hand holding a piece of paper).

  3. Select the Directory Security tab.

  4. Click the Server Certificate button in the section labeled Secure Communications.

The Web Server Certificate Wizard guides you through the task of creating the certificate request file (see Figure 21.2).

Figure 21.2. The Web Server Certificate Wizard.


To create the certificate request file, supply the following information:

  • Name: You can supply any name here. This name is used to identify the key.

  • Bit length: You can choose the value 512 or 1040. The greater the bit length, the more work the server must perform.

  • Organization: The name of the owner of your domain name. Usually, the organization is the name of your company.

  • Organizational unit: The name of your department or business unit.

  • Common name: Your fully qualified domain name; for example, www.superexpert.com. You should not include the protocol (http://).

  • Country/Region: The two-letter ISO country code for your country; for example, US for the United States or CA for Canada.

  • State/province: The full name of your state or province; for example, Washington.

  • City/locality: The name of your city or town; for example, Seattle.

  • Certificate Request File Name: When you complete the wizard, your certificate request file is stored on your hard drive with this name.

After you supply this information to the wizard, a certificate request file is saved to your hard drive. At this point, the certificate request file has been generated, but the certificate has not been installed. If you're curious, here's an example of a certificate request file:

 
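The request file is a base64-encoded PKCS #10 structure between BEGIN and END NEW CERTIFICATE REQUEST lines, so its contents can be checked before it is sent to the certificate authority. The following added example (not from the book and not IIS code) decodes that structure and checks the common name, country code and key length against the field rules listed above. The names `check_csr` and `sample_request`, the host `www.example.com` and the 2048-bit default (the minimum public CAs accept today, larger than the wizard's options) are assumptions, and the sample request is constructed and unsigned.

```python
import base64, re

def children(body):
    """Split a DER value into the bodies of the elements it contains."""
    out, pos = [], 0
    while pos < len(body):
        n, pos = body[pos + 1], pos + 2            # skip the tag, read the length byte
        if n & 0x80:                               # long form: length is in the next k bytes
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append(body[pos:pos + n])
        pos += n
    return out

def check_csr(pem, min_bits=2048):
    """Return the problems to fix before the request file goes to the CA."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    # Outer SEQUENCE -> CertificationRequestInfo -> version, subject, public key
    _version, name, spki = children(children(children(der)[0])[0])[:3]
    subject = {}
    for rdn in children(name):                     # Name: SEQUENCE OF SET OF
        for atv in children(rdn):                  # SEQUENCE { OID, value }
            oid, value = children(atv)
            subject[oid.hex()] = value.decode("latin-1")
    rsa_key = children(spki)[1][1:]                # BIT STRING minus unused-bits byte
    bits = int.from_bytes(children(children(rsa_key)[0])[0], "big").bit_length()
    cn, country = subject.get("550403", ""), subject.get("550406", "")  # 2.5.4.3, 2.5.4.6
    checks = [
        (re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", cn), "common name is not a bare FQDN"),
        (re.fullmatch(r"[A-Z]{2}", country), "country is not a two-letter code"),
        (bits >= min_bits, f"RSA key is only {bits} bits"),
    ]
    return [message for ok, message in checks if not ok]

def tlv(tag, *parts):  # DER-encode one element; only used to build the sample
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_request(cn, country, bits):
    """CONSTRUCTED, unsigned request with a made-up modulus; not a real key."""
    rdn = lambda oid, text: tlv(0x31, tlv(0x30, tlv(0x06, oid), tlv(0x13, text.encode())))
    name = tlv(0x30, rdn(b"\x55\x04\x03", cn), rdn(b"\x55\x04\x06", country))
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05))
    key = tlv(0x03, b"\x00", tlv(0x30, tlv(0x02, n), tlv(0x02, b"\x01\x00\x01")))
    info = tlv(0x30, tlv(0x02, b"\x00"), name, tlv(0x30, alg, key), tlv(0xA0))
    b64 = base64.encodebytes(tlv(0x30, info, alg, tlv(0x03, b"\x00"))).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}-----END NEW CERTIFICATE REQUEST-----\n"
```

Calling `check_csr(open(path).read())` on the file the wizard saved returns an empty list when all three fields pass; the check reads the request only and does not verify its signature.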

Applying for a Server Certificate

After you generate a certificate request file, you can apply for a server certificate from a certificate authority. These three are the more popular ones:

  • Verisign Inc. (http://www.verisign.com)

  • Thawte Consulting (http://www.thawte.com)

  • GTE CyberTrust Solutions (http://www.cybertrust.gte.com)

To apply for a Verisign server certificate, for example, go to http://www.verisign.com and choose Secure Server ID. You need to provide Verisign with identifying information about your organization, such as your Dun and Bradstreet DUNS number, your articles of incorporation, or your business license. After you provide this information, you can submit your certificate request file through an online form. After your information is verified, you receive an e-mail message that contains instructions for downloading your new server certificate.

Installing Your Server Certificate

The last step in preparing your server to use SSL is to actually install the server certificate. To do so, launch the Web Server Certificate Wizard once again and choose the option labeled Process the Pending Request and Install the Certificate. Then open the server certificate file from your hard drive. The server certificate should now be installed on your server.

NOTE

If you must transfer your certificate to a new server, you can use the Web Server Certificate Wizard to create a backup copy of your certificate. You can then load the certificate on the new server by launching the Web Server Certificate Wizard and selecting the option labeled Import a Certificate from a Key Manager Backup File. The new server must have exactly the same Internet domain name as the original server (the IP address can be different).




ASP.NET Unleashed
ASP.NET 4 Unleashed
ISBN: 0672331128
EAN: 2147483647
Year: 2003
Pages: 263
