Configuring SSL Settings

Now that you have installed a certificate, you can offer secure communication to users of your site. By default, a web site does not require secure communications. You will need to decide whether your entire site or only a certain directory will be secure. Since encryption impacts the performance of a web site, it is a good idea to require secure communication only on the directories that absolutely need it.

You can choose any of the following options:

• Enable encryption on the entire site or individual directories.

• Require 128-bit encryption (leaving this unchecked will allow 40-bit encryption).

• Ignore, accept if offered, or require client certificates.

• Enact certificate mapping.

• Use client trust lists.

You can edit your certificate setting for a web site from the Secure Communications Properties window:

1. Open the IIS MMC snap-in.

2. Click the virtual site in which you installed a certificate.

3. Right-click the virtual host if you want to configure certificates for the entire site, or right-click a folder if you want to configure certificates for only a certain directory. Choose Properties.

4. In the Properties window, open the Directory Security tab.

5. In the Secure Communications window, shown in Figure 10-7, check the Enable Client Certification box and click the Edit button. Here you can edit your certificate settings.

   
   Figure 10-7: The Secure Communications window

Requiring Secure Communication

In the Secure Communications window, check the Require Secure Channel (SSL) checkbox to require encryption. You can also choose to require 128-bit encryption by clicking the appropriate checkbox. If you require 128-bit encryption, your web server will communicate only with web browsers that are capable of 128-bit encryption. By clicking the Require Client Certificates radio button in the Client Certificates area, you will deny access to any visitors that don't have a client certificate. You will not gain any access control with client certificates until you configure client certificate mapping or certificate trust lists.

Mapping Client Certificates to User Accounts

With IIS client certificate account mappings, you can map a client certificate to a specific user account, or map a group of certificates that match a certain criteria to a single user account.

One-to-One Mapping

A one-to-one mapping compares the certificate that the client sends to a certificate you have stored. If they match, the authentication is successful. Using client certificates, the server can authenticate the client, so they are useful when you're not using anonymous access. If the client creates a new certificate with the same information, the client will not be able to authenticate with the same one-to-one mapping; because the new certificate will not match the one IIS has stored, the one-to-one mapping would have to be re-created with the new certificate.

To use one-to-one mapping, you need to export the client certificates from your CA. This can be accomplished through the Certification Authority snap-in.

1. Choose Start | Administrative Tools | Certification Authority.

2. In the Certification Authority snap-in, select Issued Certificates.

3. Right-click the certificate that you would like to export, and choose All Tasks | Export Binary Data.

4. In the Export Binary Data dialog box, select Binary Certificate from the drop-down list (this should be selected by default).

5. Select the Save Binary Data To A File radio button.

6. Name the file something descriptive, such as the name of the user.

7. Save the file somewhere that the web server can access it, or save to a floppy.

8. Click Save.

Now that the client certificate has been exported, you can set up one-to-one mapping in IIS:

1. Open the IIS MMC by choosing Start | Administrative Tools | Internet Information Services (IIS) Manager.

2. Open the Properties for the web site you wish to set up client certificate mapping for by right-clicking the site and choosing Properties.

3. In the Properties window, open to the Directory Security tab.

4. In the Secure Communications section, click the Edit button.

5. In the Secure Communications window, check the Enable Client Certificate Mapping checkbox, and click the Edit button.

6. In the Account Mappings window, open the 1-to-1 tab (it should be open by default).

7. Click Add.

8. In the Open window, browse to the directory to which you saved the exported certificate and select it.

9. Click Open.

10. In the Map To Account window, name the map something descriptive.

11. Click Browse to select the account to which you want to map.

12. Select the account, click OK, and the account will populate in the Map To Account window.

13. Enter the account password.

14. Click OK.

15. Confirm the password.

16. Click OK.

You can repeat this process for as many client mappings as you like.

Many-to-One Mapping

With many-to-one mapping, you compare a set of criteria with the user certificate. If the information matches, the client is authenticated. In many-to-one mapping, you can authenticate several users with one rule. For example, you could allow all certificates issued by a particular CA to be mapped to one user account. This could be handy for authenticating all users from a sister company that uses a different CA than yours. Since many-to-one mappings are comparing information instead of certificates, if a user creates a new certificate with the same information, they would still be able to authenticate. You also don't have to extract certificates as you do in one-to-one mapping. Many-to-one rules are processed in order; the first rule that matches authenticates the user. Keeping this in mind, the last rule should always be to deny everybody (unless you have a reason not to).

Before you make some rules, it may be helpful to know what kind of fields are included in a certificate that you can use for these rules:

1. In Windows Explorer, double-click a certificate file (such as a .cer file).

2. Click Details.

3. In the Details tab of the Certificate window, shown in Figure 10-8, the usable information is located under Issuer and Subject.

   
   Figure 10-8: The Details tab of the Certificate window

With this in mind, you can now create the default deny rule:

1. Open the IIS MMC.

2. Open the Properties window of the web site for which you want to set up client certificate mapping, and then open the Directory Security tab.

3. In the Secure Communications section, make sure Enable Client Certificate Mapping is checked, and then click the Edit button.

4. Click the Many-to-1 tab in the Account Mappings window.

5. Click Add.

6. In the General window, name the Wildcard Matching Rule something descriptive, such as Deny All. The Enable This Wildcard Rule checkbox should be checked by default.

7. Click Next. Then click New.

8. In the Rules window, select criteria that will match every certificate, such as

   • Certificate field: Issuer

   • Sub field: CN

   • Criteria: * (The asterisk will catch every possible entry)

9. Leave the Match Capitalization checkbox checked.

10. Click OK, and then click Next.

11. In the Mapping window, click the Refuse Access radio button.

12. Click Finish.

Now every visitor will be denied access, regardless of his or her certificate. The next obvious step is to make some rules that will allow access:

1. In the Account Mappings window from steps 3 and 4, click Add.

2. In the General window, name the rule something descriptive, such as Engineering Department.

3. Again, leave the Enable This Wildcard Rule checkbox checked.

4. Click Next, and then click New.

5. In the Rules window, select the appropriate setting, such as

   • Certificate Field: Subject

   • Sub Field: OU

   • Criteria: Engineering

6. Remember to toggle on or off the Match Capitalization checkbox if necessary; it is checked by default.

7. If this is enough information to identify the group you are authenticating, click Next. Otherwise, click New again to add as many rules as necessary.

8. In the Mapping window, select the account name and password of the account to which you want to map.

9. Click Finish.

10. Type the password again in the Confirm Password window that pops up.

11. Click OK.

12. Make sure that you order your rules appropriately, as shown in Figure 10-9. Everything below the deny rule will be ignored. Use the Move Up and Move Down buttons as necessary to order the list.

    
    Figure 10-9: Account Mappings rules

13. Click OK to exit the Account Mappings window.

Backing Up and Restoring a Certificate

When backing up your SSL certificate, you will need to back up your private key along with the certificate from the Certification Authority snap-in.

To back up your certificate and private key:

1. Open the Certification Authority snap-in by choosing Start | Administrative Tools | Certification Authority.

2. Click the plus (+) in front of Personal.

3. Click Certificates.

4. Right-click your certificate and select Export.

5. Click Next.

6. Select the Yes, Export The Private Key radio button, and then click Next.

7. Select the Personal Information Exchange radio button.

8. Check Include All Certificates In The Certification Path, If Possible checkbox. Uncheck everything else.

9. Click Next.

10. Chose a password, and then click Next.

11. Click Browse.

12. Name your file something descriptive, and select a directory in which to save it.

13. Click Save, then click Next, and then click Finish.

    Caution

    This can be dangerous if the certificate and private key backup falls into the wrong hands. Make sure this is saved in a secure location.

To restore your certificate:

1. Open the IIS MMC.

2. Right-click the virtual server to which you want to restore a certificate, and choose Properties.

3. In the Secure Communications section in the Directory Security tab of the Properties window, click Server Certificate.

4. The Welcome To The Web Server Certificate Wizard Window pops up. Click Next.

5. Select the Import Certificate From A .pfx File radio button. Then click Next.

6. Click Browse, and select your .pfx file. Then click Next.

7. Enter the password. Click Next.

8. The wizard then asks for the SSL port number to use at this point. The default is 443, and should not be changed unless you have a good reason to, because clients look for SSL communication on port 443 by default.

9. Click Next.

10. You are presented with the certificate information. Click Next. Then click Finish.

    The certificate has now been restored!