Encryption

Authentication provides one half of the story, and in this section you ll examine the second half: encryption. Encryption even plays a role in the authentication story when you re using authentication systems such as Basic Authentication that don t encrypt the username and password data when they transmit.

There s one encryption system that is predominant on the Internet, be it encrypting authentication information, encrypting credit card information, or keeping other information on a Web site protected. That system is HTTPS.

Both IIS and Internet Explorer support HTTPS. Again, it s more interesting when you want to have programmatic HTTPS support ”for example, in a client application. In this section you ll create a simple ATL Server Web service and expose it over HTTPS. You ll use the HTTPS support in WinHTTP to access this service from the client.

To set up an HTTPS server you ll need to have a trusted certificate on your machine. Usually you ll use a company such as VeriSign to get certificates, but for development and testing purposes, you can create your own certificate server (this requires that you have a server version of Windows installed). Use the Add/ Remove Windows Components dialog box (available under the Add/Remove Programs option in the Control Panel) to install the certificate server components on your machine.

Your machine is now a certificate authority, and you can make a request against your certificate authority to request a certificate. The easiest way to request a certificate is to use your Web browser. If you look under your IIS settings, you ll notice that the machine that you made a certificate server (say, MyCertServer ) has a new vroot called something like CertServ . If you go to http://MyCertServer/CertServ you ll see a number of options, including Request a Certificate. You can also use the certreq.exe utility to request a certificate from a server.

If you open your certification authority (from Administrative Tools, or go back to the original Web site), you ll see a pending request. You can then choose to issue the certificate. Once the certificate is granted, you can install the certificate.

If you now go to IIS, select the properties for the Default Web Site, and go to Directory Security, you ll see that you can either request a certificate or assign an existing certificate. Your machine now requires that SSL be used for communication.

For more information on this topic, we recommend looking at the SecureSoap sample included with the Visual Studio .NET Product samples. This sample also demonstrates how to access a secure server from a custom client application (in this case, a Web service).