Recipe 12.10. Enabling SSL on a Web Site

Problem

You want to enable SSL on a web site on which you have previously installed a server certificate.

Solution

Using a graphical user interface

To enable SSL on the MTIT Corp web site where we installed a server certificate in Recipe 12.9, do the following:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the console tree to display the MTIT Corp web site, right-click on the site, and select Properties.

  3. Select the Directory Security tab.

  4. Under Secure Communications, click Edit.

  5. Select the checkbox labeled Require Secure Channel (SSL) and click OK twice.

To verify that SSL works, do the following:

  1. Open Internet Explorer on the IIS server and try to open a URL using the IP address of the MTIT Corp web site; for example, http://172.16.11.210. You should get an HTTP 403.4 error message: "Forbidden: SSL is required to view this resource."

  2. Try to open a secure URL with the IP address of the MTIT Corp web site, for example https://172.16.11.210. You should be able to view the default document (home page) of the site.

Using VBScript

' This code enables 128-bit SSL on a web site.
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ServerName>"
strSiteID = "<SiteID>"     ' e.g., 1 for the Default Web Site
' Taken from AccessSSLFlags
'   8 = AccessSSL
'   256 = AccessSSL128
intFlag = 8 + 256
' ------ END CONFIGURATION ---------
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/" & strSiteID)
objWebSite.AccessSSLFlags = intFlag
objWebSite.SetInfo
WScript.Echo "Successfully modified SSL settings for: " & _
             objWebSite.ServerComment

Discussion

If a Security Alert dialog box appears (see Figure 12-3 for an example) when you try step 7 in the graphical solution (opening the https:// URL), your browser's certificate root store (the list of CAs your browser trusts) may not contain a root certificate that can validate your server certificate. This can happen, for example, if you obtain and install a limited-time test certificate from a third-party CA so you can test an SSL web site you are developing before you purchase a server certificate and roll your server into production. In this case, the solution is to download the test root certificate (a *.cer file) from the CA and install it into Internet Explorer's root store as follows:

  1. Open Internet Explorer and select Tools → Internet Options. Select the Content tab and click the Certificates button.

  2. Select the Trusted Root Certification Authorities tab.

  3. Click Import to start the Certificate Import Wizard and click Next.

  4. Browse to the test root certificate (*.cer) file that you downloaded from the CA and open it.

  5. Click Next twice and then Finish.

Figure 12-3. Security Alert dialog box


The Security Alert box in Figure 12-3 should now not appear when you try to open the https:// URL for your SSL-enabled web site.

The other settings on the Secure Communications dialog box deserve some mention. While server certificates identify web servers to clients, web clients can also have their own certificates, called client certificates, that they can use to prove their identity to the server. By default, SSL-enabled sites on IIS are configured to ignore client certificates; that is, they authenticate clients regardless of whether the clients can prove their identity using a certificate. If desired, you can configure SSL sites to accept or require client certificates. Requiring them is common in high-security environments where both sides (client and server) must be trusted. Client certificates can also be mapped to user accounts so that the client's certificate is used for authentication instead of the user's credentials. For more information on client certificate mapping, see MS KB 315588.
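As an added example that is not part of the recipe, the following Python models the metabase AccessSSLFlags bitmask that the VBScript solution writes (8 = AccessSSL, 256 = AccessSSL128) together with the client-certificate bits behind the Secure Communications options discussed above; the function and finding names are my own. It lets you compose a value before calling SetInfo, or audit a value read back from a site for weak or inconsistent settings.

```python
from typing import Dict, List, Set

# Bit values of the IIS 6 metabase AccessSSLFlags property.
ACCESS_SSL_FLAGS: Dict[str, int] = {
    "AccessSSL": 8,                # Require Secure Channel (SSL)
    "AccessSSLNegotiateCert": 32,  # Accept client certificates
    "AccessSSLRequireCert": 64,    # Require client certificates
    "AccessSSLMapCert": 128,       # Map client certificates to Windows accounts
    "AccessSSL128": 256,           # Require 128-bit encryption
}


def decode_access_ssl_flags(value: int) -> Set[str]:
    """Names of the flags set in an AccessSSLFlags value read from a site."""
    return {name for name, bit in ACCESS_SSL_FLAGS.items() if value & bit}


def build_access_ssl_flags(require_ssl: bool = True, require_128bit: bool = True,
                           client_certs: str = "ignore", map_certs: bool = False) -> int:
    """Compose AccessSSLFlags; client_certs is "ignore", "accept" or "require"."""
    if client_certs not in ("ignore", "accept", "require"):
        raise ValueError(f"unknown client_certs mode: {client_certs!r}")
    value = 0
    if require_ssl:
        value |= ACCESS_SSL_FLAGS["AccessSSL"]
        if require_128bit:
            value |= ACCESS_SSL_FLAGS["AccessSSL128"]
    if client_certs != "ignore":          # both "accept" and "require" negotiate
        value |= ACCESS_SSL_FLAGS["AccessSSLNegotiateCert"]
    if client_certs == "require":
        value |= ACCESS_SSL_FLAGS["AccessSSLRequireCert"]
    if map_certs:
        value |= ACCESS_SSL_FLAGS["AccessSSLMapCert"]
    return value


def audit_access_ssl_flags(value: int) -> List[str]:
    """Report weak or inconsistent settings in a site's AccessSSLFlags value."""
    flags = decode_access_ssl_flags(value)
    findings: List[str] = []
    if "AccessSSL" not in flags:
        findings.append("SSL not required: plain http:// requests are served")
    elif "AccessSSL128" not in flags:
        findings.append("SSL required but 128-bit encryption not enforced")
    if "AccessSSLRequireCert" in flags and "AccessSSLNegotiateCert" not in flags:
        findings.append("client certs required but AccessSSLNegotiateCert not set")
    if "AccessSSLMapCert" in flags and "AccessSSLNegotiateCert" not in flags:
        findings.append("certificate mapping set but client certs are ignored")
    return findings
```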

See Also

Recipe 12.9 and MS KB 315588 (HOW TO: Secure an ASP.NET Application Using Client-Side Certificates)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen