Recipe 12.10. Enabling SSL on a Web Site

Problem

You want to enable SSL on a web site on which you have previously installed a server certificate.

Solution

Using a graphical user interface

To enable SSL on the MTIT Corp web site where we installed a server certificate in Recipe 12.9, do the following:
To verify that SSL works, do the following:
Using VBScript

' This code enables 128-bit SSL on a web site.
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ServerName>"
strSiteID = "<SiteID>"
' Taken from AccessSSLFlags
'   8   = AccessSSL     (SSL is required)
'   256 = AccessSSL128  (128-bit encryption is required)
intFlag = 8 + 256
' ------ END CONFIGURATION ---------

' Bind to the web site's metabase node through the IIS ADSI provider.
Set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/" & strSiteID)
objWebSite.AccessSSLFlags = intFlag
' Commit the change to the metabase.
objWebSite.SetInfo
WScript.Echo "Successfully modified SSL settings for: " & _
    objWebSite.ServerComment

Discussion

If a Security Alert dialog box appears (see Figure 12-3 for an example) when you try step 7 in the graphical solution, your browser's certificate root store (the list of CAs your browser trusts) may not contain a root certificate that can validate your server certificate. This can happen, for example, if you obtain and install a limited-time test certificate from a third-party CA so you can test an SSL web site you are developing before you go ahead and purchase a server certificate and roll your server into production. In this case, the solution is to download the test root certificate (a *.cer file) from the CA and install it into Internet Explorer's root store as follows:
Figure 12-3. Security Alert dialog box

The Security Alert box in Figure 12-3 should no longer appear when you try to open the https:// URL for your SSL-enabled web site.

The other settings on the Secure Communication dialog box deserve some mention. While server certificates identify web servers to clients, web clients can also have their own certificates, called client certificates, that they can use to prove their identity to the server. By default, SSL-enabled sites on IIS are configured to ignore client certificates, i.e., to authenticate clients regardless of whether they can prove their identity using a certificate. If desired, you can configure SSL sites to require that clients have certificates. This is often used in high-security environments where both sides (client and server) must be trusted. Client certificates can also be mapped to user accounts so that the client's certificate is used for authentication purposes instead of the user's credentials. For more information on client certificate mapping, see MS KB 315588.

See Also

Recipe 12.9 and MS KB 315588 (HOW TO: Secure an ASP.NET Application Using Client-Side Certificates)
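
To check the result of the script in the solution, and to see which of the client certificate settings described in the Discussion each site uses, you can read AccessSSLFlags back for every site on a server. The following VBScript is an added example and is not part of the original recipe; the values 32, 64 and 128 (AccessSSLNegotiateCert, AccessSSLRequireCert, AccessSSLMapCert) do not appear in the recipe and are taken from the definition of the same AccessSSLFlags metabase property, and the function name DescribeSSL is chosen here for illustration.

```vbscript
' Added example: report the SSL settings of every web site on a server.
Option Explicit

' AccessSSLFlags bits. 8 and 256 appear in the recipe; 32, 64 and 128
' are the client certificate bits of the same metabase property.
Const ACCESS_SSL = 8
Const ACCESS_SSL_NEGOTIATE_CERT = 32
Const ACCESS_SSL_REQUIRE_CERT = 64
Const ACCESS_SSL_MAP_CERT = 128
Const ACCESS_SSL_128 = 256

Dim strComputer, objService, objSite
strComputer = "<ServerName>"

Set objService = GetObject("IIS://" & strComputer & "/W3SVC")
For Each objSite In objService
    ' W3SVC also holds children that are not web sites; skip them.
    If objSite.Class = "IIsWebServer" Then
        WScript.Echo "Site " & objSite.Name & " (" & objSite.ServerComment & _
            "): " & DescribeSSL(objSite.AccessSSLFlags)
    End If
Next

' Hypothetical helper: turns the flag value into a readable summary.
Function DescribeSSL(intFlags)
    Dim strOut
    If (intFlags And ACCESS_SSL) = 0 Then
        strOut = "SSL not required (plain HTTP accepted)"
    ElseIf (intFlags And ACCESS_SSL_128) <> 0 Then
        strOut = "SSL required, 128-bit"
    Else
        strOut = "SSL required, any key strength"
    End If

    If (intFlags And ACCESS_SSL_REQUIRE_CERT) <> 0 Then
        strOut = strOut & "; client certificates required"
        ' Requiring a certificate only works if one is also negotiated.
        If (intFlags And ACCESS_SSL_NEGOTIATE_CERT) = 0 Then
            strOut = strOut & " (WARNING: negotiate bit not set)"
        End If
    ElseIf (intFlags And ACCESS_SSL_NEGOTIATE_CERT) <> 0 Then
        strOut = strOut & "; client certificates accepted"
    Else
        strOut = strOut & "; client certificates ignored"
    End If

    If (intFlags And ACCESS_SSL_MAP_CERT) <> 0 Then
        strOut = strOut & "; certificate mapping enabled"
    End If
    DescribeSSL = strOut
End Function
```

The script reports the value set at the site level only; AccessSSLFlags can also be set on virtual directories and files below the site, where it overrides the site's value.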