Managing Site Certificates in the IIS Snap-In


Once you’ve installed a certificate on a Web site, you can use the IIS snap-in to manage it. Key management tasks are discussed in this section.

Viewing and Modifying Issued Certificates

Certificates contain the identity and geographic information specified in the original certificate request. They also have a number of properties set by the CA. These properties describe the certificate, set its authorized uses, and define the site for which the certificate is valid. If needed, you can modify the certificate to do the following:

  • Update the friendly name assigned when the certificate was created

  • Specify a detailed description of the certificate

  • Enable or disable purposes for which the certificate can be used

You can view or modify a site’s certificate by completing the following steps:

  1. In the IIS snap-in, right-click the Web site you want to manage and then select Properties.

  2. In the Directory Security tab, click View Certificate. This displays the Certificate dialog box, shown in Figure 8-21.

    Figure 8-21: The Certificate dialog box provides summary information on the site certificate, and you can use it to modify properties and export the certificate to a file.

  3. To view properties set when the certificate was issued, select the Details tab. Fields in the Details tab include:

    • Version The X.509 version used in creating the certificate

    • Serial Number The unique serial number for the certificate

    • Signature Algorithm The algorithm the CA used to sign the certificate

    • Issuer The issuer of the certificate

    • Valid From The date from which the certificate is valid

    • Valid To The date after which the certificate expires

    • Subject The subject of the certificate, which typically includes the identification and geographic information

    • Public Key The certificate’s public key and key algorithm

    • Thumbprint Algorithm The hash algorithm used to compute the certificate’s thumbprint

    • Thumbprint The thumbprint, a hash of the entire certificate that uniquely identifies it

    • Friendly Name The descriptive name assigned to the certificate

  4. To view or edit a list of purposes for which the certificate can be used, in the Details tab, click Edit Properties. You can then use the Certificate Properties dialog box, shown in Figure 8-22, to view or edit the certificate purposes.

    Figure 8-22: You can modify certificate purposes to meet your organization’s needs.

Renewing, Removing, and Replacing Certificates

Normally, certificates are valid for one year from the date they were issued. This means certificates must be renewed annually. You can also remove or replace certificates as necessary. To renew, remove, or replace a certificate, follow these steps:

  1. In the IIS snap-in, right-click the Web site you want to manage and then select Properties.

  2. Select the Directory Security tab and then click Server Certificate on the Secure Communications frame. This starts the Web Server Certificate Wizard. Click Next.

  3. As shown in Figure 8-23, you can now elect to renew, remove, or replace the current certificate. Make your selection and then continue through the remaining wizard pages.

    Figure 8-23: You can renew, remove, or replace a certificate at any time using the Web Server Certificate Wizard.

Exporting Site Certificates

You can export site certificates to a file, if necessary. To do this, complete the following steps:

  1. In the IIS snap-in, right-click the Web site you want to manage and then select Properties.

  2. In the Directory Security tab, click View Certificate. This displays the Certificate dialog box, shown previously in Figure 8-21.

  3. Select the Details tab and then select Copy To File. This starts the Certificate Export Wizard. Click Next.

  4. You can export the certificate file with or without the associated private key. If you want to export the private key, select Yes. Otherwise, select No. Click Next.

  5. The next page lets you choose the export file format. The default format should be adequate, so note the format that will be used and then click Next.

  6. If you elected to export the private key, you must now set a password for the certificate file. After you type and then confirm the password in the fields provided, click Next.

  7. Specify the name of the file you want to export. Click Browse if you want to use the Save As dialog box to set the file location and name.

  8. Click Next and then click Finish. Click OK to confirm a successful export. Click OK twice more to return to the IIS snap-in.
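The Details tab fields, the Valid To date that drives renewal, and the two export formats (certificate only, or certificate plus private key under a password) can all be reproduced with OpenSSL on a certificate exported from the snap-in. The following script is an added example, not part of the book; it builds a throwaway self-signed certificate (the subject values and file names are constructed for the demo) in place of one exported from IIS.

```shell
#!/bin/sh
# Added example: recreate the IIS Details-tab fields, a renewal check and a
# password-protected export with openssl. Paths and the sample certificate are
# constructed for this demo; nothing here comes from the book or from IIS itself.
set -eu
WORK="$(mktemp -d)"

# Constructed throwaway site certificate standing in for one exported from IIS
# (Copy To File without the private key gives a certificate-only .cer).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/site.key" -out "$WORK/site.cer" \
        -subj "/C=US/ST=Washington/L=Seattle/O=Example Corp/CN=www.example.test" \
        >/dev/null 2>&1
}

# Version, Serial Number, Signature Algorithm, Issuer, Valid From/To, Subject
show_details() {
    openssl x509 -in "$1" -noout -serial -subject -issuer -dates
    openssl x509 -in "$1" -noout -text | grep -E 'Version:|Signature Algorithm:' | head -n 2
}

# Thumbprint as the snap-in shows it: SHA-1 hash of the DER-encoded certificate,
# no colons, lowercase hex (this is a hash, not an encrypted value).
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Renewal check against the Valid To date: exit 0 if the certificate is still
# valid $2 days from now, 1 if it will have expired by then.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Equivalent of the wizard's "Yes, export the private key" path: a PKCS#12
# (.pfx) bundle of certificate plus key, protected by the password you set.
export_pfx() {   # $1 cert, $2 key, $3 output .pfx, $4 password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

make_sample_cert
show_details "$WORK/site.cer"
echo "thumbprint: $(thumbprint "$WORK/site.cer")"
valid_for_days "$WORK/site.cer" 30 && echo "no renewal needed within 30 days"
export_pfx "$WORK/site.cer" "$WORK/site.key" "$WORK/site.pfx" 'Chang3Me!'
```

Treat the resulting .pfx like the private key itself: the export password is the only thing protecting the key, so keep the file off shared locations and remove it once it has been imported.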

Ignoring, Accepting, and Requiring Client Certificates

Client certificates allow users to authenticate themselves through their Web browser. You might want to use client certificates if you have a secure external Web site, such as an extranet. If a Web site accepts or requires client certificates, you can configure client certificate mappings that control access to resources based on the client certificate presented. A client certificate can be mapped to a specific Windows account using a one-to-one mapping, or it can be mapped to an account based on rules you specify.

By default, IIS doesn’t accept or require client certificates. You can change this behavior. Keep in mind that accepting client certificates isn’t the same as requiring client certificates. When a site requires client certificates, the site is secured for access using SSL only and can’t be accessed using standard HTTP. When a site accepts client certificates rather than requires them, the site can use either HTTP or Hypertext Transfer Protocol Secure (HTTPS) for communications.

To configure client certificate usage, follow these steps:

  1. In the IIS snap-in, right-click the Web site you want to manage and then select Properties.

  2. Select the Directory Security tab and then click Edit on the Secure Communications frame. This displays the Secure Communications dialog box, shown in Figure 8-24.

  3. If you want to require SSL (and preclude the use of insecure communications), select Require Secure Channel (SSL). Optionally, you can also select Require 128-Bit Encryption if your server has 128-bit encryption installed and enabled.

  4. In the Client Certificates frame, select the Ignore, Accept, or Require Client Certificates option as necessary.

    Note

    You can only require client certificates when secure SSL communications are required as well. Because of this, you must check Require Secure Channel (SSL) when you want to require client certificates.

    Figure 8-24: Sites can ignore, accept, or require client certificates.

  5. If you want to map client certificates to Windows user accounts, select Enable Client Certificate Mapping and then click Edit. Then use the Account Mappings dialog box to configure certificate mappings.

  6. If you want to accept client certificates only from specific CAs, select Enable Certificate Trust List and then click New. This starts the Certificate Trust List Wizard, which you can use to specify the root CA certificates that are trusted. Client certificates from trusted root CAs will be accepted. Client certificates from other root CAs won’t be accepted.

  7. Click OK twice.

Requiring SSL for All Communications

In some cases you’ll want to create sites that can only be accessed using secure communications. You can do this by requiring SSL and prohibiting the use of insecure communications. To require SSL for communications with a Web site, follow these steps:

  1. In the IIS snap-in, right-click the Web site you want to manage and then select Properties.

  2. Select the Directory Security tab and then click Edit on the Secure Communications frame. This displays the Secure Communications dialog box, shown previously in Figure 8-24.

  3. Select Require Secure Channel (SSL) if you want to require SSL and preclude the use of insecure communications.

  4. Optionally, select Require 128-Bit Encryption if your server has 128-bit encryption installed and enabled.

  5. Click OK twice.




Microsoft IIS 6.0 Administrator's Consultant
Year: 2003
Pages: 116