Enabling SSL on a Web Server Directory


SSL can be applied to an entire Web site, directories (including virtual directories), or just certain files within the site. You can specify which sections of the Web site are secured using SSL through the Internet Information Services (IIS) Manager. This Microsoft Management Console (MMC) snap-in should also be used in conjunction with authentication methods and access control lists (ACLs) to ensure that access to those resources is as secure as possible.

SSL Requires an X.509 Digital Certificate

SSL requires an X.509 digital certificate that can be obtained either from a trusted certificate authority such as Verisign or from the company's public key infrastructure (PKI).


To assign a certificate to a Web site, the certificate must first be requested and then installed. The request can be created to obtain a certificate either from an external Trusted Certificate Authority (CA) or, for internal use, from a standalone root CA or Enterprise CA within the organization's PKI. For example, to request and install a certificate from an internal Enterprise CA, perform the following steps:

  1. Open IIS Manager; expand the desired computer and Web sites, and locate the Web site to which the certificate will be assigned.

  2. Right-click on the Web site and select Properties.

  3. On the Directory Security tab, select Server Certificate located in the secure communications section.

  4. The Web Server Certificate Wizard will open; click Next.

  5. Choose the Create a New Certificate button and click Next.

  6. Select the Prepare Request Now, But Send It Later button and click Next.

  7. Type a "friendly" name in the dialog box and choose the desired Bit Length for the encryption key, then click Next.

  8. Type the company's legal name in the Organization box and, in the Organization Unit box, either the department responsible for this site or the company's security department, and then click Next.

  9. Type the name of the computer hosting the Web site in the Common Name box. If the site will be accessed from the Internet be sure to fill in the fully qualified domain name, such as server.domain.com. Click Next.

  10. Select a Country or Region from the first pull-down menu and type in the State/Province and City/Locality that will be embedded in the certificate; click Next.

  11. Enter an easily remembered filename, including path, or browse for a desired location and enter the filename in that path. (This file is important and will be used in subsequent steps. Note its name and location.) Click Next.

  12. The next screen is called the Request File Summary. If there are any errors, select the Back button and navigate to the page where the data was entered and correct it now. If everything looks correct click Next and then Finish.

The name on the security certificate is invalid or does not match the name of the site

The Common Name in step 9 is the name that the certificate is published with and is checked against for validity. If this name does not match the URL exactly, the user will receive an error stating "The name on the security certificate is invalid or does not match the name of the site."
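The name check described above, sketched as an added example (not code from the book or from IIS): it compares the host in each URL with the certificate's Common Name and reports which URLs would trigger the mismatch error. The function names and sample names are assumptions added here, and the wildcard rule goes beyond the exact-match case in the text.

```python
from urllib.parse import urlsplit


def host_from_url(url):
    """Return the lower-cased host that is compared against the certificate."""
    host = urlsplit(url).hostname  # drops scheme, port and path; lower-cases
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


def name_matches(cert_name, host):
    """Case-insensitive, label-by-label comparison of certificate name and host.

    A '*' is honoured only as the entire left-most label and covers exactly
    one label, so '*.domain.com' matches 'www.domain.com' but not 'domain.com'.
    Modern clients apply the same comparison to subjectAltName DNS entries
    rather than to the Common Name.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (no '*.com').
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check_urls(common_name, urls):
    """Map each URL to True (name accepted) or False (name-mismatch error)."""
    return {u: name_matches(common_name, host_from_url(u)) for u in urls}


# Constructed sample: the Common Name from step 9 and ways users reach the site.
COMMON_NAME = "server.domain.com"
SAMPLE_URLS = [
    "https://server.domain.com/secure/",  # FQDN as typed in step 9
    "https://SERVER.domain.com:443/",     # case and port do not matter
    "https://server/secure/",             # short intranet name
    "https://192.168.1.10/secure/",       # IP address instead of name
    "https://www.domain.com/",            # different host in same domain
]

if __name__ == "__main__":
    for url, ok in check_urls(COMMON_NAME, SAMPLE_URLS).items():
        print(("OK        " if ok else "MISMATCH  ") + url)
```

Running the check against every URL that users, bookmarks and links actually use for the site shows, before the request is submitted, whether the Common Name chosen in step 9 will produce the error.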


After the certificate is requested it can be sent to an external trusted certificate authority. This is usually the case when the SSL secured content is going to be viewed by customers. If the SSL secured pages are going to be viewed internally or by users who can be instructed on how to install an internally generated certificate, the less costly option is to generate the certificate with the internal PKI services. To process the certificate request internally follow these steps:

  1. Enter the URL of the company's IIS server that is hosting Certificate Services (for example, http://servername/certsrv).

  2. If a sign-in dialog box appears, enter a username and password with sufficient privileges to generate the certificate and click OK.

  3. On the initial Welcome page select Request a Certificate.

  4. On the Request a Certificate page select Submit an Advanced Certificate Request.

  5. On the Advanced Certificate Request page select Submit a Certificate Request By Using a Base-64-encoded CMC or PKCS #10 File, or Submit a Renewal Request By Using a Base-64-encoded PKCS #7 File.

  6. On the Submit a Certificate Request or Renewal Request page, click the Browse for a File to Insert link, click the Browse button, and find the certificate request text file created in the previous section.

  7. When the filename appears in the Full Path Name box click on the Read button. The Saved Request box will now be populated with the text that was contained in the certificate request.

  8. Under the Certificate Template section use the pull-down menu to select Web Server and then click the Submit button.

  9. On the Certificate Issued page, select the Download Certificate link. When prompted, select Save and choose a folder and filename under which to save the certificate. When the download is complete click Close and then close the browser window.

  10. Open IIS Manager and navigate to the Web site for which the certificate was created.

  11. Right-click on the Web site and select Properties.

  12. Click on the Directory Security tab and select the Server Certificate button.

  13. Click Next on the initial Server Certificate Wizard page.

  14. Select Process the Pending Request and Install the Certificate, and then click Next.

  15. Browse for the certificate file that was created in the previous steps and select it (this will be a filename ending in .cer). Click Next.

  16. On the SSL Port page enter the desired SSL listening port for this Web site (443 is default). Click Next.

  17. On the Certificate Summary page the information from the certificate response file is displayed. Ensure that the correct filename and corresponding information are displayed. If they are not, click on the Back button and choose the correct file. If the information is correct click Next, and then Finish.

After the certificate is installed on the site all three buttons under the Secure Communications section of the Directory Security tab become available for selection.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
