Wednesday, July 7, 2010

How to implement HTTPS / SSL on IIS 6.0 web servers

You need to buy a certificate signed by a certificate authority your browsers already trust, or by an authority that also supplies an 'intermediate certificate bundle' (the chain of certificates that links that authority up to the root CA authorities which your browsers trust).

The example below explains how to do it with a GoDaddy certificate and a GoDaddy dedicated server:

When buying a new certificate or downloading an existing one (from your GoDaddy account) you receive a zip file that contains the certificate (.crt) and an intermediate certificate (.p7b).

The certificate is signed by GoDaddy, and the intermediate certificate is a 'chain certificate' that shows who signed the GoDaddy certificate, and who signed that one, and so on up to the root certificate authority (this is needed because GoDaddy itself is not trusted by Firefox browsers, only by IE).

In order to download the certificate from GoDaddy, you need to initiate a request from the web site on IIS:

Taken from http://help.godaddy.com/topic/746/article/5277 :

Follow the below instructions to generate a CSR for your website. When you have completed generating your CSR, cut/copy and paste it into the CSR field on the SSL certificate-request page.

NOTE: You must have at least Service Pack 1 installed before generating a CSR.

To Generate and Submit the Certificate Signing Request (CSR)

1. Open the Administrative Tools menu (right click on My Computer; select Manage or Control Panel; select Administrative Tools.)

2. Select Internet Information Services.

3. Select the computer and website (host) that you wish to secure. Right click and select Properties.

4. Click the Directory Security tab.

5. Click the Server Certificate... button (located in the Secure communications area).

6. Click Next in the Welcome to the Web Server Certificate Wizard window.

7. Select Create a new certificate; then click Next.

8. Select Prepare the request now, but send it later and click Next.

9. In the Name and Security Settings window, fill in the name field for the new certificate; then select the bit length (2048 or higher). Click Next.

10. Enter your Distinguished Name field information. The following characters cannot be accepted:

< > ~ ! @ # $ % ^ * / \ ( ) ? &.

11. Complete the Distinguished Name Fields:

o Organization - The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor's name in the "Organization" field, and the DBA (doing business as) name in the "Organizational Unit" field.

o Organizational Unit - Optional. Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.

o Common Name - The Common Name is the fully-qualified domain name - or URL - for which you plan to use your certificate, e.g., the area of your site you wish customers to connect to using SSL. For example, an SSL certificate issued for "www.yourcompanyname.com" will not be valid for "secure.yourcompanyname.com." If the Web address to be used for SSL is "secure.yourcompanyname.com," ensure that the common name submitted in the CSR is "secure.yourcompanyname.com."

NOTE: If you are requesting a Wildcard certificate, please add an asterisk (*) on the left side of the Common Name (e.g., "*.coolexample.com" or "www*.coolexample.com"). This will secure all subdomains of the Common Name.

o Country - The two-letter International Organization for Standardization- (ISO-) format country code for the country in which your organization is legally registered.

o State/Province - Name of state or province where your organization is located. Please enter the full name. Do not abbreviate.

o City/Locality - Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.

12. Enter your Administrator contact information.

13. Enter a path and file name for the CSR.

14. Verify the information in the request and click Next.

15. On the Completing the Web Server screen, click Finish.

16. Open the generated CSR file; then, using a plain-text editor, such as Windows Notepad, copy and paste the CSR into our online enrollment form.

Now you can download the certificate zip file: in your GoDaddy account open the SSL section under "My Products", select the certificate, choose 'rekey' and paste your CSR into the dialog.

Install both the certificate (.crt) and the intermediate certificate (.p7b) following the instructions on this GoDaddy page:

http://help.godaddy.com/topic/742/article/4875

After your certificate request is approved, you can download your SSL and intermediate certificate from within the SSL application. For more information see Downloading Your SSL Certificate. Both of these files must be installed on your Web server.

You may also download the intermediate certificate from the repository.

To Install the Intermediate Certificate Bundle

1. Click the Start menu and click Run.... Type mmc in the Run window and click OK to start the Microsoft Management Console (MMC).

2. In the Management Console, select File then Add/Remove Snap In.

3. In the Add or Remove Snap-ins dialog, click the Add button and then select Certificates.

4. Choose Computer Account then click Next.

5. Choose Local Computer, then click Finish.

6. Close the Add or Remove Snap-ins dialog and click OK to return to the main MMC window.

7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.

8. Right-click on Intermediate Certification Authorities and choose All Tasks, then click Import.

9. Follow the wizard prompts to complete the installation procedure.

10. Click Browse to locate the certificate file. Change the file extension filter in the bottom right corner to be able to select the file. Click Open after selecting the appropriate file.

11. Click Next in the Certificate Import Wizard.

12. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next. Click Finish.

NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.

13. Expand the Trusted Root Certification Authorities folder

14. Double-click the Certificates folder to show a list of all certificates.

15. Find the Go Daddy Class 2 Certification Authority certificate.

16. Right-click on the certificate and select Properties.

17. Select the radio button next to Disable all purposes for this certificate.

18. Click OK.

19. Repeat steps 13 to 18, using Starfield Class 2 Certificate Authority as the certificate name to disable.

NOTE: Do not disable the Go Daddy Secure Certification Authority certificate located in the Intermediate Certification Authorities folder. Doing so will break the server, causing it to stop sending the correct certificate chain to the browser.

To Install the SSL Certificate

1. Select the Internet Information Service console within the Administrative Tools menu.

2. Select the website (host) for which the certificate was made.

3. Right mouse-click and select Properties.

4. Select the Directory Security tab.

5. Select the Server Certificate option.

6. The Welcome to the Web Server Certificate Wizard window opens. Click OK.

7. Select Process the pending request and install the certificate. Click Next.

8. Enter the location for the certificate file at the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type all files).

9. When the correct certificate file is selected, click Next.

10. Verify the Certificate Summary to make sure all information is accurate. Click Next.

11. Select Finish.

And finally, restart the "IIS Admin Service" from the Windows Services panel.
Note: If after this step the web site is marked as stopped (refresh with F5 to see it), you probably have another existing SSL web site on the same server – this is a special case and it will cause both web sites to stop working until the SSL certificate is removed from one of them (see my next post on multiple SSL/HTTPS web sites on one IIS server).

If you have more than one server answering to the same host name (for example several IPs behind one DNS name for load balancing), repeat this process for each server, but instead of initiating a new request on each IIS, export the first certificate you installed to a .pfx file and import it on the other servers (the export will ask you to set a password, and you will need that same password for the import). Importing and exporting certificates is done through the Server Certificate button in the Directory Security tab of your web site's properties.
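The whole procedure above (CSR, intermediate bundle, server certificate, .pfx export for extra servers) comes down to one point: the leaf certificate only validates when the intermediate is available. The following is an added example, not from the original post or from GoDaddy, that builds a constructed root, intermediate and server certificate with openssl, packages the intermediate as a .p7b bundle, checks the chain with and without it, and exports a password-protected .pfx; all names, the password and the temp directory are demo assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed root -> intermediate -> leaf chain
# built with openssl; the intermediate is packaged as a DER .p7b like GoDaddy's bundle, the leaf
# is shown to verify only when that bundle is present, and leaf + bundle are exported to a
# password-protected .pfx as the post's multi-server step needs. Names/password are demo values.
WORK=$(mktemp -d)
PFX_PASS='demo-export-password'

make_demo_chain() {
  cd "$WORK" || return 1
  # Root CA, self-signed (in production this is the CA's root, never one you generate)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' \
    -keyout root.key -out root.crt 2>/dev/null
  # Intermediate CA signed by the root; without CA:TRUE openssl will not chain through it
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -days 2 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile int.ext -out int.crt 2>/dev/null
  # Server CSR for the Common Name clients will connect to, signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -subj '/CN=secure.example.test' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -days 2 -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out leaf.crt 2>/dev/null
  # Intermediate as a DER PKCS#7 bundle (.p7b), then unpacked to PEM for openssl verify
  openssl crl2pkcs7 -nocrl -certfile int.crt -outform DER -out bundle.p7b
  openssl pkcs7 -inform DER -print_certs -in bundle.p7b -out bundle.pem
  # .pfx carrying key, leaf and intermediate, for import on the other load-balanced servers
  openssl pkcs12 -export -in leaf.crt -inkey leaf.key -certfile bundle.pem \
    -passout "pass:$PFX_PASS" -out site.pfx
}
# 0 when the leaf chains to the root through the bundle: the state the post's steps aim for
verify_with_bundle() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/bundle.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}
# Non-zero: the root alone cannot build the chain ("unable to get local issuer certificate"),
# the same failure a browser sees when the server omits the intermediate
verify_without_bundle() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}
# Number of certificates in the .pfx (leaf + intermediate = 2)
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/site.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_demo_chain
verify_with_bundle && echo "with intermediate bundle: chain OK"
verify_without_bundle || echo "without intermediate bundle: chain FAILS"
echo "certificates in site.pfx: $(pfx_cert_count)"
```

The same `openssl verify -untrusted` check can be run against the real .crt and unpacked .p7b from the zip before touching IIS, and a .pfx that reports only one certificate is one that was exported without its chain.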
