Microsoft KB Archive/234271

= INFO: Installing a VeriSign SGC certificate on IIS 4.0 =

Article ID: 234271

Article Last Modified on 11/17/2005


APPLIES TO


 * Microsoft Internet Information Server 4.0




This article was previously published under Q234271



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
This article describes how to install a VeriSign Server Gated Crypto (SGC) certificate on a computer running Microsoft Internet Information Server (IIS) version 4.0. VeriSign uses the term "Global ID" to refer to their SGC certificates.



MORE INFORMATION
The process for configuring non-US versions of IIS 4.0 (for example, the English international 40-bit version) to use a VeriSign SGC certificate is as follows.

Prerequisites
Note Bypass the Prerequisites section if Windows NT 4.0 Service Pack 4 has been applied to the IIS 4.0 computer.

 * Ensure that you have at least Windows NT 4.0 Service Pack 3 applied on the IIS computer.
 * Make sure that you obtain the latest Schannel patch and Sgcinst.exe files from ftp://ftp.microsoft.com/ and that you view the Readme file prior to implementation on a live environment. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

148427 Generic SSL (PCT/TLS) updates for IIS and Microsoft Internet products

 Check the EnableSGC registry value in the following registry key:

NEL is set to 1. If this value is different or not created, use Registry Editor to modify or add the DWord value.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Obtaining the SGC certificate
At this stage, the IIS computer is configured with the necessary file revisions to accept the SGC certificate. Go to the VeriSign Web site and request an SGC digital ID. When VeriSign approves your certificate request, you will receive your certificate in the mail.

Note Some e-mail systems may corrupt the valid certificate. Please check with your vendor. At present there are no known issues with Microsoft Exchange Server.

Sample certificate

Configuring and installing the certificate
The certificate will be sent in the body of an e-mail message. Copy the contents of the mail message into a text file using a plain text editor (one that does not insert specific format information, such as Notepad.exe). Make sure that the very first line is "--Begin Certificate--" and that the last line is "--End Certificate--".

Formatting the certificate
Notes

 * Do not use Microsoft Word. Microsoft Word specifically formats documents. Microsoft Notepad.exe does not apply any specific formatting.
 * Make sure that you do not have the Word Wrap feature set on your text processor, and that there are no leading or trailing spaces on EACH line in the certificate.
 * Make sure that the "Begin Certificate" and "End Certificate" lines are separate from the main body of the message (certificate).

Steps

 * Save this file as a text file.
 * Run the Sgcinst.exe utility that you obtained from the Microsoft FTP site against the raw certificate. The command should be similar to the following:

C:\sgcinst.exe -i -o sgccert.txt rawcert.txt

 * Install the new output file (for example, Sgccert.txt) as the certificate in Key Manager.

The IIS 4.0 computer should now negotiate 128-bit secure sessions.
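The formatting rules under "Formatting the certificate" can be checked mechanically before the raw file is passed to Sgcinst.exe. The following is an added example, not part of the original article or of any Microsoft tool: the function name `lint_pem` is hypothetical, the markers are assumed to be the standard PEM lines `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`, and the sample input is constructed rather than a real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def lint_pem(text):
    """Return a list of formatting problems found in a pasted certificate."""
    problems = []
    lines = text.split("\n")
    if lines and lines[-1] == "":          # a single final newline is fine
        lines.pop()
    lines = [l[:-1] if l.endswith("\r") else l for l in lines]  # accept CRLF
    for n, line in enumerate(lines, 1):
        if line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
        elif line == "":
            problems.append(f"line {n}: blank line")
    stripped = [l.strip() for l in lines if l.strip()]
    if not stripped or stripped[0] != BEGIN:
        problems.append("first line is not the BEGIN CERTIFICATE marker")
    if not stripped or stripped[-1] != END:
        problems.append("last line is not the END CERTIFICATE marker")
    body = [l for l in stripped if l not in (BEGIN, END)]
    for l in body:
        if not B64_LINE.match(l):
            problems.append(f"non-base64 text in body: {l[:20]!r}")
    # Every body line except the last should have the same width; ragged
    # widths are the usual sign of word wrap or a mail client re-flowing text.
    if len({len(l) for l in body[:-1]}) > 1:
        problems.append("body lines have uneven widths (re-wrapped?)")
    try:
        der = base64.b64decode("".join(body), validate=True)
        if not der.startswith(b"\x30"):
            problems.append("decoded body does not start with a DER SEQUENCE")
    except ValueError:
        problems.append("body does not decode as base64")
    return problems

# Constructed sample: 260 bytes shaped like a DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
CHUNKS = [SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)]
GOOD = "\r\n".join([BEGIN, *CHUNKS, END]) + "\r\n"
MANGLED = GOOD.replace("\r\n", " \r\n  ", 2)   # stray spaces, as after a bad paste

if __name__ == "__main__":
    print(lint_pem(GOOD))
    print(lint_pem(MANGLED))
```

An empty result means the file meets the layout rules listed above; it says nothing about whether the certificate itself is valid or trusted.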

Additional query words: SGCInst Certificate

Keywords: kbinfo KB234271


© Microsoft Corporation. All rights reserved.