Microsoft KB Archive/218445

= How to configure Certificate Server for use with SSL on IIS =

Article ID: 218445

Article Last Modified on 6/23/2005

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Windows NT 4.0
 * Microsoft Windows NT version 4.0 Option Pack

-



This article was previously published under Q218445



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
You can use Certificate Server to issue certificates for use with the Secure Sockets Layer (SSL). This is typically done on a local intranet, where you have the ability to directly inform your clients that they can trust your certificates.



MORE INFORMATION
Microsoft Internet Information Server (IIS) 4.0 supports the SSL 3.0 protocol, which uses certificates to identify both the client and server during communication, and to establish a one-time session key to encrypt and decrypt data transmitted during that particular communication session.

You can use Certificate Server 1.0, which is a component of the Windows NT Option Pack, to issue certificates for your clients to use.

Before SSL can be used, the following tasks must be performed on the server:
 * 1) Create a Root CA Certificate on the server.
 * 2) Install the Root CA Certificate on the server.
 * 3) Create a Key Certificate Request for the server.
 * 4) Process the Key Certificate Request for the server.
 * 5) Install the Key Certificate on the server.
 * 6) Secure the directory on the server.

Next, perform the following tasks on the client:
 * 1) Install the Root CA Certificate on the client.
 * 2) Install a Certificate on the client.
 * 3) Connect to the SSL-Secured directory from the client.

Note Each of the tasks listed above corresponds to a section below. Go to that section for details on how to perform that task.

Creating a root CA Certificate on the server
To create a root CA certificate on the server, simply perform the default installation of the Certificate Server component of the Windows NT Option Pack. The default installation automatically creates a root CA certificate.

Note If you choose to use Advanced Configuration, do NOT select the Non-root CA option.

Installing the root CA Certificate on the server
 * 1) Browse to http://localhost/certsrv/, click the Certificate Enrollment Tools link, and then click the Install Certificate Authority Certificates link.
 * 2) Click the Refresh button to verify that the information displayed is current, and then click the Certificate for \  link.
 * 3) In the File Download dialog box, select the Open this file from its current location radio button, and then click OK.

Perform the following steps if Windows NT 4.0, SP4 or SP5 is installed
 * 1) In the Certificate dialog box, click the Install Certificate button.
 * 2) When the Certificate Manager Import Wizard starts, click Next.
 * 3) When prompted to select a certificate store, select the Place all certificates into the following store radio button, and then click Browse.
 * 4) Select the Show Physical Stores option, open Trusted Root Certificate Authorities, and then click Local Computer. Click OK.
 * 5) Click Next, and then click Finish. Click OK to close the dialog box.
 * 6) Restart the server to cause the root CA certificate to take effect.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

194788 Windows NT Service Pack 4 and Client Certificates

Perform the following steps if Windows NT 4.0, SP3 is installed
 * 1) In the New Site Certificate dialog box, click OK (you will typically want to leave all of the check boxes selected).
 * 2) When prompted by Do you want to ADD the following certificate to the Root Store?, click Yes.
 * 3) At a command prompt, use the CD command to change directories to the %SystemRoot%\System32\InetSrv directory (for example, type cd \winnt\system32\inetsrv if your system root is \winnt).
 * 4) Type iisca to synchronize the root CA certificate stores used by IIS and Internet Explorer.
 * 5) Force the registry to be re-read, so that the new root CA certificate is recognized. Do this either by restarting the server, or by stopping the IISADMIN service and its dependent services (for example WWW, FTP, NNTP, SMTP, and so on) and then restarting the dependent services that you use. You can stop and restart these services in one of the following ways:
   * Open Control Panel, open Services, and then stop and restart the services.
   * Run NET STOP and NET START commands at a command prompt. To do this, follow these steps:
     * 1) At a command prompt, type net stop iisadmin /y to stop the IISADMIN service and its dependent services.
     * 2) Restart the dependent services you use. For example, to restart the WWW service, type net start w3svc. To restart FTP, type net start msftpsvc.

Creating a Key Certificate Request for the server

 * 1) Start the Internet Service Manager (ISM), which loads the Internet Information Server snap-in for the Microsoft Management Console (MMC).
 * 2) Right-click the Web site, directory, or file to be secured, and then click Properties. Click the Directory Security (or File Security) tab.
 * 3) Under Secure Communications, click the Key Manager button.

Note This button will be labeled "Edit" instead of "Key Manager" if a certificate has already been installed.
 * 4) In Key Manager, right-click WWW, and then click Create New Key.
 * 5) Click the Put the request in a file that you will send to an authority radio button, and then save the file to your hard disk. Be sure to remember the name and location of the file.

Note C:\NewKeyRq.txt is the default path and name for this file.
 * 6) Step through the rest of the Create New Key dialog boxes.

Note When prompted for your state, be sure to spell it out completely (do not use the abbreviation), with proper capitalization, so that the certificate request will be PKCS #10 compatible.
 * 7) Close the Key Manager, being sure to click Yes when prompted to Commit all changes now?
 * 8) In the MMC, click OK.

Processing the Key Certificate Request for the server
 * 1) Open the text file created for the server request (C:\NewKeyRq.txt by default).
 * 2) Select and copy the text for the key, beginning with the line:

-----BEGIN NEW CERTIFICATE REQUEST-----

and ending with:

-----END NEW CERTIFICATE REQUEST-----

(in other words, include both of these lines).
 * 3) Browse to http://localhost/certsrv/, click the Certificate Enrollment Tools link, and then click the Process a Certificate Request link.
 * 4) On the Web Server Enrollment page, paste the text from the key into the text box, and then click Submit Request.

If you receive the following error message:

Error!!! Certificate Server is unable to process your request. Last status error code = 57.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

255981 Processing the Key Certificate Request for the server fails

 * 5) When the certificate has been successfully processed, click the Download button.
 * 6) Click the Save this file to disk radio button, and then save the file. Be sure to remember the name and location of the file.

Note Newcert.cer is the default name for this file.

Installing the Key Certificate on the server

 * 1) In the MMC, right-click the Web site, directory, or file to be secured, and then click Properties. Click the Directory Security (or File Security) tab.
 * 2) Under Secure Communications, click the Edit button (this button was previously labeled Key Manager). Now click the Key Manager button.
 * 3) In Key Manager, right-click the new key request (the icon with a red slash through it), and then click Install Key Certificate.
 * 4) Select the certificate file, and then when prompted, provide the password. Click OK.
 * 5) In the Server Bindings dialog box, Any Unassigned should be displayed under both the IP Address and Port Number columns. Click OK (unless you want to assign the key to a particular IP address and port number).
 * 6) Close Key Manager and make sure to click Yes when prompted to Commit all changes now?
 * 7) Click OK twice to return to the MMC.

Securing the directory on the server

 * 1) In the MMC, right-click the Web site, directory, or file to be secured, and then click Properties.
 * 2) Click the Directory Security (or File Security) tab. Under Secure Communications, click the Edit button.
 * 3) Select the Require Secure Channel when accessing this resource check box.
 * 4) Select the Require Client Certificates radio button.
 * 5) Click OK twice to return to the MMC.

Installing the root CA Certificate on the client

 * 1) Browse to http:// /certsrv/, click the Certificate Enrollment Tools link, and then click the Install Certificate Authority Certificates link.
 * 2) Click the Refresh button to verify that the information displayed is current, and then click the Certificate for  \  link.
 * 3) In the File Download dialog box, select the Open this file from its current location radio button, and then click OK.
 * 4) The dialog box displayed next will depend on which Service Pack has been applied to Windows NT 4.0.

If SP4 or SP5 is installed

 * 1) In the Certificate dialog box, click the Install Certificate button.
 * 2) When the Certificate Manager Import Wizard starts, click Next.
 * 3) When prompted to select a certificate store, select the Place all certificates into the following store radio button, and then click Browse.
 * 4) Select the Show Physical Stores check box, open Trusted Root Certificate Authorities, and then select Local Computer. Click OK.
 * 5) Click Next, and then click Finish. Click OK to close the dialog box.
 * 6) Restart the computer.

If SP3 is installed

 * 1) In the New Site Certificate dialog box, click OK (you will typically want to leave all of the check boxes selected).
 * 2) When prompted by Do you want to ADD the following certificate to the Root Store?, click Yes.
 * 3) Restart the client computer, so that the new root CA certificate will take effect.

Installing a certificate on the client
 * 1) Browse to http:// /certsrv/, click the Certificate Enrollment Tools link, and then click the Request a Client Authentication Certificate link.

Note In Internet Explorer, security must be set to Medium in order to download the ActiveX control on this Web page. (Netscape does not use the ActiveX control, so the security setting is not an issue for it.)
 * 2) Fill in the information requested on the Certificate Enrollment Form page, and then click the Submit Request button.
 * 3) When the certificate has been successfully processed, click the Download button.
 * 4) Click OK when you see the following message:

Your new certificate has been successfully installed!

Connecting to the SSL-secured directory from the client

 * 1) Browse to https:// /

Note Be sure to use the httpS protocol, not just http, so that the server will create a secure connection.
 * 2) When the Client Authentication dialog box appears, select the certificate you just installed (in the section above), and then click OK.

You should now have a secure connection from the client to the server, using SSL.

<div class="references_section">