Microsoft KB Archive/887490

= How to implement SSL with a stand-alone certificate server in Virtual Server 2005 =

Article ID: 887490

Article Last Modified on 11/2/2007

-

APPLIES TO


 * Microsoft Virtual Server 2005 Standard Edition

-





IN THIS TASK

 * INTRODUCTION
 * MORE INFORMATION
 * Part 1: Install certificate services
 * Part 2: Prepare a certificate request
 * Part 3: Request a certificate
 * Part 4: Issue the certificate
 * Part 5: Export the certificate
 * Part 6: Import the certificate
 * Part 7: Optional post-certificate steps
 * Troubleshooting



INTRODUCTION
To help improve security, we recommend that you run the Administration Website in Microsoft Virtual Server 2005 over a Secure Sockets Layer (SSL) connection. This article describes the steps for setting up an SSL connection in an environment where the server certificates are based on a stand-alone root. If you use a third-party certificate root authority or an enterprise certificate root authority, you can still follow these steps because no assumptions are made in this process about the location or the ownership of each component that is used for setting up SSL for Virtual Server 2005.

You can use this process to set up SSL for Virtual Server 2005 on a Microsoft Windows XP-based host or on a Microsoft Windows Server 2003-based host. On a Windows Server 2003-based host, you set up a certificate for the site that you use. In this case, that is the Virtual Server site, not the default Web site. In Windows XP, there is only one site. That site is the default Web site.

back to the top



Part 1: Install certificate services
If there is a certification authority available to issue certificates on your network, the following procedure may be optional. You can use any current Microsoft server product to install your certification authority. Follow these steps to install Certificate Services on a Windows Server 2003-based computer:
 * 1) In Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows components.
 * 2) Click to select the Certificate Services check box, and then click Next.
 * 3) Click Stand-alone root CA, and then click Next.
 * 4) Type the name that you want to use in the Common name for this CA box. Typically, this is the computer name. This computer name could be different from the computer that you are running Virtual Server 2005 on. Also, you may need only one certificate server for multiple Virtual Server hosts.
 * 5) Click Next to accept the default settings for the share that is created and for the log files.
 * 6) Insert the Windows installation media when you are prompted.
 * 7) Click Yes when you receive the Active Server Pages (ASP) warning message.

Note When you perform this procedure, Microsoft Internet Information Services (IIS) stops, and ASP pages are installed. Then, IIS restarts to complete the installation. You do not have to restart the computer.

What to consider when you install a certification authority

 * Certification authority (CA) issues can cause you to have to reinstall the operating system on the CA computer and to issue new certificates for all your Web sites. Think about this when you select a server for the root CA installation. This may be a different computer than the Virtual Server host computer.
 * Restoring an outdated system state may cause CA issues.
 * Removing the computer from the domain breaks the CA.
 * The CA is linked to your user name. This is not typically an issue, except during installation if the Distinguished Name box is blank. However, it can be an issue if you log on to the network by using your domain user name even though the Virtual Server host computer is already in the domain. The distinguished name must be a Domain Name System (DNS) resolvable name that is in distinguished name syntax. For example: CN=Concours88,DN=northamerica,DN=corp,DC=Microsoft,DC=com.
 * You can manually type the required information in a blank field when you request a certificate.

back to the top

Part 2: Prepare a certificate request
Prepare a certificate request for the Virtual Server site in the Internet Information Service (IIS) Manager snap-in:
 * 1) On the Virtual Server host computer, start the Internet Information Service (IIS) Manager snap-in
 * 2) In the navigation pane, expand  , right-click Default Web Site or Virtual Server, and then click Properties.
 * 3) On the Directory Security tab, click Server Certificates under Secure communications.
 * 4) In the IIS Certificate Wizard, click Next.
 * 5) Click Create a new certificate, and then click Next.
 * 6) Click Prepare the request now, but send it later, and then click Next.
 * 7) Type the name that you want to use, or use the default name. The default name of the certificate is the same as the site name, for example, Virtual Server.
 * 8) In the Bit length box, click a key length, and then click Next. Typically, you can use the default bit length value.
 * 9) For an internal certificate, type the name that you want to use in the Organization box and in the Organizational Unit box.

For example, type the name of your organization in the Organization box, and then type the name of your department in the Organizational Unit box. Third-party certificates have specific data requirements for these fields. This information is supplied by the third-party CA.
 * 1) In the Common name field, type the NetBIOS name or the DNS name.

Note The common name is important because you have to decide the complete name of your site. You can choose either a NetBIOS name or the DNS name. Selecting one lets you issue a connection from Microsoft Internet Explorer by using either name. However, if you use a name that is different from the common name that was discussed earlier, you receive a warning message about the name mismatch. Use the most frequently used syntax in your environment to avoid the warning message. This warning message appears in a window, but the message does not block your access to the site. It is not important whether you choose the NetBIOS name or the DNS name.
 * 1) Type the correct country, state, and city.
 * 2) Type a file name for the certificate request that you are exporting.

back to the top

Part 3: Request a certificate
 In Internet Explorer, open the Certification Authority Web page:

http://localhost/certsrv

 Under Select a task, click Request a certificate. Under Request a certificate, click advanced certificate request, and then click submit a saved request.  Security settings may prevent you from using the Web page links from here.

Alternatively, copy all the text from the C:\Certreq.txt file. Then, paste the text into the Saved Request box on the Submit a Certificate Request or Renewal Request page. The certificate request is a text file that contains the information that you entered in step 1. The certificate request is encoded the same as the following sample. -BEGIN NEW CERTIFICATE REQUEST- MIIDTTCCArYCAQAwcjESMBAGA1UEAxMJZnVua3libHVlMRMwEQYDVQQLEwpEZXBh cnRtZW50MRkwFwYDVQQKHhAATwByAGcAXwBOAGEAbQBlMRIwEAYDVQQHEwlTdXF1 YW1pc2gxCzAJBgNVBAgTAldhMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEApGI6rK3DjiUAfRYkqlw17AS1KGy15lg6X2miuEc6mz8aRLQ6 cxnrIrXLMePT5rR5KhLw6TWO3HPfpIbqbgaN1FeAbLz0ByzX1P/nXee+zbSEn+4l 1BTw4yfP4/0RySCqN5DwHNQD5zSpn9lGFs5UW0Tshr0/6zYRR6DbZgmfMMMCAwEA AaCCAZkwGgYKKwYBBAGCNw0CAzEMFgo1LjEuMjYwMC4yMHsGCisGAQQBgjcCAQ4x bTBrMA4GA1UdDwEB/wQEAwIE8DBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMC AgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwEwYDVR0l BAwwCgYIKwYBBQUHAwEwgf0GCisGAQQBgjcNAgIxge4wgesCAQEeWgBNAGkAYwBy AG8AcwBvAGYAdAAgAFIAUwBBACAAUwBDAGgAYQBuAG4AZQBsACAAQwByAHkAcAB0 AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHYAaQBkAGUAcgOBiQCTSR8dKSviOwRX JreaBSjJpgw7jnoQI1mvgJv5aE+B7F+M47mrA4bWgM5NorJyuRzmkb4g8FCer7hy i1PyFYlDClz6oZvzFQROnEKiSGuE3nTv28Ver/l2weSa05PCRKpKfP3Ku5WjFh4N DyMjcobcdODHAW2jyhmeb4T5jiiyFQAAAAAAAAAAMA0GCSqGSIb3DQEBBQUAA4GB ACJ6OT9VeyKfPYFzkHATgGiJ8KVHGQuxE70r1W2wCvpWCLRfjhxzgoc3I84ddS2o 9QQDoU4P4CIp9Lw89x0jJtI2PD+xVmRdz7Trkl0lKB17nfVcnDXXwygm6PUUy/52 PXkXU6RggFy1m28khilKK8uXBfHLyRrK8W3zyygiJMgV -END NEW CERTIFICATE REQUEST-  Click Submit.

Important If you want to make multiple submissions, it is a good idea to document the exact order that you submitted the requests in. There may be no way to identify the certificates from the certificate export page when you export the certificate later in this procedure. This is because the display name is not available in any IIS Certificate Services Web page or in the Certificate Authority snap-in. Leave the Certificate Services site open for part 5.</li></ol>

back to the top

Part 4: Issue the certificate

 * 1) Start the Certificate Authority snap-in in Administrative Tools.
 * 2) In the left pane, expand  , and then click Pending Requests.
 * 3) In the right pane, right-click your request, point to All tasks, and then click Issue.

This approves the request. The certificate status changes from Pending to Issued.

back to the top

Part 5: Export the certificate
Return to the Certification Authority Web page, and then export the certificate.
 * 1) Under Select a task, click View the status of a pending certificate request.

Note You only have one chance to do this. If you click Download a CA certificate, you can choose from the certificates that are installed on the computer, typically from the root CA. You cannot choose from the certificates that are approved and that are requested. Also, if multiple certificates are available, you may not be able to identify a certificate. Even the Certificate Authority snap-in may not display useful information that lets you determine the certificate that belongs to a request.
 * 1) Under Certificate Issued, click Base 64 encoded.
 * 2) Click Download certificate, and then save the certificate locally.

back to the top

Part 6: Import the certificate

 * 1) On the Virtual Server host computer, start the Internet Information Service (IIS) Manager snap-in.
 * 2) In the navigation pane, expand  , and then right-click Virtual Server or Default Web Site. Then, click Properties.
 * 3) On the Directory Security tab, click Server Certificates under Secure communications.
 * 4) On the Directory Security tab, click Server Certificate.
 * 5) Click Process the pending request and install the certificate. Then, click Next.
 * 6) Use the notes that you made earlier to locate and then select the certificate that matches the request.
 * 7) Use the default port value of 443.
 * 8) Complete the wizard.
 * 9) If you are successful, the View Certificate option is displayed under Server Certificate on the Directory Security tab.

back to the top

Part 7: Optional post-certificate steps
<ol> Disable anonymous access for the Virtual Server site: <ol style="list-style-type: lower-alpha;"> Open the Virtual Server site properties or the default Web site properties in the Internet Information Service (IIS) Manager snap-in.</li> On the Directory Security tab, click Edit under Anonymous access and authentication control.</li> Click to clear the Anonymous access check box.</li> Click OK two times, and then quit the Internet Information Service (IIS) Manager snap-in.</li></ol> </li> Require SSL and 128-bit encryption: <ol style="list-style-type: lower-alpha;"> Open the Virtual Server site properties or the default Web site properties in the Internet Information Service (IIS) Manager snap-in.</li> On the Directory Security tab, click Edit under Secure communications.</li> Click to select Require SSL and 128 bit encryption.</li> Click OK two times, and then quit the Internet Information Service (IIS) Manager snap-in.</li></ol> </li> Add port 443 on the Web Site tab in the Virtual Server site properties or in the default Web site properties in the Internet Information Service (IIS) Manager snap-in.</li></ol>

back to the top

Troubleshooting

 * If you cannot complete these procedures, start again. Open the Virtual Server site properties or the default Web site properties in the Internet Information Service (IIS) Manager snap-in, click the Directory Security tab, and start the wizard again. One of two pages appears. One page states that a certificate is already installed. This page provides options for removing or replacing the certificate. The other page lets you import a certificate from a pending request. This page also lets you cancel the request. You can cancel the request and start over.
 * If you receive an error message that states that the certificate does not match the request, this may indicate that you forgot to click the Base 64 encoded option when you exported the certificate from the Certificate Authority Web page. Cancel the request, and then resubmit the request.
 * If you receive an error message that states that the certificate is already installed, you may have clicked Download a CA certificate instead of View the status of a pending certificate request.

back to the top

Keywords: kbhowtomaster kbcertservices KB887490

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.