Microsoft KB Archive/299525

= How to set up SSL by using IIS 5.0 and Certificate Server 2.0 =

Article ID: 299525

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0
 * Microsoft Certificate Services 2.0

-



This article was previously published under Q299525



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
This article explains how to set up Secure Sockets Layer (SSL) on an Internet Information Services (IIS) version 5.0 computer, using Certificate Server 2.0 as the certificate provider.



MORE INFORMATION
 First, the Web server must make a certificate request. To do this, follow these steps:  Start the Internet Service Manager (ISM), which loads the Internet Information Server snap-in for the Microsoft Management Console (MMC). Right-click the Web site on which you want to enable SSL, and click Properties. Click the Directory Security tab, and then click Server Certificate to start the Web Server Certificate Wizard. Click Next to start the wizard, and select Create a new certificate. Click Next, and select Prepare the request now, but send it later.</li> Click Next, and give your certificate a name. You may want to match it with the name of the Web site. Now, select a bit length; the higher the bit length, the stronger the certificate encryption. Select Server Gated Cryptography if your users may be coming from countries with encryption restrictions.</li> Click Next, and type your Organization and Organizational Unit. These values do not need to match any Active Directory entries.</li> Click Next, and enter the common name. The common name must match the fully qualified domain name of the server as listed in DNS. For example, if the URL is https://www.mydomain.com/securedir, then the common name must be www.mydomain.com.</li> Click Next, and type your country, state, and city or locality. Type the full name of your state here; do not abbreviate.</li> Click Next, and select a location and file name to save your request to.</li> Click Next twice, and then click Finish to close the wizard.</li></ol> </li> Process your request through Certificate Server. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Browse to http://CAServerName/CertSrv, and select Request a certificate.

Note Do not use &quot;localhost&quot; as the server name. If you browse from the Certificate Server computer, use the computer name instead.</li> Click Next and select Advanced request.</li> Click Next and select Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file. Click Next, and open the request file that you saved from the Web Certificate Wizard in Notepad. Paste the entire text of the file, including the BEGIN and END lines, into the Base64 Encoded Certificate Request text box.

Note Depending on the configuration of the Certificate Server service, you may see radio buttons on this page instead of Additional Attributes. If the &quot;Submit a Certificate Request or Renewal Request&quot; page includes these radio buttons, select the Web server option. The default setting, Admin, will cause the SSL Web service to fail.</li> Click Submit. You may be presented with a Certificate Pending dialog box. If you are prompted for download, skip to step 2i.</li> Close your browser. On the Certificate Server computer, open the Certification Authority MMC.</li> Expand the tree underneath the server name, and select the Pending Requests folder. Right-click the certificate that you just submitted (scroll to the right for more information to determine which certificate is yours if there are several pending), click All Tasks, and then click Issue. You may now close the Certification Authority MMC.</li> Open a new browser window, and browse to the URL that is listed in step a. Select Check on a pending certificate.</li> Click Next, and select the request that you made earlier.</li> Click Next, select DER encoded, and then click the Download CA certificate link. Save the certificate file to your Web server's local drive, and close your Web browser.</li></ol> </li> <li>Now, finish processing the request within IIS to install the certificate to the server, and enable SSL. <ol style="list-style-type: lower-alpha;"> <li>Open the Internet Information Services MMC, right-click the Web site on which you want to enable SSL, and click Properties.</li> <li>Click the Directory Security tab, then click Server Certificate.</li> <li>Click Next, and select Process the pending request and install the certificate.</li> <li>Click Next, and enter the path and file name of the certificate that you saved in the last section.</li> <li>Click Next twice, and then click Finish to complete the wizard.</li> <li>Click the Web Site tab, and make sure that the SSL Port text box is populated with the port you would like SSL to run on. The default (and recommended) port is 443.</li> <li>Click OK to close the Web site Properties dialog box.</li></ol> </li></ol>

You can now use SSL on your server. Test the setup by connecting to the Web site's home page by using https instead of http. You have a valid connection if the page comes up and a small lock appears in the status bar in the lower right-hand corner of the browser.

<div class="references_section">