SUMMARY

This step-by-step article describes how to set up Secure Sockets Layer (SSL) in a Windows 2000 Internet Information Services (IIS) 5.0 development lab environment. Microsoft Certificate Server 2.0 can create many different certificates; this article only covers creation of a standard Web certificate.

back to the top

Create a Certificate Request

To create a Web server certificate, follow these steps:

1. Open the Internet Service Manager Microsoft Management Console (MMC). To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Service Manager.
2. Double-click the server name so that you see all the Web sites.
3. Right-click the Web site where you want to install the certificate, and then click Properties.
4. Click the Directory Security tab.
   

You see three security methods. The one you will use to create a certificate request is Secure Communications.

1. Click Server Certificate. The Certificate Wizard starts. Click Next to continue.
2. Select Create a new certificate, and then click Next.
3. Select Prepare the request now, but send it later, and then click Next.
4. Type a name for your certificate, and then select a bit length. Unless it is needed for your lab, do not select the SGC Certificate check box. (For more information about SGC certificates, see the note at the end of this section.) Click Next to continue.
5. Type your organization name and the organizational unit (for example, company name and development department). Click Next.
6. For Common Name, type either the fully qualified domain name (FQDN) or the server name. If you are creating a certificate that will be used over the Internet, it is better to use an FQDN. Click Next.
7. Type your location information, and then click Next.
8. Type the path and file name where you want to save the certificate information, and then click Next.
   

NOTE: If you type anything other than the default location and file name, make sure to note the name and location you select, because you must access this file in later steps.

1. Verify the information that you have typed, and then click Next to complete the process and create the certificate request.
2. In the Completing the Web Server Certificate Wizard dialog box, click Finish.
3. Click OK to close the Web site properties.

NOTES: Server Gated Cryptography (SGC) certificates are used most frequently by financial institutions that require high-encryption connections even when connecting with international users or browsers that are limited to 40-bit encryption. When connecting to an international browser (40-bit), an SGC certificate creates a 128-bit tunnel to allow 128-bit encryption strength. When the secured connection or session ends, the intermediate certificate tunnel is closed.

Also, the SGC certificate is strictly domain-specific. Typically, if the domain name of a certificate does not match the domain of the Web site, you receive a warning stating this fact and you can choose to continue or not. An SGC certificate does not give you a warning or offer choices. The connection is unsuccessful, but you do not receive an explanation.

back to the top

Submit a Certificate Request

To submit a certificate request, follow these steps:

1. Open a browser, and then open http://YourWebServerName/certsrv/.
2. Select Request a Certificate, and then click Next.
3. Select Advanced Request, and then click Next.
4. Select the center option, Submit a Certificate Request using a Base64, and then click Next.
5. In Notepad, open the request document that you created in the first procedure section, "Create a Certificate Request".

6. Copy the contents of the document.
   
   The contents look similar to the following:

   -----BEGIN NEW CERTIFICATE REQUEST-----
   MIICcjCCAhwCAQAwYjETMBEGA1UEAxMKcm9ic3NlcnZlcjELMAkGA1UECxMCTVMx
   CzAJBgNVBAoTAk1TMREwDwYDVQQHEwhCZWxsZXZ1ZTERMA8GA1UECBMIV2FzaGl0
   b24xCzAJBgNVBAYTAlVTMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALYK4sYDNQ7h
   LmSfL0qpIvUfY7Ddw7fNCvDp3rM7z4QqoLhA2c8TkyamqWTBsV0WRHIidf/J6mU4
   wN4wrUzJTLUCAwEAAaCCAVMwGgYKKwYBBAGCNw0CAzEMFgo1LjAuMjE5NS4yMDUG
   CisGAQQBgjcCAQ4xJzAlMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEF
   BQcDATCB/QYKKwYBBAGCNw0CAjGB7jCB6wIBAR5aAE0AaQBjAHIAbwBzAG8AZgB0
   ACAAUgBTAEEAIABTAEMAaABhAG4AbgBlAGwAIABDAHIAeQBwAHQAbwBnAHIAYQBw
   AGgAaQBjACAAUAByAG8AdgBpAGQAZQByA4GJAGKa0jzBn8fkxScrWsdnU2eUJOMU
   K5Ms87Q+fjP1/pWN3PJnH7x8MBc5isFCjww6YnIjD8c3OfYfjkmWc048ZuGoH7Zo
   D6YNfv/SfAvQmr90eGmKOFFiTD+hl1hM08gu2oxFU7mCvfTQ/2IbXP7KYFGEqaJ6
   wn0Z5yLOByPqblQZAAAAAAAAAAAwDQYJKoZIhvcNAQEFBQADQQCgRCWkaXlY2nVa
   tbn6p5miPwWfrbViYo0B62wkuH0f7J0nSGcxMnn/6Q/iLEIsgHqFhox5PWCzIV0J
   tXKPWrBL
   -----END NEW CERTIFICATE REQUEST-------
                           

   NOTE: If you save the document with the default name and location, it is located at C:\Certreq.txt.
   
   NOTE: Make sure that you copy all the content just as shown here.

7. Paste the contents of the document in the Base64 Encoded Certificate Request text box of the Web form. Click Submit.
8. If Certificate Server is set to Always Issue the Certificate, you are immediately directed to the Certificate Issued page. The address bar reads:

   http://YourWebServerName/certsrv/certfnsh.asp

   On this page, you can download the Web server certificate immediately. To do so, follow these steps on the Certificate Issued page:
   
   

   1. Click the top link, Download Certification Authority Certificate (do not click Download Certification Authority Certificate path).
   2. When you are prompted, select Save this file to disk and save the certificate to your desktop or another location that you will remember.
   3. Now, go straight to the "Install the Certificate" section.

9. If Certificate Server is set to Set the certificate request status to pending, you will receive the following "Certificate Pending" message:

   Certificate Pending.
   Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested. 
   Please return to this web site in a day or two to retrieve your certificate.
   Note: You must return with this web browser within 10 days to retrieve your certificate.
                           

   To continue, move on to the "Issue a Certificate" section.

NOTE: For more information about configuring certificate issuing policies, see Appendix A.

back to the top

Issue a Certificate

To issue (that is, authorize) a certificate in Certificate Server, follow these steps:

1. Open the certification authority Microsoft Management Console (MMC) snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
2. Expand Certification Authority.
3. Click the Pending Requests folder. Your pending certificate requests appear in the right pane.
4. Right-click the pending certificate request (that is, the request that you submitted in the third procedure in this article), select All Tasks, and then click Issue.
   

NOTE: After you select Issue, the certificate is not displayed in this window and folder. It now resides in the Issued Certificate folder.NOTE: For more information about configuring certificate issuing policies, see Appendix A.

back to the top

Download a Certificate

After you have issued and authorized the certificate, you can return to the Certificate Server Web interface to select and download the certificate:

1. Open http://YourWebServerName/certsrv/.NOTE: You must use lowercase letters when you type certsrv. If you do not, you cannot see pending requests.
   
   
2. On the default page, select Check on a pending certificate, and then click Next.NOTE: If you select Retrieve the certification authority certificate or certificate revocation list from the default Welcome page, you will download the root certification authority certificate and not the Web server certificate. If you try to install a root certification authority certificate to a Web site, you will receive the following error message:

   Selected certificate was already installed to another server. Please, choose another response file.

3. Select your pending certificate, and then click Next to open the download page.
4. On the download page, click the top hyperlink, Download Certification Authority Certificate (do not click Download Certification Authority Certificate path).
5. When you are prompted, select Save this file to disk and save the certificate to your desktop or another location that you will remember.

You have issued and downloaded your certificate.

The next step is to install the certificate and set up an SSL-encrypted Web site.

back to the top

Install the Certificate

There are several ways to install and set up an SSL certificate: for example, you can double-click the certificate and use the Certificate Installation Wizard to preinstall the certificate, then bind it to the site. This article describes how to install the certificate by using the Internet Service Manager MMC through the Web Server Certificate Wizard.

To install a certificate in Certificate Server, follow these steps:

1. Open the Internet Services Manager, and then expand the server name so that you can view the Web sites.
2. Right-click the Web site that you created the certificate request for, and then click Properties.
3. Click the Directory Security tab. Under Secure Communications, click Server Certificate.
   

This opens the Certificate Installation Wizard. Click Next to continue.

1. Select Process the pending request and install the certificate, and then click Next.
2. Type the location of the certificate that you downloaded in the "Download a Certificate" section, and then click Next.
3. When the Wizard displays the certificate summary, verify that the information is correct, and then click Next to continue.
4. Click Finish to complete the process.

back to the top

Configure and Test the Certificate

To configure and test the certificate, follow these steps:

1. On the Directory Security tab, under Secure Communications, note that you now have three available options. To set the Web site to require secure connections, click Edit. The Secure Communications dialog box appears.
2. Select Require Secure Channel (SSL), and then click OK.
3. Click Apply and then OK to close the Properties window.
4. Locate the site and verify that it works:
   1. Access the site through http by typing http://localhost/Postinfo.html in the browser. You receive an error message that resembles the following:

      HTTP 403.4 - Forbidden: SSL required.

   2. Try to access the same Web page with a secured connection (https) by typing https://localhost/postinfo.html in the browser.NOTE: The Postinfo.html page is a standard HTML page that is found in the root of the default Web site.
      
      
   3. If you receive a security message that states that the certificate is not from a trusted root certification authority, click Yes to continue to the Web page.
      
      NOTE: To learn how to add your root certification authority to the Trusted Root Certification Authorities list in your browser, see Appendix B.

If you can view the page, you have successfully installed your certificate.

back to the top

Appendix A: How to Change Certificate Issuing Policies

You can select whether you want to issue a certificate upon request (no authorization) or whether you want all requests to be submitted for pre-authorization through the certification authority MMC snap-in. To do this, follow these steps:

1. Open the Certification Authority tool. To do this, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
2. Right-click your certification authority name, and then click Properties.
3. In the Properties window, click the Policy Module tab, and then click Configure.
4. On the Default Action tab, select either of the following:
   • Set the certificate request status to pending: The administrator must explicitly issue the certificate.
   • Always issue the certificate: This issues the certificate immediately, with no authorization required.NOTE: If a certificate is recognized on the network, select the second option.

back to the top

Appendix B: Install a Root Certification Authority Certificate in the Trusted Root Certification Authority List in Internet Explorer 5.x

You can deliver the root certification authority certificate to the Web site users in several ways. One way is to e-mail it and have the users install it from the e-mail. Another way is to include a download page on your Web site with a link to the certificate. A corporate-wide solution is to use the Internet Explorer Administration Kit (IEAK) to push a customer Internet Explorer browser with the root certification authority certificate already installed into the Trusted Root Certification Authorities list. However you make the certificate available, one thing stays the same: the way you install the certificate in the Trusted Root Certification Authorities list in Internet Explorer, as this appendix demonstrates.

NOTE: The certificate must be installed for Internet Explorer to trust that your site certificate is not the certificate that you just created but instead the root certification authority certificate, which was created when you installed Certificate Server.

For the purposes of this document, download the certificate by using the Certificate Servers Web interface, which is located at http://<YourServerName>/certsrv/. After you have arrived at the Welcome page, select Retrieve the certification authority certificate or certificate revocation list, and then click Next.

You now have two choices:

• Install this certification authority certification path. If you are installing the root certification authority certificate into the browser that you are currently connected with, click the Install this certification authority certification path link, and the root certification authority certificate is automatically installed in the Trusted Root Certification Authorities list in your Internet Explorer browser.
  
  After the installation is complete, you receive a confirmation page. -or-
  
  
• Download certification authority certificate. If you must install the root certification authority certificate in the root certification authorities list in any other Internet Explorer browser, you can download it and install it as follows:
  1. Click Download certification authority certificate.
  2. Select Save the file to disk.
  3. Access the location where you saved the root certification authority certificate, and then double-click the certificate to open the Properties window for that certificate.
  4. Click Install Certificate to start the Certificate Import Wizard. Click Next to continue.
  5. Select Place all certificates in the following store.
  6. Click Browse, select Trusted Root Certification Authorities, and then click Next.
  7. Verify the settings, and then click Finish.
     
     You receive the following message:

     The import was successful.

  8. Click OK to dismiss this message, and then click OK to close the Properties window.

  To see if you receive the trusted root certification authority warning again, close and reopen your browser, and then open the following Web site:

  https://<MySecureWebsite>/Postinfo.html

  NOTE: The Postinfo.html page is a standard HTML page that is found in the root of the default Web site.
  
  If you can open this site, you have successfully added your root certification authority to the Trusted Root Certification Authorities list in your Internet Explorer browser.
  
  

back to the top