This article describes the following:
- How to set up and enable server certificates so that your
customers can be certain that your Web site is valid, and that any information
that they send to you stays private and confidential.
- How to use third-party certificates to enable Secure
Sockets Layer (SSL), as well as a general overview of the process that is used
to generate a Certificate Signing Request (CSR), which is used to obtain a
- How to enable SSL connectivity for your Web
- How to enforce SSL for all connections, and set the
required encryption length between your clients and your Web site.
You can use your Web server's SSL security features for two
types of authentication. You can use a server certificate
to allow users to authenticate your Web site before they transmit
personal information, such as a credit card number. Also, you can use client certificates
to authenticate users that request information on your Web site.
This article assumes that you will use a third-party certificate
authority (CA) to provide authentication for your Web server.
enable SSL server certificate verification, and to provide the level of
security that your customers desire, you should obtain a certificate from a
third-party CA. Certificates that are issued to your organization by a
third-party CA are typically tied to the Web server, and more specifically to
the Web site to which you to bind SSL. You can create your own certificate with
the Internet Information Services (IIS) server, but if you do so, your clients
must implicitly trust you as the certificate authority.
assumes the following:
- You have installed IIS.
- You have created and published the Web site that you wish
to secure with SSL.
Obtain a Certificate
To begin the process to obtain the certificate, you must generate
a CSR. You do this through the IIS management console; therefore, IIS must be
installed before you can generate a CSR. A CSR is basically a certificate that
you generate on your server that validates the computer-specific information
about your server when you request a certificate from a third-party CA. The CSR
is simply an encrypted text message that is encrypted with a public/private key
Typically, the following information about your computer is
included in the CSR that you generate:
- Organizational unit
- Common nameNOTE: The common name is usually comprised of your host computer name
and the domain to which it belongs, such as xyz.com. In this case, the computer
is part of the .com domain, and is named XYZ. This may be the root server for
your corporate domain, or simply a Web site.
Generate the CSR
- Access the IIS Microsoft Management Console (MMC). To do
this, right-click My Computer and click Manage. This opens the Computer Management Console. Expand the Services and Application section. Locate Internet Information Services and expand the IIS console.
- Select the specific Web site on which you want to install a
server certificate. Right-click the site and click Properties.
- Click the Directory Security tab. In the Secure Communications section, click Server Certificate. This starts the Web Server Certificate Wizard. Click Next.
- Select Create a New Certificate and click Next.
- Select Prepare the request now, but send it later and click Next.
- In the Name field, enter a name that you can remember. It will default to the
name of the Web site for which you are generating the CSR.NOTE: When you generate the CSR, you need to specify a bit length. The
bit length of the encryption key determines the strength of the encrypted
certificate which you send to the third-party CA. The higher the bit length,
the stronger the encryption. Most third-party CAs prefer a minimum of 1024
- In the Organization Information section, enter your organization and organizational unit
information. This must be accurate, because you are presenting these
credentials to a third-party CA and you must comply with their licensing of the
certificate. Click Next to access the Your Site's Common Name section.
- The Your Site's Common Name section is responsible for binding the certificate to your Web
site. For SSL certificates, enter the host computer name with the domain name.
For Intranet servers, you may use the NetBIOS name of the computer that is
hosting the site. Click Next to access geographical information.
- Enter your country, state or province, and country or
region information. Completely spell out your state or province and country or
region; do not use abbreviations. Click Next.
- Save the file as a .txt file.
- Confirm your request details. Click Next to finish, and exit the Web Server Certificate Wizard.
Request the Certificate
There are different methods of submitting your request. Contact
the certificate provider of your choice for the method to use
and to determine the best certificate level for your needs. Depending on the method that is chosen for sending your request to the CA, you may send the CSR file from step 10 in the "Generate the CSR" section, or you may have to paste the contents of this file into the request. This file will be encrypted and will contain a header and a footer for the contents.
You must include both the header and the footer when you request the certificate. Your CSR should resemble the following:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
Install the Certificate
Once the third-party CA has completed your request for a server
certificate, you will receive it by e-mail or download site. The certificate
must be installed on the Web site on which you want to provide secure
To install the certificate, follow these steps:
- Download or copy the certificate that you obtained from the CA to the Web server.
- Open the IIS MMC as described in the "Generating the CSR"
- Access the Properties dialog box for the Web site on which you are installing the
- Click the Directory Security tab, and then click Server Certificate. This starts the Web Server Certificate Wizard. Click Next.
- Select Process the Pending Request and install the certificate, and then click Next.
- Browse to the location of the certificate that you saved in step 1. Click Next twice, and then click Finish.
Enforce SSL Connections
Now that the server certificate is installed, you can enforce SSL
secure channel communications with clients of the Web server. First, you need
to enable port 443 for secure communications with the Web site. To do this,
follow these steps:
- From the Computer Management console, right-click the Web
site on which you want to enforce SSL and click Properties.
- Click the Web Site tab. In the Web Site Identification section, verify that the SSL Port field is populated with the numeric value 443.
- Click Advanced. You should see two fields. The IP address and port of the Web
site should already be listed in the Multiple identities for this web site field. Under the Multiple SSL Identities for this web site field, click Add if port 443 is not already listed. Select the server's IP
address, and type the numeric value 443 in the SSL Port field. Click OK.
Now that port 443 is enabled, you can enforce SSL connections.
To do this, follow these steps:
- Click the Directory Security tab. In the Secure Communications section, note that Edit is now available. Click Edit.
- Select Require Secure Channel (SSL).NOTE: If you specify 128-bit encryption, clients who use 40-bit or
56-bit strength browser will not be able to communicate with your site unless
they upgrade their encryption strength.
- Open your browser and try to connect to your Web server by
using the standard http:// protocol. If SSL is being enforced, you receive the
following error message:
You can now connect to your Web site only by using the https://
The page must be viewed over a
The page you are trying to view requires the use of "https"
in the address.
Please try the following: Try again by typing
https:// at the beginning of the address you are attempting to reach. HTTP
403.4 - Forbidden: SSL required Internet Information Services
Information (for support personnel) Background: This error indicates that the
page you are trying to access is secured with Secure Sockets Layer (SSL).