Enabling SSL on IIS with a self-signed certificate

Discussion in 'Engineering Concepts' started by pradeep, Oct 30, 2007.

  1. pradeep

    pradeep Team Leader

    Occupation:
    Programmer
    Location:
    Kolkata, India
    Home Page:
    http://blog.pradeep.net.in

    SSL (Secure Sockets Layer) certificates are perhaps the most common way to protect information being transmitted between a visitor's Web browser and your Web site. SSL provides encryption services to information flowing between systems and can protect Web traffic, e-mail, instant messages and a host of other kinds of data transmittals.

    In the most simplistic view, there are four kinds of certificates to which you will be exposed during your SSL installation:


    1. Self-signed SSL certificates: These are certificates that you generate and use to encrypt information passing between a client and your server. These certificates are good insofar as they do allow you to encrypt data, but since they are created on-site, the certificates have not been verified by a third party entity, meaning that the site can’t necessarily be trusted.
    2. Third-party SSL certificate: A third-party SSL certificate provides the same encryption capabilities as a self-signed certificate. However, since the certificate is issued by a third party, it is considered a more trusted type of certificate, especially when the certificate chain extends to a trusted root certificate.
    3. Intermediate certificate: Not all SSL certificate vendors are created equal. In order to be fully trusted, any certificate you obtain needs to eventually link to a root certificate that is trusted by your Web browser. However, not all vendors’ SSL certificates are natively trusted by root certificates. As such, with these vendors, you need to complete the SSL trust chain by (in addition to installing your SSL certificate) installing an intermediate certificate between a root certificate and your new SSL certificate. If you skip this step, users will continue to get certificate errors until this trust chain is established. The use of an intermediate SSL certificate requires a bit of additional network communication at the initial establishment of an SSL-secure session but beyond that, there is no performance penalty.
    4. Trusted root certificate (or Trusted root certification authorities): A root certificate is the Grand PooBah of the certificate world. In order to complete the trust chain, your individual certificate must, in some way, link to a root certificate.

    A third-party SSL certificate is generally considered more trusted than a self-signed certificate since the certificate information is verified by a third party and the certificate ultimately maps to what is called a trusted root certificate.

    Enabling SSL on IIS is not as simple as clicking a checkbox setting, especially on Windows XP Professional. This article describes how to use OpenSSL to create a self-signed certificate that will freely enable SSL encryption for testing and private purposes. The article assumes that you have SSL installed.

    Requirements

    Now that you have IIS running and have set up some pages, let's say you would like to share your documents or web application securely, making sure everything is encrypted during its transmission over the wild, wild web. Encryption on the web is possible using a technology called SSL (Secure Sockets Layer). However, enabling SSL on IIS is not as simple as clicking a checkbox setting. In particular, enabling SSL independently on Windows XP Professional is not possible. This site describes a method of creating a self-signed certificate to enable SSL encryption for testing and private purposes. For businesses, novices, and individuals who don't have time to mess with server settings, you should hire an expert. I recommend you skim through this entire site before attempting the procedure, because it is fairly advanced. The requirements are below.

    OpenSSL i386 binary and source distributions (free)
    Active Perl (free)
    Basic knowledge of how to use the command shell "cmd"
    Text editor

    IIS Directory Security

    First open the IIS configuration console. To do this the easy way, right click on "My Computer" on your desktop and select "Manage". You can also get to it via Control Panel -> Administrative Tools -> Computer Management. Expand through the following hierarchy: Services and Applications -> Internet Information Services -> Web Sites -> Default Web Site

    Right click on "Default Web Site", and select "Properties". Then click on the "Directory Security" tab.

    Prepare a Certificate Request

    Click on the "Server Certificate..." button. This will open the Web Server Certificate Wizard. Click "Next". At this point, you have the options of "Create a new certificate", "Assign an existing certificate", and "Import a certificate from a Key Manager backup file." Select "Create a new certificate" and click Next.

    Create The Self-Signed Certificate Using OpenSSL

    Continuing on in the wizard, choose "Prepare the request now, but send it later." The next four dialogs will ask you about the names that should be in the certificate. You can leave the defaults, or enter a name and location for your company. Finally, the wizard will ask you to save the certificate request to a file named certreq.txt.

    In order to create a private key and sign the certificate, you will need to download the free OpenSSL for Windows Binaries and Source packages, courtesy of the GnuWin32 project on SourceForge. From the GnuWin32 project downloads page, download the two OpenSSL zip files labeled as "src" and "bin" for i386.

    To make the process easier, you will also need to download and install the free ActivePerl. Download and install this so you will be able to run Perl scripts on your machine, independently or as scripts on IIS.

    Next, unzip both of the OpenSSL packages to temporary folders. From the binaries package "bin" folder, copy the files "openssl.exe" and the two DLLs into the source package's "apps" folder. In the "apps" folder is a file called CA.pl. Open this perl script in a text editor and change the line $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; to read $SSLEAY_CONFIG="-config openssl.cnf";. (Alternatively, you can change the individual occurrences. Change $CA="openssl ca $SSLEAY_CONFIG"; to $CA="openssl ca -config openssl.cnf"; and $REQ="openssl req $SSLEAY_CONFIG"; to $REQ="openssl req -config openssl.cnf";.) Now copy the certreq.txt file you made above into this "apps" directory, and rename it to "newreq.pem".

    Next, open a command prompt window in the apps directory, and run the following commands:

    Code:
    perl CA.pl -newca
    perl CA.pl -signreq

    Installing the Certificate

    If all is successful, you should have a file called "newcert.pem" in the "apps" directory, which contains your certificate. Open this file in a text editor and remove everything before the -----BEGIN CERTIFICATE----- line.

    Go back into the IIS management console -> Directory Security tab and click "Server Certificates". In the wizard, select "Process the pending request and install the certificate" and press Next. Browse to and open the newcert.pem file in the "apps" directory. (Note, you will have to set the file filter to "all files" in order to see the .pem file.) Click next to complete the process.

    That's it! Now you have IIS set up with an SSL certificate. To turn on SSL, make sure in the IIS configuration -> Web Site tab -> Advanced -> Multiple SSL identities for this Web Site, you have a default IP address registered on port 443. If you want to only allow SSL encrypted connections from web browsers, click the "Edit" button in the "Secure Communications" section of the "Directory Security" tab, and check the "Require secure channel (SSL)" checkbox.

    Results Of Installing The Certificate In IE

    Whenever anyone visits your web server using the https:// prefix in Internet Explorer (6.0), they will see the dialog shown below.

    The dialog says "Information you exchange with this site cannot be viewed or changed by others", which means that the data is being encrypted. However, because the certificate was not signed by a CA in the trust hierarchy, the warning is displayed. Therefore, this procedure is not recommended for any businesses collecting sensitive data from the public at large, such as e-commerce. However, for testing and private use, you may find it useful. This certificate could be permanently installed as trusted by the client, and the warning would thereafter be automatically bypassed for that client.

    Companies That Sell SSL Certificates

    These companies sell secure certificates. Note that even for 'free' certificates, the companies will require some form of validation that you are who you claim to be. This is because those certificates are at some level automatically trusted by web browsers. A self-signed certificate will not be trusted automatically by anyone, but is also completely unrestricted.

    • Verisign - the best among the lot
    • Thawte - purchased by Verisign in Dec. 1999, but retains its brand
    • Quality SSL - a smaller player (cheaper)
    • Instant SSL - offers 30-day free trusted trial certificates
    • GeoTrust - another established company
    • ipsCA - really cheap
    • FreeSSL - offers first-year free certificate for low volume & transaction commercial sites
    • XRamp Technologies, Inc. - secure certificates and security software vendor
    • Go Daddy SSL - Fully validated, low cost, secure SSL Certificates
    • CACert.org - a community-operated service that offers certificates free of cost
    • Network Solutions - Offers low volume and high volume options
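    The OpenSSL equivalents of the two CA.pl commands in the post (create a private CA, then sign the pending IIS request), followed by the clean-up from the "Installing the Certificate" step, as an added example that is not part of the original post. The file names ca.key and ca.crt, the CA subject and the sample newcert.pem contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Mirrors "perl CA.pl -newca"
# and "perl CA.pl -signreq" with plain openssl commands, then keeps only the
# PEM block of the signed certificate, as the post tells you to do by hand.
# File names (ca.key, ca.crt) and the CA subject are assumptions.
set -eu

# Build a private CA and sign a pending request (the certreq.txt that the IIS
# wizard saved, renamed to newreq.pem) with it. $1 = request, $2 = output cert.
sign_request() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt
    openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out "$2"
    # Confirm the new certificate chains to the CA before handing it to IIS.
    openssl verify -CAfile ca.crt "$2"
}

# Print only the PEM block, dropping the human-readable dump that the CA
# script writes above "-----BEGIN CERTIFICATE-----". $1 = e.g. newcert.pem
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Constructed sample of a newcert.pem as produced by the signing step: a text
# dump followed by the PEM block. The body lines are placeholders, not a real
# certificate. $1 = path to write.
make_sample() {
    cat > "$1" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
-----BEGIN CERTIFICATE-----
PLACEHOLDERLINE1
PLACEHOLDERLINE2
-----END CERTIFICATE-----
EOF
}
```

    Run sign_request newreq.pem newcert.pem and then extract_pem newcert.pem > iis.cer to get a file the IIS wizard accepts without manual editing.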
     
  2. Izaan

    Izaan New Member

    Nice one and I hope this article also gets nominated in the Monthly Article competition.
     
