The CSR file contains an encrypted version of all the information you just provided. For more information about how to produce a CSR, see the Microsoft article "Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0" (http://support.microsoft.com/support/kb/articles/q228/8/21.asp).
Now, all you need to do is submit the CSR to a CA. A word of warning: When applying for an SSL certificate, you might need your company's Dun & Bradstreet identification number. This number proves that your company is an actual corporation. If your company doesn't have a number, you must choose the option for a nonprofit organization when you apply for the certificate. You'll also probably need to supply contact information for yourself and possibly a backup contact, as well as a credit card or purchase order number. After submitting all this information, you'll receive your certificate by email in as little as one day or as much as a week, assuming no problems arise with your application or payment.
Installing a Certificate
When you receive your security certificate, save it to a disk or a secured network location so that you can access it from your Web server. Start the Web Server Certificate Wizard as you did before. This time, IIS 5.0 remembers that you've created a CSR and asks whether you want to process or delete the pending request, as Figure 3 shows. Select the Process the pending request and install the certificate option. Next, you must enter the location of the certificate. The wizard expects a .cer file, but a .txt file is fine, too. Figure 4 shows the next wizard page, which lets you confirm that the certificate information is correct. For a more detailed explanation of the installation process, see the Microsoft article "Installing a New Certificate with Certificate Wizard for Use in SSL/TLS" (http://support.microsoft.com/support/kb/articles/q228/8/36.asp).
Now, for the big test: Enter https://common_name in a Web browser, and see whether your site responds to the SSL request. If it does, congratulations: you successfully installed an SSL certificate on IIS 5.0.
If the site doesn't respond, double-check that the Web server's port 443 is enabled for SSL communications. You can check and change this setting on the Web Site tab of the Web site's Properties dialog box. Also, on the Directory Security tab of the Web site's Properties dialog box, you can click View Certificate to confirm that the SSL certificate is installed and valid. If you receive error messages telling you that the certificate isn't valid or that the site name doesn't match the certificate, confirm your system's time and date (browsers compare the certificate expiration date with your system's clock) and confirm that the CN you used in creating the CSR matches the name you're using to access the site.
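The two checks from the troubleshooting paragraph above (system clock against the certificate's validity dates, and the certificate name against the name used to reach the site), as an added example that is not part of the original article. The certificate is a constructed sample in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), www.example.com and shop.example.com are placeholder names, and the code goes beyond the article's CN check by preferring subjectAltName DNS entries when the certificate has them.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# www.example.com is a placeholder for the CN entered when the CSR was created.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "notBefore": "Jan  1 00:00:00 2003 GMT",
    "notAfter": "Jan  1 00:00:00 2004 GMT",
}

def cert_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def diagnose(cert, requested_host, now):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    ts = now.timestamp()
    # Check 1: the local clock must fall inside the validity window.
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append(f"not-yet-valid: clock is before {cert['notBefore']}")
    elif ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"expired: clock is after {cert['notAfter']}")
    # Check 2: the name typed into the browser must match the certificate
    # (exact, case-insensitive comparison; wildcards are not handled here).
    names = cert_names(cert)
    if requested_host.lower() not in (n.lower() for n in names):
        problems.append(f"name-mismatch: {requested_host} not in {names}")
    return problems

if __name__ == "__main__":
    in_window = datetime(2003, 6, 1, tzinfo=timezone.utc)
    wrong_clock = datetime(1999, 1, 1, tzinfo=timezone.utc)  # e.g. a reset system clock
    print(diagnose(SAMPLE_CERT, "www.example.com", in_window))
    print(diagnose(SAMPLE_CERT, "shop.example.com", in_window))  # placeholder alias
    print(diagnose(SAMPLE_CERT, "www.example.com", wrong_clock))
```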
Anticipating Your Questions
Here are the answers to a couple of questions about certificates that people have asked me in the past. If you have a site that is accessible through multiple DNS entries using CNAME records, you don't need to purchase and install multiple certificates; you need only one certificate per Web site. In fact, IIS 5.0 doesn't allow more than one certificate per site. However, if you have more than one secure Web site on a server, you'll need an SSL certificate for each Web site on that server. HTTP traffic sent to multiple CNAME records pointing to the same IP address arrives in fine shape, but SSL traffic will arrive without errors only if it's sent to the CN specified in the certificate. Change your HTML so that it directs traffic only to the CN. For example, you should change a POST directive that targets /scripts/purchase.asp to target https://common_name/scripts/purchase.asp instead.
If you've made a mistake on a submitted CSR, or if you're moving from IIS 4.0 with SSL to IIS 5.0 with SSL, you'll probably need a new certificate, but you might not need to pay again. Call the CA and ask for help. The CA will probably cancel the faulty or old certificate and tell you to submit a new one, most likely at the CA Web site, with a promotional code that lets you bypass payment.
Chris Hebrard October 27, 2003