IIS and the Certificate Signing Request

handshakeIf you want SSL on your Microsoft Internet Information Services (IIS) web server (or any web server for that matter), you need to install an SSL certificate in the web server.

If you plan to make you web server available to anyone who enters your URL, and you expect to offer secure connections, then you will need to purchase an SSL certificate for your purchased internet address. A standard home internet connection won’t work because your ISP can and does change your IP address whenever it feels like it, and in general, you can’t get an SSL certificate for a site you don’t own. To the good, the Certificate Authority (the SSL certificate vendor) will certainly have its root certificate already installed everywhere it need to be, so you won’t need to worry about users getting an untrusted web site warning when they enter your HTTPS URL.

If you plan to have a private internet at home, then DDNS will suffice and you can create your own root certificate and SSL certificate.

You can read Basic SSL background information here, You can find out about DDNS here, and learn how to use OpenSSL to create and install a root certificate here.

Regardless of your intentions, IIS needs an SSL certificate for secure access. For the most part, the instructions for installing SSL certificates are the same for IIS on Windows Server 2012 and for IIS  hosted on a PC. You …

Use IIS to Create the Certificate Signing Request

Take the certificate signing request (CSR) and make or buy an SSL certificate

Install the SSL Certificate Into IIS

Windows Server 2012 Essentials Anywhere Access requests its SSL certificate during configuration. It will be covered separately.

I will assume IIS has already been installed and you can access the IIS management console.

As always, click on the image for a better look.

Create the Certificate Signing Request

Go to this screen in the IIS management console and double click Server Certificates

csr01

###

This is where you make the Certificate Signing Request (CSR). Your end objective is to fill in several screens of prompts and write a little file out to a location of your choice on your computer. The little file is the CSR. You will use it as input into OpenSSL or you will send it off to your chosen Certificate Authority as a part of the application for an SSL certificate.

To the right, click Create Certificate Request

csr02

###

Fill in the form. It is extremely important that the field Common Name be used for your URL. If you were Google, you would enter google.com here.  Anything you enter here will be visible to anyone who uses a tool to look at SSL certificates.

csr03

###

This screen asks you to provide details about how to construct the private key for the SSL certificate. The private key stays behind in the CSR process. It is yours and yours alone. It does not go to the Certificate Authority. It does not go to OpenSSL. Change the default to 2048 from 1024.

csr04

###

You’re nearly done with the CSR. Now you pick out where to save the little file that will contain the details from your form and the public key that matches the private key that stays behind. This little file will be either sent to the Certificate Authority as a part of the SSL certificate application or will be used by OpenSSL to make your SSL certificate.

csr05

###

Make or Buy an SSL Certificate

To make an SSL certificate using OpenSSL

[April 9, 2014 update: OpenSSL has a recently discovered security bug called Heart Bleed that is said to have been repaired starting with version 1.01g and above. Version 1.02 will be secure, according to articles available on the internet. The bug will allow a knowledgeable hacker to pierce a part of the encryption so that much is in the clear. Specific details are a little vague, but the flaw is on the server and private information in memory can apparently be read after performing the exploit. This exploit is a big deal because hundreds of thousands of web sites, including major ones, reportedly, use OpenSSL. The flaw is with OpenSSL, not SSL in general, and has existed for two years.

More information is available here.

The recommended fix is to re-create all your keys and signed certificates and redistribute them as if you are installing them for the first time. Passwords should also be changed.]

***

Copy the CSR to the same directory as your root certificate and the private key for your root certificate. If you used the default location, this would be c:\OpenSSL-Win32\bin or c:\OpenSSL-Win64\bin

Assume, for this example,  your root certificate is named ca.crt, your private key is named ca.key, and your CSR is named iis-csr.txt. Assume you wish to name your SSL certificate IIS.cer.

Start OpenSSL using an elevated command prompt. You need administrator privileges. Navigate to the correct directory.  Enter this command using the correct names of your files, but please be aware that OpenSSL is case sensitive with respect to its keywords. -CAcreateserial is not the same as -cacreateserial. If you make a mistake, OpenSSL will list the correct commands. Figure out what you did wrong and try it again. the -days parameter is used for the validity period. Use any number you like, but it must be less than the remaining validity period of the root certificate.

Openssl x509 -req -days 1825 -in iis-csr.txt -CA ca.crt -CAkey ca.key -CAcreateserial -out IIS.cer

csr06

Done

To buy an SSL certificate

Decide who your Certificate Authority will be. There are several to choose from. Find the place on their site where you apply for an SSL certificate, then follow the instructions. If your application is accepted, you will receive an SSL certificate.

Your Certificate Authority may also make available an intermediate certificate. It is probable they signed your SSL certificate with an intermediate certificate and not their corporate root certificate. It’s common for large companies to have a layered certificate structure. The intermediate certificate will chain back to the root certificate installed on your PC or browser.

You will need to import the intermediate certificate they provided into the intermediate certificate store of the local computer on the server. Follow the instructions they provide. They should be something like what follows …

Start  the MMC snap in console, MMC.exe,

File / Add Remove Snap in / Certificates / Add / Computer Account / Local Computer / Finish / OK

Intermediate Certificate Authorities / Certificates / Right Click / All Tasks / Import

Follow the wizard prompts to import the intermediate certificate. Place the certificate in the Intermediate Certification Authorities store, which should be already in the prompt.

When exiting the MMC console, you don’t need to save it.

int02

As you can see, certco.com ( a quick mockup using OpenSSL to create an intermediate CA)  now has an intermediate certificate in the store.

Install the SSL Certificate Into IIS

Return to this screen and, on the right, select Complete Certificate Request.

csr02

###

Navigate to the SSL certificate you made or purchased. This is the screen that will control the import into IIS. It assumes your certificate has a .cer file extension. IIS will also import files with a .crt extension, but you have to tell the import wizard to look for it.

csr07

###

If successful, you will see a screen similar to this one. Your SSL certificate has been installed.

csr08

###

The next thing to do is associate the SSL certificate with port 443 on IIS.  A port is a lot like the channel on TV, such as NBC is on channel 5 in Chicago. The internet communicates on ports. There are thousands of them, but only a few are considered standard. Port 443 is associated with HTTPS. Port 80 is associated with normal internet web page traffic. The act of linking a certificate to a port is called binding. To the right, click bindings.

csr09

###

Click Add

csr10

###

Fill in the prompt

csr11

###

Done.

csr12

###

Open port 443 on your router and direct it toward the local network address of your IIS server. Every router has a different screen for this, but all screens look and operate in a similar way. Your IP address will undoubtedly be different.This is an Asus port forwarding screen. Make sure DDNS in enabled. You should also open port 80 if you want to allow normal internet access to your new web server.

ssl port forward###

If you used OpenSSL, make sure your root certificate has been installed in the client’s and server’s root certificate store and in any browsers, such as Firefox, that have trusted root certificate stores separate from the client PCs.

The result …

(the padlock is real, the URL, not so much)

The URL is a mockup but this page was loaded from another computer over the internet using HTTPS and my personal DDNS internet address. The padlock is real. I used the miracle of Microsoft Paint to cut my address out and replace it with something editorial.

csr13


2 Comments on “IIS and the Certificate Signing Request”

  1. This is my first time visit at here and i am actually impressed to read all at single place.


Have Something To Add?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s