Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

 

patterns & practices Developer Center

How To: Set Up SSL on a Web Server

J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation

Published: November 2002

Last Revised: January 2006

Applies to:

  • Internet Information Services (IIS) 5.0, 5.1, and 6.0
  • Microsoft® Windows 2000 Server™ and Windows Server 2003

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for a starting point and complete overview of Building Secure ASP.NET Applications.

Summary: A Web server must be configured for SSL in order to support HTTPS connections from client applications. This How To shows you how to configure SSL on a Web server. (5 printed pages)

Contents

  • Summary of Steps
  • Step 1. Generate a Certificate Request
  • Step 2. Submit a Certificate Request
  • Step 3. Issue the Certificate
  • Step 4. Install the Certificate on the Web server
  • Step 5. Configure Resources to Require SSL Access

Secure Sockets Layer (SSL) is a set of cryptographic technologies that provides authentication, confidentiality, and data integrity. SSL is most commonly used between Web browsers and Web servers to create a secure communication channel. It can also be used between client applications and Web services.

Note   Ensure that Microsoft Certificate Services (required if you need to generate your own certificates) are installed on the certification authority (CA) machine.

Summary of Steps

This How To includes the following steps:

  • Step 1. Generate a Certificate Request
  • Step 2. Submit a Certificate Request
  • Step 3. Issue the Certificate
  • Step 4. Install the Certificate on the Web server
  • Step 5. Configure Resources to Require SSL Access

Step 1. Generate a Certificate Request

This procedure creates a new certificate request, which can be sent to a Certificate Authority (CA) for processing. If successful, the CA will send you back a file containing a validated certificate.

To generate a certificate request

  1. Start the IIS Microsoft Management Console (MMC) snap-in.

  2. Expand your Web server name and select the Web site for which you want to install a certificate.

  3. Right-click the Web site, and then click Properties.

  4. Click the Directory Security tab.

  5. Click the Server Certificate button within Secure communications to launch the Web Server Certificate Wizard.

    Note   If Server Certificate is unavailable, you probably selected a virtual directory, directory, or file. Go back to Step 2 and select a Web site.

  6. Click Next to move past the welcome dialog box.

  7. Click Create a New Certificate, and then click Next.

  8. The dialog box has the following two options:

    • Prepare the request now, but send it later

      This option is always available.

    • Send the request immediately to an online certification authority

      This option is available only if the Web server can access one or more Microsoft Certificate servers in a Windows 2000 Server or Windows Server 2003 domain configured to issue Web server certificates. Later on in the request process, you are given the opportunity to select an authority from a list to send the request to.

    Click Prepare the request now, but send it later, and then click Next.

  9. Type a descriptive name for the certificate in the Name field, type a bit length for the key in the Bit length field, and then click Next.

    The wizard uses the name of the current Web site as a default name. It is not used in the certificate but acts as a friendly name to help administrators.

  10. Type an organization name (such as Contoso) in the Organization field and type an organizational unit (such as Sales Department) in the Organizational unit field, and then click Next.

    Note   This information will be placed in the certificate request, so make sure it is accurate. The CA will verify this information and will place it in the certificate. A user browsing your Web site will want to see this information in order to decide if they should accept the certificate.

  11. In the Common name field, type a common name for your site, and then click Next.

    Important   The common name is one of the most significant pieces of information that ends up in the certificate. It is the DNS name of the Web site (that is, the name that users type in when browsing your site). If the certificate name doesn't match the site name, a certificate problem will be reported when users browse to the site.

    If your site is on the Web and is named www.contoso.com, this is what you should specify for the common name.

    If your site is internal and users browse by computer name, enter the NetBIOS or DNS name of the computer.

  12. Enter the appropriate information in the Country/Region, State/province, and City/locality fields, and then click Next.

  13. Enter a file name for the certificate request.

    The file contains information similar to the following.

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIDZjCCAs8CAQAwgYoxNjA0BgNVBAMTLW1penJvY2tsYXB0b3Aubm9ydGhhbWVy
    -----END NEW CERTIFICATE REQUEST-----
    

    This is a Base 64 encoded representation of your certificate request. The request contains the information entered into the wizard and also your public key and information signed with your private key.

    This request file is sent to the CA. The CA then uses your public key information from the certificate request to verify information signed with your private key. The CA also verifies the information supplied in the request.

    After you submit the request to a CA, the CA sends back a certificate contained in a file. You would then restart the Web Server Certificate Wizard.

  14. Click Next. The wizard displays a summary of the information contained in the certificate request.

  15. Click Next, and then click Finish to complete the request process.

    The certificate request can now be sent to a CA for verification and processing. After you receive a certificate response from the CA, you can continue and install the certificate on the Web server, once again by using the IIS Certificate Wizard.
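
The request file from step 13 is only Base64-encoded DER, so the subject that the CA will certify can be read back and checked before it is submitted. The Python below is an added example, not part of the original How To or of any Microsoft tool; it walks a PKCS#10 request far enough to list the subject attributes, using the one Base64 line printed in step 13 as input (the rest of that request is not on the page, so the value comes back marked incomplete). The function names are assumptions of this example.

```python
import base64
import re

# The one Base64 line of the request that step 13 prints (the rest is elided there).
PAGE_SAMPLE = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDZjCCAs8CAQAwgYoxNjA0BgNVBAMTLW1penJvY2tsYXB0b3Aubm9ydGhhbWVy
-----END NEW CERTIFICATE REQUEST-----"""

# DER bytes of the id-at OIDs 2.5.4.n, mapped to their usual short names.
OID_NAMES = {bytes([0x55, 0x04, n]): label for n, label in
             ((3, "CN"), (6, "C"), (7, "L"), (8, "ST"), (10, "O"), (11, "OU"))}

def pem_to_der(pem):
    """Drop the BEGIN/END lines and Base64-decode the body."""
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def read_tlv(buf, pos):
    """Return (tag, value_start, declared_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes are the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def csr_subject(pem):
    """List (attribute, value, complete) for the subject of a PKCS#10 request.
    Assumes one single-byte-string attribute per RDN; a value cut off by a
    truncated input is returned with complete=False."""
    der = pem_to_der(pem)
    _, pos, _ = read_tlv(der, 0)             # CertificationRequest SEQUENCE
    _, pos, _ = read_tlv(der, pos)           # CertificationRequestInfo SEQUENCE
    _, _, pos = read_tlv(der, pos)           # version INTEGER, skipped
    _, pos, name_end = read_tlv(der, pos)    # subject Name SEQUENCE
    attrs = []
    while pos < min(name_end, len(der)):
        _, pos, _ = read_tlv(der, pos)       # SET (one RDN)
        _, pos, _ = read_tlv(der, pos)       # SEQUENCE (type, value)
        _, start, end = read_tlv(der, pos)   # attribute type OID
        name = OID_NAMES.get(der[start:end], der[start:end].hex())
        _, start, pos = read_tlv(der, end)   # attribute value string
        text = der[start:pos].decode("latin-1")
        attrs.append((name, text, pos <= len(der)))
    return attrs

def common_name_matches(pem, dns_name):
    """True only if a complete CN equals the DNS name users will type."""
    return any(a == "CN" and ok and v.lower() == dns_name.lower()
               for a, v, ok in csr_subject(pem))
```

Run against the full file written by the wizard, every attribute comes back with the third field set to True, and `common_name_matches` can be checked against the site's DNS name before the request is pasted into Certificate Services.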

Step 2. Submit a Certificate Request

This procedure uses Microsoft Certificate Services to submit the certificate request generated in the previous procedure.

To submit a certificate request

  1. Use Notepad to open the certificate file generated in the previous procedure and copy its entire contents to the clipboard.
  2. Start Internet Explorer and navigate to http://hostname/CertSrv, where hostname is the name of the computer running Microsoft Certificate Services.
  3. Click Request a Certificate, and then click Next.
  4. On the Choose Request Type page, click Advanced request, and then click Next.
  5. On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next.
  6. On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) text box and press CTRL+V to paste the certificate request you copied to the clipboard earlier.
  7. In the Certificate Template combo box, click Web Server.
  8. Click Submit.
  9. Close Internet Explorer.

Step 3. Issue the Certificate

To issue the certificate

  1. Start the Certification Authority tool from the Administrative Tools program group.
  2. Expand your certificate authority, and then select the Pending Requests folder.
  3. Select the certificate request you just submitted.
  4. On the Action menu, point to All Tasks, and then click Issue.
  5. Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it.
  6. On the Details tab, click Copy to File, and save the certificate as a Base-64 encoded X.509 certificate.
  7. Close the properties window for the certificate.
  8. Close the Certification Authority tool.

Step 4. Install the Certificate on the Web Server

This procedure installs the certificate issued in the previous procedure on the Web server.

To install the certificate on the Web server

  1. Start Internet Information Services, if it's not already running.

  2. Expand your server name and select the Web site for which you want to install a certificate.

  3. Right-click the Web site, and then click Properties.

  4. Click the Directory Security tab.

  5. Click Server Certificate to launch the Web Server Certificate Wizard.

  6. Click Process the pending request and install the certificate, and then click Next.

  7. Enter the path and file name of the file that contains the response from the CA, and then click Next.

  8. Examine the certificate overview, click Next, and then click Finish.

    A certificate is now installed on the Web server.

Step 5. Configure Resources to Require SSL Access

This procedure uses Internet Services Manager to configure a virtual directory to require SSL for access. You can require the use of SSL for specific files, directories, or virtual directories. Clients must use the HTTPS protocol to access any such resource.

To configure resources to require SSL access

  1. Start Internet Information Services, if it's not already running.

  2. Expand your server name and Web site. (This must be a Web site that has an installed certificate.)

  3. Right-click a virtual directory, and then click Properties.

  4. Click the Directory Security tab.

  5. Under Secure communications, click Edit.

  6. Click Require secure channel (SSL).

    Clients browsing to this virtual directory must now use HTTPS.

  7. Click OK, and then click OK again to close the Properties dialog box.

  8. Close Internet Information Services.


© Microsoft Corporation. All rights reserved.