DOCUMENT:Q218445  06-AUG-2002  [iis]
TITLE   :How to Configure Certificate Server for Use with SSL on IIS
PRODUCT :Internet Information Server
PROD/VER:winnt:4.0
OPER/SYS:
KEYWORDS:

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Server version 4.0 
-------------------------------------------------------------------------------

SUMMARY
=======

You can use Certificate Server to issue certificates for use with the Secure
Sockets Layer (SSL). This is typically done on a local intranet, where you have
the ability to directly inform your clients that they can trust your
certificates.

MORE INFORMATION
================

IIS supports the SSL 3.0 protocol, which uses certificates to identify both the
client and server during communication, and to establish a one-time session key
to encrypt and decrypt data transmitted during that particular communication
session.

You can use Certificate Server 1.0, which is a component of the Windows NT Option
Pack, to issue certificates for your clients to use.

Before SSL can be used, the following tasks must be performed on the server:

1. Create a Root CA Certificate on the server.

2. Install the Root CA Certificate on the server.

3. Create a Key Certificate Request for the server.

4. Process the Key Certificate Request for the server.

5. Install the Key Certificate on the server.

6. Secure the directory on the server.

Next, perform the following tasks on the client:

1. Install the Root CA Certificate on the client.

2. Install a Certificate on the client.

3. Connect to the SSL-Secured directory from the client.

NOTE: Each of the tasks listed above correspond to a section below. Go to that
section for details on how to perform that particular task.

Creating a Root CA Certificate on the Server
--------------------------------------------

To create a root CA certificate on the server, simply perform the default
installation of the Certificate Server component of the Windows NT Option Pack.
The default installation automatically creates a root CA certificate.

NOTE: If you choose to use Advanced Configuration, do NOT select the Non-root CA
option.

Installing the Root CA Certificate on the Server
------------------------------------------------

1. Browse to http://localhost/certsrv/, click the Certificate Enrollment Tools
   link, and then click the Install Certificate Authority Certificates link.

2. Click the Refresh button to verify that the information displayed is current,
   and then click the "Certificate for <ComputerName>\<CA-Name>"
   link.

3. In the File Download dialog box, select the "Open this file from its current
   location" radio button, and then click OK.

   Perform the following steps if Windows NT 4.0, SP4 or SP5 is installed:

   a. In the Certificate dialog box, click the Install Certificate button.

   b. When the Certificate Manager Import Wizard starts, click Next.

   c. When prompted to select a certificate store, select the "Place all
      certificates into the following store" radio button, and then click
      Browse.

   d. Select the Show Physical Stores option, open Trusted Root Certificate
      Authorities, and then click Local Computer. Click OK.

   e. Click Next, and then click Finish. Click OK to close the dialog box.

   f. Restart the server to cause the root CA certificate to take effect.

   For additional information, please see the following article(s) in the
   Microsoft Knowledge Base:

   Q194788 Windows NT Service Pack 4 and Client Certificates

   Perform the following steps if Windows NT 4.0, SP3 is installed:

   a. In the New Site Certificate dialog box, click OK (you will typically want
      to leave all of the check boxes selected).

   b. When prompted by "Do you want to ADD the following certificate to the Root
      Store?", click Yes.

   c. At a command prompt, use the CD command to change directories to the
      %SystemRoot%\System32\InetSrv directory (for example, type "cd
      \winnt\system32\inetsrv" (without the quotation marks) if your system root
      is \winnt).

   d. Type "iisca" (without the quotation marks), to synchronize the root CA
      certificate stores used by IIS and Internet Explorer.

   e. Force the registry to be re-read, so that the new root CA certificate is
      recognized. This is done by either restarting the server, or stopping the
      IISADMIN service and its dependent services (for example WWW, FTP, NNTP,
      SMTP, and so on) and then restarting the dependent services that you use.
      These services can be stopped and restarted by doing either of the
      following:

       - Open Control Panel, open Services, and then stop and restart the
         services.

      -OR-

       - Run NET STOP and NET START commands at a command prompt. To do this,
         perform the following:

         1. At a command prompt, type "net stop iisadmin /y" (without the
            quotation marks) to stop the IISADMIN service and its dependent
            services.

         2. Restart the dependent services you use. For example, to restart the
            WWW service, type "net start w3svc" (without the quotation marks).
            To restart FTP, type "net start msftpsvc" (without the quotation
            marks).

Creating a Key Certificate Request for the Server
-------------------------------------------------

1. Start the Internet Service Manager (ISM), which loads the Internet
   Information Server snap-in for the Microsoft Management Console (MMC).

2. Right-click the Web site, directory, or file to be secured, and then click
   Properties. Click the Directory Security (or File Security) tab.

3. Under Secure Communications, click the Key Manager button.

   NOTE: This button will labeled "Edit" instead of "Key Manager" if a
   certificate has already been installed.

4. In Key Manager, right-click WWW, and then click "Create New Key".

5. Click the "Put the request in a file that you will send to an authority"
   radio button, and then save the file to your hard disk. Be sure to remember
   the name and location of the file.

   NOTE: C:\NewKeyRq.txt is the default path and name for this file.

6. Step through the rest of the Create New Key dialog boxes.

   NOTE: When prompted for your state, be sure to spell it out completely (do not
   use the abbreviation), with proper capitalization, so that the certificate
   request will be PKCS #10 compatible.

7. Close the Key Manager, being sure to click Yes when prompted to "Commit all
   changes now?"

8. In the MMC, click OK.

Processing the Key Certificate Request for the Server
-----------------------------------------------------

1. Open the text file created for the server request (C:\NewKeyRq.txt by
   default).

2. Select and copy the text for the key, beginning with the line:

   -----BEGIN NEW CERTIFICATE REQUEST-----

   and ending with:

   -----END NEW CERTIFICATE REQUEST-----

   (in other words, include both of these lines).

3. Browse to http://localhost/certsrv/, click the Certificate Enrollment Tools
   link, and then click the Process a Certificate Request link.

4. On the Web Server Enrollment page, paste the text from the key into the text
   box, and then click Submit Request.

   If you receive the following error message:

   Error!!! Certificate Server is unable to process your request. Last status
   error code = 57.

   See the following Knowledge Base article for more information:

   Q255981 Processing the Key Certificate Request for the Server Fails

5. When the certificate has been successfully processed, click the Download
   button.

6. Click the "Save this file to disk" radio button, and then save the file. Be
   sure to remember the name and location of the file.

   NOTE: Newcert.cer is the default name for this file.

Installing the Key Certificate on the Server
--------------------------------------------

1. In the MMC, right-click the Web site, directory, or file to be secured, and
   then click Properties. Click the Directory Security (or File Security) tab.

2. Under Secure Communications, click the Edit button (note that this changed
   from previously being labeled Key Manager). Now click the Key Manager button.

3. In Key Manager, right-click the new key request (the icon with a red slash
   through it), and then click Install Key Certificate.

4. Select the certificate file, and then when prompted, provide the password.
   Click OK.

5. In the Server Bindings dialog box, "Any Unassigned" should be displayed under
   both the IP Address and Port Number columns. Click OK (unless you want to
   assign the key to particular IP address and port number).

6. Close Key Manager and make sure to click Yes when prompted to "Commit all
   changes now?"

7. Click OK twice to return to the MMC.

Securing the Directory on the Server
------------------------------------

1. In the MMC, right-click the the Web site, directory, or file to be secured,
   and then click Properties.

2. Click the Directory Security (or File Security) tab. Under Secure
   Communications, click the Edit button.

3. Select the "Require Secure Channel when accessing this resource" check box.

4. Select the Require Client Certificates radio button.

5. Click OK twice to return to the MMC.

Installing the Root CA Certificate on the Client
------------------------------------------------

1. Browse to http://<ServerDomainName>/certsrv/, click the Certificate
   Enrollment Tools link, and then click the Install Certificate Authority
   Certificates link.

2. Click the Refresh button to verify that the information displayed is current,
   and then click the "Certificate for <ServerDomainName>\<CA-Name>"
   link.

3. In the File Download dialog box, select the "Open this file from its current
   location" radio button, and then click OK.

4. The dialog box displayed next will depend on which Service Pack has been
   applied to Windows NT 4.0.

If SP4 or SP5 Is Installed:

1. In the Certificate dialog box, click the Install Certificate button.

2. When the Certificate Manager Import Wizard starts, click Next.

3. When prompted to select a certificate store, select the "Place all
   certificates into the following store" radio button, and then click Browse.

4. Select the Show Physical Stores checkbox, open Trusted Root Certificate
   Authorities, and then select Local Computer. Click OK.

5. Click Next, and then click Finish. Click OK to close the dialog box.

6. Restart the computer.

If SP3 Is Installed:

1. In the New Site Certificate dialog box, click OK (you will typically want to
   leave all of the check boxes selected).

2. When prompted by "Do you want to ADD the following certificate to the Root
   Store?", click Yes.

3. Restart the client computer, so that the new root CA certificate will take
   effect.

Installing a Certificate on the Client
--------------------------------------

1. Browse to http://<ServerDomainName>/certsrv/, click the Certificate
   Enrollment Tools link, and then click the Request a Client Authentication
   Certificate link.

   NOTE: In Internet Explorer, security must be set to Medium in order to
   download the ActiveX control on this Web page. (Netscape does not use the
   ActiveX control, so the security setting is not an issue for it).

2. Fill in the information requested in Certificate Enrollment Form the page,
   and then click the Submit Request button.

3. When the certificate has been successfully processed, click the Download
   button.

4. Click OK when you see the message "Your new certificate has been successfully
   installed!"

Connecting to the SSL-Secured Directory from the Client
-------------------------------------------------------

1. Browse to https://<ServerDomainName>/<SecuredResource>

   NOTE: Be sure to use the httpS protocol, not just http, so that the server
   will create a secure connection.

2. When the Client Authentication dialog box appears, select the certificate you
   just installed (in the section above), and then click OK.

You should now have a secure connection from the client to the server, using
SSL.

(c) Microsoft Corporation 2000, All Rights Reserved. Contributions by Kevin
Zollman, Microsoft Corporation.


Additional query words: ntop certsrv certsvr wkz

======================================================================
Keywords          :  
Technology        : kbiisSearch kbiis400
Version           : winnt:4.0
Issue type        : kbhowto

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2002.