DOCUMENT:Q299525 13-AUG-2002 [iis] TITLE :HOWTO: Set Up SSL Using IIS 5.0 and Certificate Server 2.0 PRODUCT :Internet Information Server PROD/VER::2.0,5.0 OPER/SYS: KEYWORDS:kbgrpdsvc ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Services version 5.0 - Microsoft Certificate Services, version 2.0 ------------------------------------------------------------------------------- SUMMARY ======= This article explains how to set up Secure Sockets Layer (SSL) on an Internet Information Services (IIS) version 5.0 computer, using Certificate Server 2.0 as the certificate provider. MORE INFORMATION ================ 1. First, the Web server must make a certificate request. To do this, follow these steps: a. Start the Internet Service Manager (ISM), which loads the Internet Information Server snap-in for the Microsoft Management Console (MMC). b. Right-click the Web site on which you want to enable SSL, and click Properties. c. Click the Directory Security tab, and then click Server Certificate to start the Web Server Certificate Wizard. d. Click Next to start the wizard, and select Create a new certificate. e. Click Next, and select Prepare the request now, but send it later. f. Click Next, and give your certificate a name. You may want to match it with the name of the Web site. Now, select a bit length; the higher the bit length, the stronger the certificate encryption. Select Server Gated Cryptography if your users may be coming from countries with encryption restrictions. g. Click Next, and type your Organization and Organizational Unit. These values do not need to match any Active Directory entries. h. Click Next, and enter the common name. The common name must match the fully qualified domain name of the server as listed in DNS. For example, if the URL is https://www.mydomain.com/securedir, then the common name must be www.mydomain.com. i. Click Next, and type your country, state, and city or locality. Type the full name of your state here; do not abbreviate. j. Click Next, and select a location and file name to save your request to. k. Click Next twice, and then click Finish to close the wizard. 2. Process your request through Certificate Server. To do this, follow these steps: a. Browse to http://CAServerName/CertSrv, and select Request a certificate. NOTE: Do not use "localhost" as the server name. If you browse from the Certificate Server computer, use the computer name instead. b. Click Next and select Advanced request. c. Click Next and select Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file. d. Click Next, and open the request file that you saved from the Web Certificate Wizard in Notepad. Paste the entire text of the file, including the BEGIN and END lines, into the Base64 Encoded Certificate Request text box. e. Click Submit. You may be presented with a Certificate Pending dialog box. If you are prompted for download, skip to step 2j. f. Close your browser. On the Certificate Server computer, open the Certification Authority MMC. g. Expand the tree underneath the server name, and select the Pending Requests folder. Right-click the certificate that you just submitted (scroll to the right for more information to determine which certificate is yours if there are several pending), click All Tasks, and then click Issue. You may now close the Certification Authority MMC. h. Open a new browser window, and browse to the URL that is listed in step a. Select Check on a pending certificate. i. Click Next, and select the request that you made earlier. j. Click Next, select DER encoded, and then click the Download CA certificate link. Save the certificate file to your Web server's local drive, and close your Web browser. 3. Now, finish processing the request within IIS to install the certificate to the server, and enable SSL. a. Open the Internet Information Services MMC, right-click the Web site on which you want to enable SSL, and click Properties. b. Click the Directory Security tab, then click Server Certificate. c. Click Next, and select Process the pending request and install the certificate. d. Click Next, and enter the path and file name of the certificate that you saved in the last section. e. Click Next twice, and then click Finish to complete the wizard. f. Click the Web Site tab, and make sure that the SSL Port text box is populated with the port you would like SSL to run on. The default (and recommended) port is 443. g. Click OK to close the Web site Properties dialog box. You can now use SSL on your server. Test the setup by connecting to the Web site's home page by using https instead of http. You have a valid connection if the page comes up and a small lock appears in the status bar in the lower right-hand corner of the browser. REFERENCES ========== For additional information on connecting to IIS through SSL, click the article numbers below to view the articles in the Microsoft Knowledge Base: Q290625 HOWTO: IIS5: How to Configure SSL in a Windows 2000 IIS 5 Test Environment Using Certificate Server 2.0 Q201255 Enabling SGC on Internet Information Server Additional query words: iis 5 kbiisSearch kbCertSrvSearch ====================================================================== Keywords : kbgrpdsvc Technology : kbiisSearch kbiis500 kbCertServSearch kbZNotKeyword3 kbCertServ200 Version : :2.0,5.0 Issue type : kbhowto ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.