INFO: Installing a VeriSign SGC certificate on IIS 4.0 (234271)



The information in this article applies to:

  • Microsoft Internet Information Server 4.0

This article was previously published under Q234271
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

This article describes how to install a VeriSign Server Gated Crypto (SGC) certificate on a computer running Microsoft Internet Information Server (IIS) version 4.0. VeriSign uses the term "Global ID" to refer to their SGC certificates.

MORE INFORMATION

The process for configuring non-US versions of IIS 4.0 (for example, the English international 40-bit version) to use a VeriSign SGC certificate is as follows.

Prerequisites

Note Bypass the Prerequisites section if Windows NT 4.0 Service Pack 4 has been applied to the IIS 4.0 computer.
  1. Ensure that you have at least Windows NT 4.0 Service Pack 3 applied on the IIS computer.
  2. Make sure that you obtain the latest Schannel patch and Sgcinst.exe files from ftp://ftp.microsoft.com/ and that you view the Readme file prior to implementation on a live environment. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    148427 Generic SSL (PCT/TLS) updates for IIS and Microsoft Internet products

  3. Check that the EnableSGC registry value in the following registry key is set to 1:

    HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    If this value is different or not created, use Registry Editor to modify or add the DWord value.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Obtaining the SGC certificate

At this stage, the IIS computer is configured with the necessary file revisions to accept the SGC certificate. Go to the VeriSign Web site and request an SGC digital ID. When VeriSign approves your certificate request, you will receive your certificate in the mail.

Note Some e-mail systems may corrupt the valid certificate. Please check with your vendor. At present there are no known issues with Microsoft Exchange Server.

Sample certificate

-----BEGIN CERTIFICATE-----
MIIBqDCCARECAQAwaTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMRMwEQYD
VQQHEwpMYXNDb2xpbmFzMRIwEAYDVQQKEwlNaWNyb3NvZnQxDjAMBgNVBAsTBUl0
ZWFtMREwDwYDVQQDFAhOVFZPT0RPTzCBnjANBgkqhkiG9w0BAQEFAAOBjAAwgYgC
gYBxmmAWKbLJHg5TuVyjgzWW0JsY5Shaqd7BDWtqhzy4HfRTW22f31rlm8NeSXHn
EhLiwsGgNzWHJ8no1QIYzAgpDR79oqxvgrY4WS3PXT7OLwIDAQABoAAwDQYJKoZI
hvcNAQEEBQADgYEAVcyI4jtnnV6kMiByiq4Xg99yL0U7bIpEwAf3MIZHS7wuNqfY
acfhbRj6VFHT8ObprKGPmqXJvwrBmPrEuCs4Ik6PidAAeEfoaa3naIbM73tTvKN+
WD30lAfGBr8SZixLep4pMIN/wO0eu6f30cBuoPtDnDulNT8AuQHjkJIc8Qc=
-----END CERTIFICATE-----

Configuring and installing the certificate

The certificate will be sent in the body of an e-mail message. Copy the contents of the mail message into a text file using a plain text editor that does not insert formatting information, such as Notepad.exe. Make sure that the very first line is "-----BEGIN CERTIFICATE-----" and that the last line is "-----END CERTIFICATE-----".

Formatting the certificate

Notes
  • Do not use Microsoft Word. Microsoft Word specifically formats documents. Microsoft Notepad.exe does not apply any specific formatting. Make sure that you do not have the Word Wrap feature set on your text processor, and that there are no leading or trailing spaces on EACH line in the certificate. Make sure that the "Begin Certificate" and "End Certificate" lines are separate from the main body of the message (certificate). Save this file as a text file.
  • Run the Sgcinst.exe utility that you obtained from the Microsoft FTP site against the raw certificate. The command should be similar to the following:

    C:\sgcinst.exe -i -o sgccert.txt rawcert.txt

  • Install the new output file (for example, Sgccert.txt) as the certificate in Key Manager.
The IIS 4.0 computer should now negotiate 128-bit secure sessions.
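
The formatting rules in the Notes above can be checked mechanically before the raw certificate file is passed to Sgcinst.exe. The following is an added example, not part of the original article or any Microsoft tool; the function names are hypothetical and the sample input is a constructed placeholder, not a real certificate.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_certificate_text(text):
    """Return a list of formatting problems; an empty list means none were found."""
    problems = []
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":          # one final newline after END is normal
        lines.pop()
    if not lines or lines[0] != BEGIN:
        problems.append("first line is not exactly the BEGIN CERTIFICATE line")
    if not lines or lines[-1] != END:
        problems.append("last line is not exactly the END CERTIFICATE line")
    body = []
    for number, line in enumerate(lines, start=1):
        if line != line.strip():
            problems.append(f"line {number}: leading or trailing whitespace")
        if line.strip() == "":
            problems.append(f"line {number}: blank line")
        elif line.strip() not in (BEGIN, END):
            body.append(line.strip())
    if any("-----" in line for line in body):
        problems.append("a delimiter shares a line with other text")
    try:
        der = base64.b64decode("".join(body), validate=True)
        if not der.startswith(b"\x30"):    # DER certificates start with a SEQUENCE tag
            problems.append("decoded body does not start with a DER SEQUENCE")
    except binascii.Error:
        problems.append("body is not valid base64 (altered in transit?)")
    return problems

def make_sample():
    """Constructed placeholder: PEM-shaped text, not a real certificate."""
    body = base64.b64encode(b"\x30\x82\x01\x00" + bytes(92)).decode("ascii")
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"

if __name__ == "__main__":
    clean = make_sample()
    print("clean:", check_certificate_text(clean))
    print("trailing tabs:", check_certificate_text(clean.replace(END, END + "\t\t")))
    quoted = "".join("> " + l + "\n" for l in clean.splitlines())
    print("mail-quoted:", check_certificate_text(quoted))
```

An empty result means the file meets the layout described in the Notes; it does not show that the certificate itself is valid or was issued by VeriSign.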

Modification Type: Major
Last Reviewed: 11/17/2005
Keywords: kbinfo KB234271