Digital certificates verify identity. When customers connect to your Web storefront and are ready to provide their credit card information, they need to know that their confidential information is secure. Customers also need to know that they're sending information to your company--not to an intruder impersonating your company. A digital certificate provides third-party verification that your Web storefront represents your company, thereby verifying your company's identity. After your identity is thus proven, the customer's Web browser and your Web server can create a secure channel, using a set of public and private keys to exchange private information. (To learn more about digital certificates, see Tao Zhou, "Digital Signature Technology," page 75.)
You can obtain digital certificates from a third-party Certificate Authority (CA), such as VeriSign (http://www.verisign.com) or Thawte (http://www.thawte.com). Web browsers use a list of Certificate Authorities to decide which CAs' certificates to trust. Browser developers configure the CA list, but users can modify it if necessary. For example, Screen A shows the Content tab of Internet Explorer (IE) 4.0's Internet Options page, with the Authorities button circled. To view the list of CAs that IE 4.0 accepts, you click the Authorities button.
REQUESTING A CERTIFICATE
The first step in obtaining a digital certificate is to create a set of unique keys and generate a request for the certificate. To use IIS 4.0 to create a key pair and Certificate Signing Request (CSR), take the following steps:
1. From the Rebar of Microsoft Management Console (MMC), click the icon for Key Manager, which is circled in Screen B.
2. When Key Manager opens, click the WWW icon (under the Local Computer icon) once to highlight it.
3. Select Create New Key from the Key menu to start the Create New Key wizard.
4. Enter a path and filename for the storage of the CSR, as Screen C shows, and click Next.
5. Enter a name for the key and a password, as Screen D shows. To install your digital certificate, you must have a password. Make this password complex, and don't forget it. Click Next when you have finished entering your key information.
6. In the resulting dialog box, specify the name of your organization in the Organization field, as Screen E shows. The organization name must be the registered owner of the domain name for the Web server that will use the certificate.
7. In the Organizational Unit field, specify the organizational unit for the department that will use the digital certificate.
8. In the Common Name field, enter the fully qualified domain name of the Web server that will use the digital certificate. Do not include http://. For example, enter ec.net-etc.com as the common name. Click Next.
9. In the resulting dialog box, enter your country code, state or province, and your city or locality. Don't abbreviate your state name. Click Next.
10. In the resulting dialog box, enter the contact information for the administrator responsible for the digital certificate. Click Next.
11. Click Finish to create a new key and CSR. Another dialog box will appear, informing you that the CSR now exists. Click OK to dismiss the dialog box.
12. In Key Manager, select Commit Changes Now from the Computers menu to save your key. Then click Yes in the Commit All Changes Now? dialog box to confirm your changes.
13. Open the CSR file with an ASCII text editor and copy the information between the headers Begin New Certificate Request and End New Certificate Request. Be sure to include the leading and trailing dashes. Submit this information via a Web form or in an email message to your CA.
Your CA will email your certificate to you after the CA verifies your information and you have paid your fees.
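As an added check that is not part of the original article, the following Python script (standard library only) validates the CSR file Key Manager wrote before you paste it into the CA's form: it extracts exactly the block between the Begin and End lines, confirms the body is well-formed base64 DER, and compares the embedded common name against the FQDN you expect (ec.net-etc.com here, as in step 8). The sample CSR file it builds is constructed for the demonstration and carries only a subject Name rather than a full request; the same functions work unchanged on a real CSR, and extract_pem with CERT_LABELS applies to the certificate the CA returns.

```python
import base64
import re

# PEM labels Key Manager writes (the article's "Begin New Certificate Request"
# headers); newer tools omit the word NEW, so both spellings are accepted.
CSR_LABELS = ("NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST")
CERT_LABELS = ("CERTIFICATE",)
CN_OID_DER = bytes.fromhex("0603550403")  # OBJECT IDENTIFIER 2.5.4.3 (commonName)

def extract_pem(text, labels):
    """Return (block, der): the exact PEM block, dashes included, and its decoded bytes."""
    for label in labels:
        m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), text, re.S)
        if m:
            body = "".join(m.group(1).split())          # drop line breaks and stray spaces
            der = base64.b64decode(body, validate=True)  # reject any non-base64 residue
            if not der or der[0] != 0x30:                # a CSR or certificate is a DER SEQUENCE
                raise ValueError("PEM body does not decode to an ASN.1 SEQUENCE")
            lines = [body[i:i + 64] for i in range(0, len(body), 64)]
            return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, "\n".join(lines), label), der
    raise ValueError("no PEM block labelled %s" % " or ".join(labels))

def common_name(der):
    """Return the first commonName in a DER request or certificate (short-form lengths only)."""
    i = der.find(CN_OID_DER)
    if i < 0:
        raise ValueError("no commonName attribute in subject")
    tag, length = der[i + 5], der[i + 6]                 # the value TLV follows the 5-byte OID TLV
    if tag not in (0x13, 0x0C, 0x16) or length >= 0x80:  # PrintableString, UTF8String, IA5String
        raise ValueError("unsupported commonName encoding")
    return der[i + 7:i + 7 + length].decode("utf-8")

def check_csr(text, expected_fqdn):
    """Validate the CSR file before it goes to the CA; returns the block to paste into the CA's form."""
    block, der = extract_pem(text, CSR_LABELS)
    cn = common_name(der)
    if "://" in cn or "/" in cn:
        raise ValueError("common name %r must be a bare host name, not a URL" % cn)
    if cn.lower() != expected_fqdn.lower():
        raise ValueError("CSR common name %r does not match %r" % (cn, expected_fqdn))
    return block

def der_tlv(tag, content):
    return bytes([tag, len(content)]) + content          # short-form length, enough for the sample

def sample_csr_file(cn="ec.net-etc.com"):
    """Constructed stand-in for Key Manager's CSR file (not a real request): only a subject Name,
    SEQUENCE { SET { SEQUENCE { OID, PrintableString } } }, wrapped in the labels the wizard writes."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, CN_OID_DER + der_tlv(0x13, cn.encode("ascii")))))
    b64 = base64.b64encode(name).decode("ascii")
    return "Contact: webmaster\n-----BEGIN NEW CERTIFICATE REQUEST-----\n%s\n-----END NEW CERTIFICATE REQUEST-----\n" % b64
```

Run check_csr on the real file Key Manager wrote; a CN of http://ec.net-etc.com (the mistake step 8 warns about) is rejected before the CA ever sees it.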
INSTALLING YOUR DIGITAL CERTIFICATE ON IIS
1. Copy your new certificate to an ASCII text file. Include everything between the lines Begin Certificate and End Certificate, including the dashes.
2. Open Key Manager and expand the WWW icon to display the key you created in steps 3 through 12 above. A red slash will cross the key icon, as Screen F shows, signifying that the key's certificate is not installed.
3. Highlight the key you created when you generated the certificate request in step 11 above, and select Install Key Certificate from the Key menu.
4. A File Open dialog box will appear to let you browse for the file containing your certificate. Select the ASCII file you created in step 1 to hold your new certificate. Click Open to continue.
5. When the Confirm Password dialog box appears, enter the password you specified in step 5 above, when you created the key and CSR. Click OK.
6. In the Server Bindings dialog box, which Screen G shows, specify the IP address or addresses that will use the digital certificate, then click OK.
7. Select Commit Changes Now from the Computers menu of Key Manager, and confirm your changes before exiting. Your new digital certificate is ready for use.