Request, install, and troubleshoot an SSL certificate

Netscape designed the Secure Sockets Layer (SSL) protocol to encrypt communications traveling over the Internet. You can use SSL to encrypt email messages and files as well as to further secure Web sites that use Basic authentication, and to encrypt sessions between client browsers and Web servers. SSL is fairly complex, but if you want more information about it, see "Related Reading," page 10.

Why would you want to SSL-enable your Web site? If you're running an e-commerce site, a corporate intranet, or a site that stores any personal information, you might want an SSL certificate for two major reasons: to protect your business and to protect your customers or users. My aim is to help you get a secure IIS 5.0 Web site running as quickly and painlessly as possible.

Keep in mind that SSL alone isn't enough to secure your Internet operations. Think of SSL as the armor on an armored car carrying sensitive data. If you use SSL to collect credit card information from your customers but then store the data in a plaintext file on your server, you might very well be defeating the purpose of using SSL in the first place.

SSL Costs
A legitimate question to ask when considering SSL is, how much will it cost? Perhaps the biggest cost is the CPU cycles SSL will burn up on your system. Adding SSL will have minimal effect on your programming work, forms, and scripting, and implementing SSL on IIS 5.0 is simple (assuming, of course, that you read this article first).

Table 1 shows the monetary cost of a 40-bit SSL certificate from several Certificate Authorities (CAs). You can also purchase a more secure 128-bit solution, but the added security will cost you more. VeriSign is the most expensive, but it's also the best-known CA, so I trust it to protect my data and business. Another good reason to go with a big name in the business is that browsers will likely support it. To see the list of CAs that Microsoft Internet Explorer (IE) 5.0 recognizes and automatically trusts, choose Internet Options from the Tools menu. On the Content tab, click Certificates. The Certificates dialog box's Intermediate Certification Authorities tab and Trusted Root Certification Authorities tab each displays a list of CAs. Figure 1 shows the Trusted Root Certification Authorities tab.

Requesting a Certificate
After you decide on a CA, you're ready to begin the process of generating a certificate signing request (CSR). The first step is to open Internet Services Manager (ISM) in Windows 2000's Administrative Tools folder. Right-click the Web site for which you want to create a CSR, and select Properties, as Figure 2 shows. Select the Directory Security tab, and click Server Certificate to start the Web Server Certificate Wizard, which guides you through these six steps:

  1. At the first screen, select the option to create a new certificate.
  2. Supply a certificate name and a bit length for the certificate's encryption key. The name is for display purposes and can be anything you want, but it should describe the Web site. The goal is to differentiate this certificate from any other certificates you might have. The default bit length for the key is 512, but I recommend using 1024 bits or higher. VeriSign also recommends using a 1024-bit length key because 512-bit keys have been cracked. For more information about the vulnerability of 512-bit keys, see http://www.verisign.com/cus/srv/faq/512/index.html.
  3. Supply an organization name and an organizational unit (OU) name. Like the certificate name, these descriptors are handy if you manage many certificates. Stick to alphanumeric characters and spaces; avoid characters such as commas and semicolons.
  4. Supply the common name (CN) for the Web site. Type the URL that users enter to access the site. For example, if your site is Amazon.com, your CN is www.amazon.com. If the site is your intranet, which runs only on a LAN with NetBIOS, your CN might just be intranet. The key here is to enter exactly what you intend users to enter to access the site.
  5. Supply your city and state. Enter the complete names—some CAs don't recognize two-letter state abbreviations.
  6. Finally, choose a filename (IIS 5.0 typically assumes a .cer extension for certificate filenames) and location in which to save the CSR, click Next, then click Finish to generate the CSR file.

The CSR file contains an encrypted version of all the information you just provided. For more information about how to produce a CSR, see the Microsoft article "Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0" (http://support.microsoft.com/support/kb/articles/q228/8/21.asp).

Now, all you need to do is submit the CSR to a CA. A word of warning: When applying for an SSL certificate, you might need your company's Dun & Bradstreet identification number. This number proves that your company is an actual corporation. If your company doesn't have a number, you must choose the option for a nonprofit organization when you apply for the certificate. You'll also probably need to supply contact information for yourself and possibly a backup contact, as well as a credit card or purchase order number. After submitting all this information, you'll receive your certificate by email in as little as one day or as much as a week, assuming no problems arise with your application or payment.

Installing a Certificate
When you receive your security certificate, save it to a disk or a secured network location so that you can access it from your Web server. Start the Web Server Certificate Wizard as you did before. This time, IIS 5.0 remembers that you've created a CSR and asks whether you want to process or delete the pending request, as Figure 3 shows. Select the Process the pending request and install the certificate option. Next, you must enter the location of the certificate. The wizard expects a .cer file, but a .txt file is fine, too. Figure 4 shows the next wizard page, which lets you confirm that the certificate information is correct. For a more detailed explanation of the installation process, see the Microsoft article "Installing a New Certificate with Certificate Wizard for Use in SSL/TLS" (http://support.microsoft.com/support/kb/articles/q228/8/36.asp).

Now, for the big test: Enter https://common_name in a Web browser, and see whether your site responds to the SSL request. If it does, congratulations—you successfully installed an SSL certificate on IIS 5.0.

If the site doesn't respond, double-check that the Web server's port 443 is enabled for SSL communications. You can check and change this setting on the Web Site tab of the Web site's Properties dialog box. Also, on the Directory Security tab of the Web site's Properties dialog box, you can click View Certificate to confirm that the SSL certificate is installed and valid. If you receive error messages telling you that the certificate isn't valid or that the site name doesn't match the certificate, confirm your system's time and date (browsers compare the certificate expiration date with your system's clock) and confirm that the CN you used in creating the CSR matches the name you're using to access the site.
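To make that troubleshooting step repeatable from any client machine, here is an added Python check (example code, not from the original article or from IIS) that performs the https://common_name test and reports the same two causes the text names: a certificate name that does not match the name used to reach the site, and a clock outside the certificate's validity window. The SAMPLE_CERT dictionary and the name www.example.com are constructed assumptions so the name and date checks can be exercised offline.

```python
import socket
import ssl
import time


def check_cert(cert, hostname, now=None):
    """The two checks from the text, on a getpeercert()-style dict: does a DNS name or the
    CN match hostname exactly, and does the clock fall inside the validity window?
    Returns a list of problem strings; an empty list means the certificate passes."""
    now = time.time() if now is None else now
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for kind, v in rdn if kind == "commonName"]
    if hostname.lower() not in {n.lower() for n in names}:
        problems.append(f"name mismatch: {hostname!r} is not covered by {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid: check the clock on server and client")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired: check the clock before assuming it needs renewal")
    return problems


def fetch_and_check(hostname, port=443, timeout=5):
    """Open a TLS session to hostname:port (the https://common_name test) and check the
    certificate the server presents; an untrusted chain or a closed port is reported too."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # check_cert does the name check, so a mismatch gets reported
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return check_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate chain not trusted by this client: {exc.verify_message}"]
    except OSError as exc:
        return [f"could not complete an SSL session on port {port}: {exc}"]


# Constructed sample in getpeercert() layout (not a real certificate), for offline checks.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
INSIDE_WINDOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan 15 12:00:00 2025 GMT")
```

Run `fetch_and_check("your.common.name")` against the live server; an empty list means port 443 answered and the certificate matched the name and the clock.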

Anticipating Your Questions
Here are the answers to a couple of questions about certificates that people have asked me in the past. If a site is reachable under several DNS names through CNAME records, you don't need to purchase and install multiple certificates; you need only one certificate per Web site. In fact, IIS 5.0 doesn't allow more than one certificate per site. However, if you have more than one secure Web site on a server, you'll need an SSL certificate for each Web site on that server. HTTP traffic sent to multiple CNAME records pointing to the same IP address arrives in fine shape, but SSL traffic will arrive without errors only if it's sent to the CN specified in the certificate. Change your HTML so that it directs secure traffic only to the CN. For example, a form that POSTs to /scripts/purchase.asp should instead target https://common_name/scripts/purchase.asp.

If you've made a mistake on a submitted CSR, or if you're moving from IIS 4.0 with SSL to IIS 5.0 with SSL, you'll probably need a new certificate, but you might not need to pay again. Call the CA and ask for help. The CA will probably cancel the faulty or old certificate and tell you to submit a new one, most likely at the CA Web site, with a promotional code that lets you bypass payment.

Related Reading
Secure Sockets Layer (SSL) is a complex topic. Here are a few resources to help you understand the protocol better:
  • Allen Jones, "SSL Demystified," December 2000, InstantDoc ID 16047
  • SSL.com (http://www.ssl.com/developers/faq)
  • The Microsoft article "Description of the Secure Sockets Layer (SSL) Handshake" (http://support.microsoft.com/support/kb/articles/q257/5/91.asp?ln=en-us&sd=so&fr=0)