In previous columns, I've talked about using Windows 2000’s Certificate Services to build a public key infrastructure (PKI) to provide secure network communications. This week, I explain how to use PKI, Microsoft IIS 5.0, and Secure Sockets Layer (SSL) to secure your Web site’s sensitive content.
SSL is a security protocol that Netscape Communications developed to secure traffic on the Internet. When a client connects to a Web site that uses SSL, the Web server sends its digital certificate to the client’s browser. The certificate contains the Web site’s name and public key and carries a CA’s signature; the browser verifies the server’s identity by checking that signature against the CAs it trusts and by checking that the name in the certificate matches the site the user asked for. The browser then generates a random secret (the pre-master secret, from which both sides compute the master secret), encrypts it with the Web server’s public key, and sends the encrypted copy to the server. Only the holder of the server’s private key can recover that secret, which is why the private key needs protecting: anyone who obtains it can decrypt every session that was set up with that certificate. The Web server and client browser then derive the session keys from the master secret and use those keys to encrypt and authenticate the traffic between them. With SSL configured on the Web server, this process is transparent to the user. Bear in mind that the exchange protects against eavesdropping only if the browser actually verifies the certificate; a user who clicks past a certificate warning may be handing the secret to whoever presented that certificate.
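To make "keys derived from the master key" concrete, here is the TLS 1.0 derivation (RFC 2246, which Win2K’s Schannel also speaks) written out in Python. This is an added example, not code from the original column or from Microsoft; the client and server randoms and the pre-master secret in demo() are constructed values, and the key sizes default to an RC4-128/SHA-1 cipher suite purely for illustration. Both ends run exactly this computation on the same inputs, so whoever can recover the pre-master secret (that is, whoever holds the server’s private key) can derive every session key.

```python
"""TLS 1.0 master-secret and session-key derivation (RFC 2246, sections 5, 6.3 and 8.1).

Added example, not from the original column. The randoms and the pre-master
secret used in demo() are constructed values, not captured from a handshake.
"""
import hmac
import os


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5:
    HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1)). Truncated to `length`."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed).
    S1 and S2 are the first and last ceil(len/2) bytes of the secret; they overlap
    by one byte when the secret length is odd."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def make_pre_master_secret(client_version=b"\x03\x01"):
    """RSA key exchange: 2-byte client version + 46 random bytes (48 bytes total).
    This is the blob the browser encrypts with the server certificate's public key."""
    return client_version + os.urandom(46)


def derive_master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0:48]"""
    return tls10_prf(pre_master_secret, b"master secret",
                     client_random + server_random, 48)


def derive_session_keys(master_secret, client_random, server_random,
                        mac_len=20, key_len=16, iv_len=0):
    """Expand the master secret into the key block and carve it up in the order
    RFC 2246 section 6.3 specifies. Note the seed here is server_random +
    client_random, the reverse of the master-secret step. The defaults describe
    an RC4-128 / SHA-1 suite (20-byte MAC secret, 16-byte key, no IV)."""
    key_block = tls10_prf(master_secret, b"key expansion",
                          server_random + client_random,
                          2 * (mac_len + key_len + iv_len))
    layout = [("client_write_mac_secret", mac_len), ("server_write_mac_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = key_block[pos:pos + size]
        pos += size
    return keys


def demo():
    """Both ends run the same derivation on the same inputs and must agree."""
    client_random = bytes(range(32))        # constructed, not from a real handshake
    server_random = bytes(range(32, 64))    # constructed
    pre_master = b"\x03\x01" + bytes(46)    # constructed; a browser would use os.urandom(46)
    ms_client = derive_master_secret(pre_master, client_random, server_random)
    ms_server = derive_master_secret(pre_master, client_random, server_random)
    assert ms_client == ms_server
    return derive_session_keys(ms_server, client_random, server_random)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value.hex()}")
```

Nothing in this derivation involves the server’s private key except the one step it omits: decrypting the pre-master secret. That is the whole security of RSA key exchange, so a leaked server key exposes past traffic as well as future traffic, which is the reason the rest of this column keeps the private key in the machine store and off the export path.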
Using the Web Site Certificate Wizard to Request a Certificate
Before you can enable SSL for a Web site that uses IIS 5.0, you must first get a digital certificate from a Certificate Authority (CA) that your clients trust. (For this article I assume that you have installed Win2K's Certificate Services and created your own CA hierarchy, a process I explain in Configuring Your Own CA, but the process I outline here is similar if you use any CA.)
You use the Web Site Certificate Wizard to request a certificate for an IIS 5.0 Web site.
Open the Internet Service Manager (ISM) from the Web server’s Administrative Tools group, right-click the Web site, and choose Properties. Next, click the Directory Security tab, and, under Secure Communications, choose Server Certificate to launch the wizard. The Web Site Certificate Wizard lets you assign an existing certificate, restore a certificate from a backup, or create a new certificate. If you choose Create a new request and you have access to an online enterprise CA, the wizard submits the request for you and walks you through the process; if no online CA is available, the wizard can instead write the request to a file that you submit to the CA later. Whichever route you take, the common name you enter must be the DNS name that users will type in the URL (for example, www.mycompany.com, not the server’s NetBIOS name); a certificate whose name doesn’t match the URL triggers a browser warning even when a trusted CA issued it.
Requesting a Certificate from the Certificate Services Web Pages
You can also access the CA's Certificate Services Web pages to request a certificate. From the Web server, point your browser to http://CA_Server Name/certsrv. Once connected, choose Request a Certificate and, on the Request Type page that appears, choose Advanced Options. Click Next. On the Advanced Certificate Request page, you can either submit a request file that you generated using the Web Site Certificate Wizard or use a form to submit a new request. To submit a new request, fill out the appropriate information in the form, and, under Key Options, choose Use Local Machine Store. This choice matters: IIS runs as a service, not as the logged-on user, so a private key that lands in your personal certificate store is invisible to the Web server. Leave the key marked non-exportable unless you genuinely need to move the certificate to another server; an exportable private key is one more thing an intruder on the box can carry away. After the CA processes the request, you'll have the option to install the certificate, which adds it to the local machine store. To assign the certificate to your Web site, open the Web Site Certificate Wizard and choose Assign an Existing Certificate.
Once you have installed a certificate on your Web server, you can enable SSL. You can enable SSL for your entire Web site, but you might consider enabling it only for the directories that contain sensitive information, because encryption and decryption consume additional processor resources on both the client and server (the expensive part is the RSA operation the server performs on every full handshake). If you do secure only part of the site, draw the boundary carefully: every page that accepts a logon, sets a session cookie, or collects form data must sit inside the protected path, and links into that path must use https:// explicitly, because a cookie or password that travels over a plain http:// page is exposed no matter how well the rest of the site is protected. To enable SSL on a directory, open ISM, right-click the directory you want to secure, and choose Properties. Next, click the Directory Security tab and, under Secure communications, choose Edit. Finally, on the Secure Communications dialog box, choose Require secure channel to enable SSL; you can also select Require 128-bit encryption so that browsers limited to 40- or 56-bit export ciphers are refused rather than silently served with weak keys. After you require a secure channel, a plain http:// request to that directory fails with a 403.4 (SSL required) error, so give users an https:// link or a redirect page rather than letting them hit the error.
When enabled, SSL secures communications between your server and a client’s browser whenever someone connects to your site's protected areas. However, be aware that if you use your own CA to issue the certificate for your Web server, clients will see a dialog box warning them that an untrusted CA issued the certificate (the same dialog box appears if the certificate has expired or its name doesn’t match the URL). Adding the site to the Trusted sites zone in Internet Explorer's (IE's) Security settings does not fix this; trust in a CA comes from the certificate store, not from the zone settings. To stop the warning, the CA's root certificate must be installed in the client's Trusted Root Certification Authorities store. Machines that belong to the domain already trust an enterprise CA, because Certificate Services publishes the root certificate to Active Directory. For other clients, point the browser at the CA's certsrv pages, choose Retrieve the CA certificate or certificate revocation list, and click Install this CA certification path, or distribute the root certificate through Group Policy. Do not teach users to click past the warning instead: a browser that has been trained to ignore certificate errors will accept any certificate, including one an attacker presents.