This page describes how to install a certificate into IIS for SSL, and how to generate and use a certificate issued by your own Certificate Authority (a "self certificate").
For production systems an authorised certificate service should be used; certificates are available via the UIS. For testing and internal purposes, however, it is possible, and sometimes preferable, to use certificates issued by a CA you run yourself.
Microsoft Certificate Authority
Microsoft's Certificate Services can be installed from Add/Remove Programs: select Windows Components, then Certificate Services CA.
You will see a warning that the computer name and domain membership must not be changed once a CA has been installed. If you are certain the name and domain status are final, click Yes to install.
The CA Wizard will run.
You will normally want to create a stand-alone root CA, so that you can issue certificates without needing a certificate from a higher authority.
If you want to customise the CA certificate, tick;
- Use custom settings to generate the key pair and CA certificate
If customising, you can select the cryptographic service provider, the hash algorithm (where the provider offers a choice) and the key length.
E.g. Microsoft Enhanced Cryptographic Provider with a key length of at least 2048 bits. The wizard defaults to SHA-1; current browsers reject certificates signed with SHA-1, so choose SHA-256 if the provider offers it. Anything this CA signs will be verified against these choices for the whole validity period, so they are hard to change later.
CA Identifying Information
- Enter the common name and the distinguished name suffix. The preview of the distinguished name should then show the full name, ending in the Fully Qualified Domain Name (FQDN).
The common name is the name of the CA (by default the system name).
The distinguished name suffix is the domain in DC form, e.g. DC=CSI,DC=CAM,DC=AC,DC=UK.
- Select a validity period for the certificate then click Next.
- Pick a certificate database setting and a shared folder then click Next.
- Click Yes to agree to the IIS service being stopped (if applicable)
File copying will take place. Click Finish to close the Components Wizard when it completes.
Your Certificate Authority is now ready for use.
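The wizard steps above have an unattended equivalent on Windows Server 2012 or later, where the role is installed with the ADCSDeployment PowerShell module. The following is an added example and is not from the original page: the CA name, DN suffix, paths and validity period are assumed placeholders, and it applies the choices recommended above (RSA 2048, SHA-256, stand-alone root). Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original page): unattended equivalent of the
# Certificate Services wizard for Windows Server 2012 or later.
# CA name, DN suffix, directories and validity period are assumed placeholders.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'CSI Test Root CA' `
    -CADistinguishedNameSuffix 'DC=CSI,DC=CAM,DC=AC,DC=UK' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory 'C:\Windows\System32\CertLog' `
    -LogDirectory 'C:\Windows\System32\CertLog' `
    -Force

# Sanity check before issuing anything: write the new CA certificate out and confirm
# it is a self-signed root with the intended signature hash and key size.
$caCer = Join-Path $env:TEMP 'csi-test-root.cer'
certutil -ca.cert $caCer | Out-Null
certutil -dump $caCer | Select-String 'sha256RSA', 'Public Key Length', '^Issuer', '^Subject'
```

The same -CAType, -KeyLength and -HashAlgorithmName choices correspond to the "Use custom settings" page of the wizard; issuer and subject should print identically for a root CA, and the signature algorithm line should read sha256RSA rather than sha1RSA.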
Generating a Self Certificate
Obtaining a certificate from your own CA is a multi-stage process. The first stage is to generate a certificate request in IIS;
- Open IIS Manager
- Select the web site you want to enable SSL for and display its properties
- Select the Directory Security tab
- In the Secure Communications section select Server Certificate
The Certificate Wizard will now start.
- Click next on the Welcome Screen
- Select Create a new certificate, then click Next
- Select "Prepare the request now, but send it later", then click Next
- Enter a name for the certificate; this should be the FQDN of the web site that will be used
- Enter or modify the bit length for the key (2048 or more), then click Next
- Enter details for the Organisation and Organisational Unit, then click Next
- Enter the common name for the site, i.e. the DNS name clients will use to reach it over SSL, then click Next
- Enter or select the Country/Region, State/Province and City/Locality, then click Next
- Modify the file name for the certificate request if required, then click Next
- Review the settings, making sure the DNS name of the server (or of the web site, if different) is listed, then click Next and Finish
- Close IIS Manager
NOTE: The name clients use to reach the server (the web site name or the server's FQDN) must be the common name in the request; if it is not, the certificate will not match the site and SSL will not function. Use accurate values for the other fields as well, so that it is clear which institution the certificate belongs to.
Issue a Certificate
Now that you have created a certificate request, you need to use your Certificate Authority (CA) to approve and issue a certificate. The request generated in the previous stage can equally be sent to an external Certificate Authority.
- Run the Certification Authority MMC from Administrative Tools
- Select the CA computer object, right-click and choose All Tasks, Submit new request
- Select the certificate request file you created in the previous stage
- Select the Pending Requests folder to view the pending request
- In the right-hand pane, right-click the pending request
- Choose All Tasks, Issue
The request will be moved to the Issued Certificates folder
- Select the Issued Certificates folder in the CA
- Right-click the certificate in the right-hand pane and open it
- Select the Details tab
- Click the Copy to File button (bottom right of the window)
- Click Next on the Welcome to the Certificate Export Wizard screen
- Select Base-64 encoded X.509 (.CER), then click Next
- Enter a suitable file name
- Click Next, then Finish, then OK on "The export was successful"
- Close the Certification Authority console
Process Pending Certificate Request
However you obtain your certificate, the procedure for installing it into IIS is the same.
To process an issued certificate;
- Run IIS Manager
- Display the properties of the web site the certificate is for
- Select the Directory Security tab
- Select Server certificate
- Click Next on Welcome screen
- Select "Process the pending request and install certificate" then click Next
- Browse to the .CER file, then click Open and Next
- Select or enter the SSL port if different from the default (443), then click Next
- Review the details, then click Next and Finish
Your certificate is now installed.
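The three wizard procedures above (request, issue, install) can also be run from the command line with certreq.exe and certutil.exe, which is the practical route when more than one server is involved. The following is an added example and is not from the original page: the host name, CA name, organisation details and paths are assumed placeholders; the RequestId parsing assumes certreq prints "RequestId: <n>" as it does on current Windows; DnsNameList is a property PowerShell adds to certificates read from the Cert: drive; and the final binding step uses IIS 7's WebAdministration module, where on IIS 6 you would instead run the wizard's "Assign an existing certificate". It goes slightly beyond the wizard by adding a subjectAltName, which is what modern browsers match instead of the common name.

```powershell
# Added example, not part of the original page: the request / issue / install
# cycle from the three wizards, driven with certreq.exe and certutil.exe from
# an elevated PowerShell session on the web server. Host name, CA name, paths
# and organisation details are assumed placeholders.
$Fqdn   = 'web01.csi.cam.ac.uk'                  # name clients will type; must be in the request
$CaConf = 'ca01.csi.cam.ac.uk\CSI Test Root CA'  # "CA host\CA common name" as certutil expects
$Work   = 'C:\certreq'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# 1. Request definition: RSA 2048, SHA-256, private key generated and kept
#    (non-exportable) in the machine store, server-authentication EKU, and a
#    subjectAltName carrying the FQDN, which is what current browsers match.
@"
[NewRequest]
Subject = "CN=$Fqdn, OU=CSI, O=University of Cambridge, L=Cambridge, C=GB"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path "$Work\request.inf" -Encoding Ascii

# 2. Generate the key pair and the PKCS#10 request ("prepare the request now" in the wizard)
certreq -new "$Work\request.inf" "$Work\request.req"

# 3. Submit to the CA. A stand-alone CA holds the request as pending, so capture the
#    request ID from certreq's output (assumed to contain "RequestId: <n>").
$submit = certreq -submit -config $CaConf "$Work\request.req" 2>&1 | Out-String
$reqId  = [regex]::Match($submit, 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $reqId) { throw "Submission failed: $submit" }

# 4. Approve the pending request (All Tasks, Issue in the console) and fetch the certificate.
#    -resubmit needs CA administrator rights on the CA.
certutil -config $CaConf -resubmit $reqId
certreq  -retrieve -config $CaConf $reqId "$Work\cert.cer"

# 5. Install it: certreq pairs the certificate with the key from step 2 and stores it
#    in LocalMachine\My, which is what "process the pending request" does in the wizard.
certreq -accept "$Work\cert.cer"

# 6. Check before binding: the certificate must carry the FQDN clients use
#    (DnsNameList is a PowerShell-added property) and its chain must verify.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $Fqdn } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn found in LocalMachine\My" }
certutil -verify "$Work\cert.cer" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Chain for $Fqdn does not verify; is the CA trusted on this server?" }

# 7. Bind it to the site (IIS 7 or later; IIS 6 uses the wizard's "Assign an existing certificate").
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item 'IIS:\SslBindings\0.0.0.0!443'
```

The request file is the part worth keeping under version control: it records the key size, hash and names, so the same request can be regenerated for renewal, and the Exportable = FALSE setting stops the private key leaving the server with the certificate.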
There are many other utilities for running a private CA or creating self-signed certificates; one, SelfSSL, is included in the IIS 6.0 Resource Kit Tools. Whichever you choose, use it only for internal and testing purposes.
Whichever private CA you use, any client connecting to the server will warn that the certificate is invalid or untrusted unless it trusts your CA. You need to configure your clients to trust your CA's root certificate (or obtain the certificate from a CA they already trust); otherwise the warning will be displayed every time the client connects. Distribute only the CA's certificate, never its private key.
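Making clients trust the test CA, and confirming the warning has gone, can also be scripted. The following is an added example and is not from the original page: the CA name, host name and file paths are assumed placeholders, and the Invoke-WebRequest check assumes PowerShell 5.1, where a certificate that is untrusted or does not match the host name surfaces as a WebException.

```powershell
# Added example, not part of the original page: push the test CA's certificate to a
# client's Trusted Root store and check a site issued by that CA now validates.
# CA name, host name and paths are assumed placeholders.
$CaConf = 'ca01.csi.cam.ac.uk\CSI Test Root CA'
$Fqdn   = 'web01.csi.cam.ac.uk'
$CaCer  = Join-Path $env:TEMP 'csi-test-root.cer'

# On the CA (or from anywhere with -config): export the CA certificate, public part only.
certutil -config $CaConf -ca.cert $CaCer

# On each client, elevated: add it to the machine's Trusted Root store. Do this only
# for a CA you control; anything this CA signs, for any host name, is now trusted here.
certutil -addstore -f Root $CaCer

# Server-side style check of an issued certificate: the chain should now build
# to the root above (non-zero exit code means it still does not).
certutil -verify (Join-Path $env:TEMP 'cert.cer') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Chain does not verify after importing the CA certificate" }

# Client-side check against the live site: this fails in exactly the situations where a
# browser would warn, i.e. untrusted issuer or a certificate whose name does not match.
try {
    Invoke-WebRequest -Uri "https://$Fqdn/" -UseBasicParsing | Out-Null
    "TLS to $Fqdn succeeded: certificate trusted and name matches"
} catch [System.Net.WebException] {
    "TLS to $Fqdn failed: $($_.Exception.Message)"
}
```

For domain-joined clients the same root certificate is better distributed once through Group Policy (Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities) than imported by hand on each machine.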