Creating and Installing Certificates

You have two options for creating and installing certificates. You can use your own Certificate Services to generate your certificates or you can use a trusted third-party authority. When you use Certificate Services, you manage the certificate creation, expiration, and revocation process. When you create certificates through trusted third-party authorities, you let the trusted authority manage the certificate creation, expiration, and revocation process. Either way, the basic tasks you need to perform to create and install a certificate are as follows:

  1. Create a certificate request.

  2. Submit the request to the authority of your choice or to your own root authority.

  3. When you receive the response from the authority, process the pending request and install the certificate.

  4. Ensure that SSL is enabled and that secure communications are configured properly.

Creating Certificate Requests

Each Web site hosted on your Web server needs a separate certificate if you want SSL to work properly. The first step in the certificate creation process is to generate a certificate request. You can generate a certificate request by completing the following steps:

  1. In the IIS snap-in, right-click the site for which you want to generate the certificate and then select Properties.

  2. From the Directory Security tab, select Server Certificate. This starts the Web Server Certificate Wizard. Click Next.

    Note

    If you or someone else has already generated a certificate request for the site, you’ll see the Pending Certificate Request dialog box shown in Figure 8-16 later in the chapter. You must either process the request or delete the request to continue. For more information, see the sections of this chapter entitled "Processing Pending Requests and Installing Site Certificates" and "Approving and Declining Pending Certificate Requests."

  3. As shown in Figure 8-12, select Create A New Certificate and then click Next.

    Figure 8-12. To create a certificate, select Create A New Certificate.

  4. Select Prepare The Request Now, But Send It Later to prepare a request and submit it manually to an authority, and then click Next.

  5. As shown in Figure 8-13, you must assign the certificate a name and select a bit length. The name should be descriptive and easy to refer to. The bit length sets the size of the RSA key pair, and therefore the strength of your public and private keys. In most cases you should choose the maximum bit length you’re allowed to use, and never less than 2048 bits, which is the minimum public CAs have accepted since 2013.

    Figure 8-13. Specify a descriptive name and bit length for the certificate.

    Caution

    A longer key makes each full SSL handshake more CPU-intensive, because the server must perform a private-key operation for every new session; the key length doesn’t change the cost of the symmetric cipher that protects the data itself. If you use SSL with ASP applications extensively and your Web server demonstrates high CPU utilization, measure the handshake rate at the different key lengths a CA will accept and determine where acceptable performance is achieved.

  6. Click Next. You have now created a public and private key pair. These keys are stored locally on the Web server; the private key never leaves it, and only the public key is placed in the request. The final steps are used to create a certificate-signing request (CSR). The information in the request identifies the key’s owner and is displayed on your certificate.

    Note

    The CSR is used only to request the certificate. Certain characters must be excluded from your CSR fields, or your certificate might not work. Don’t use any of the following characters:

    ! @ # $ % ^ * () ~ ? > < & /

  7. Enter your organization information in the fields provided as follows:

    • Organization. Sets your company’s legal name, such as Microsoft Corporation

    • Organizational Unit. Sets the division in your company responsible for the certificate, such as Technology Department

    Note

    Third-party authorities will use the organization name, the site’s common name, and the geographical information you supply to validate your request for a certificate. If you don’t enter this information correctly, you won’t be issued a certificate.

  8. Click Next and enter your Web site’s common name. When the certificate will be used on an intranet (or internal network), the common name may be one word, and it can also be the server’s NetBIOS name, such as CorpIntranet; only your own Certificate Services can issue such a certificate, because public CAs no longer issue certificates for internal names that don’t resolve in public DNS. When the certificate will be used on the Internet, the common name must be a valid DNS name, such as www.microsoft.com. Click Next.

  9. As shown in Figure 8-14, enter the geographic information for your company in the fields provided and then click Next:

    • Country/Region. Select the country or region for your company.

    • State/Province. Type the full name of the state or province in which your company is located.

    • City/Locality. Type the city or locality in which your company is located.

    Figure 8-14. Type complete entries for geographic information.

    Caution

    Don’t use abbreviations when entering geographic data. Some authorities won’t accept abbreviated geographic information, and you’ll have to resubmit your request.

  10. You need to specify the file name and path for the certificate request file. By default, the file name and path are set to %SystemDrive%\Certreq.txt. Type a new path, or click Browse to select a path and file name using the Save As dialog box.

  11. Click Next twice and then click Finish to complete the request generation process.

Real World

The common name is typically composed of Host + Domain Name, such as www.microsoft.com or products.microsoft.com. Certificates are specific to the common name they were issued to, down to the host. The common name must be the same as the Web address you’ll be accessing when connecting to a secure site. For example, a certificate issued for microsoft.com produces a browser warning when it is served by www.microsoft.com or services.microsoft.com, because those host names differ from microsoft.com. You’d need to create a certificate for the correct common name. Current browsers match the host name against the certificate’s Subject Alternative Name extension rather than the common name, so a certificate issued today must also list the host name there; the rule stays the same, but the common name alone is no longer enough.

Submitting Certificate Requests to Third-Party Authorities

After you create a CSR, you can submit it to a third-party authority, such as Entrust, Equifax, Valicert, or Verisign. The CSR is stored as American Standard Code for Information Interchange (ASCII) text in the file you specified in step 10 in the section entitled "Creating Certificate Requests." It contains your site’s public key and your identification information, signed with the private key so the CA can verify that you hold it. When you open this file, you’ll find the Base64-encoded contents of the request (encoded, not encrypted; nothing in it is secret), such as:

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

Most CAs have you submit the certificate request as part of a formal site registration process. In this registration process you’ll be asked to submit the request file in an e-mail or through an online form. When using e-mail, you simply attach the request file to the e-mail and send it. When using an online form, you can copy the entire text of the request—including the BEGIN and END statements—to the clipboard and paste this into the online form. You can use Microsoft Notepad to do this. Or you might be able to browse for the file to insert and let the server paste the data into the form for you.

After the CA reviews your certificate request, the CA either approves or declines your request. If the CA approves the request, you’ll receive an e-mail with the signed certificate attached or a notice to visit a location where you can retrieve the signed certificate. The certificate is an ASCII text file that you can view in Notepad. It isn’t encrypted: it contains your public key, your identification information, and the CA’s signature over them. It’s usable only together with the private key generated earlier, which is why you must install it on the same server and site that generated the request. As before, the contents of the file are Base64-encoded and include BEGIN and END statements, as in this example:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Save the certificate file to a location that you can access when using the IIS snap-in. You should use .cer as the file extension. Then process and install the certificate as described in the "Processing Pending Requests and Installing Site Certificates" section of this chapter.
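The request file described above is worth checking before you submit it, whether by e-mail or by pasting it into a form. The following script is an added example, not code from this chapter or from IIS, and uses only the Python standard library: it reads a PEM-framed CSR (tolerating the stray whitespace that copying and pasting can introduce), walks the DER structure to recover the subject fields and key size, and applies the rules given in "Creating Certificate Requests" and the Real World note: no forbidden characters in the fields, a fully qualified common name for an Internet site, and, a floor the chapter predates, an RSA key of at least 2048 bits. Because no real request from the page can be embedded, the sample requests are constructed in the script with a placeholder modulus and signature; the names build_sample_csr, inspect_csr, check_request and cn_matches_host are this example’s own.

```python
# Added example, not code from the chapter or from IIS: a standard-library-only PKCS#10 CSR inspector.
# The DER encoder exists only to build the CONSTRUCTED sample requests at the bottom of the file.
import base64, re

OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
RSA_OID = "1.2.840.113549.1.1.1"
FORBIDDEN = set("!@#$%^*()~?><&/")     # the characters the wizard note says to keep out of CSR fields
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def der(tag, content):               # DER tag-length-value; long-form length when needed
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content

def der_oid(dotted):                 # OBJECT IDENTIFIER, base-128 arcs after the first pair
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

def build_sample_csr(subject, modulus_bits):   # subject is [(oid, value), ...]; key and signature are fake
    rdns = b"".join(der(0x31, der(0x30, der_oid(o) + der(0x13 if o == "2.5.4.6" else 0x0C, v.encode())))
                    for o, v in subject)
    modulus = (1 << (modulus_bits - 1)) | 1                  # placeholder, NOT a real RSA modulus
    rsa_key = der(0x30, der(0x02, modulus.to_bytes(modulus_bits // 8 + 1, "big")) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der_oid(RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, rdns) + spki + der(0xA0, b""))
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))   # sha256WithRSAEncryption
    b64 = base64.b64encode(der(0x30, info + sig_alg + der(0x03, b"\x00" * 33))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----\n"

def children(buf):                   # split a DER SEQUENCE/SET body into (tag, content) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        n = 0 if first < 0x80 else first & 0x7F
        length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def pem_to_der(text):                # tolerate stray whitespace inside the body, reject anything else
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no BEGIN/END block found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)

def inspect_csr(pem_text):
    """Return the subject fields, the key algorithm OID and the RSA modulus size of a CSR."""
    ((_, csr_body),) = children(pem_to_der(pem_text))        # one outer SEQUENCE
    info, _sig_alg, _sig = children(csr_body)
    _version, name, spki, _attrs = children(info[1])
    subject = {}
    for _, rdn_set in children(name[1]):
        for _, attr in children(rdn_set):
            (_, oid), (_, value) = children(attr)
            subject[OIDS.get(decode_oid(oid), decode_oid(oid))] = value.decode()   # UTF8/PrintableString
    alg, key = children(spki[1])
    n_bytes = children(children(key[1][1:])[0][1])[0][1]     # skip BIT STRING pad byte; RSAPublicKey.n
    return {"subject": subject, "key_alg": decode_oid(children(alg[1])[0][1]),
            "key_bits": int.from_bytes(n_bytes, "big").bit_length()}

def check_request(pem_text, internet_facing=True, min_bits=2048):
    """Apply the chapter's field rules plus a key-size floor; return the list of problems found."""
    info, problems = inspect_csr(pem_text), []
    for key, value in info["subject"].items():
        bad = sorted(set(value) & FORBIDDEN)
        if bad:
            problems.append(f"{key} contains forbidden characters: {''.join(bad)}")
    cn = info["subject"].get("CN", "")
    if internet_facing and not re.fullmatch(r"([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+", cn):
        problems.append(f"CN {cn!r} is not a fully qualified DNS name")
    if info["key_alg"] != RSA_OID or info["key_bits"] < min_bits:
        problems.append(f"key is {info['key_bits']}-bit {info['key_alg']}; need RSA of at least {min_bits} bits")
    return problems

def cn_matches_host(cn, host):       # Real World rule: the CN must equal the host the browser connects to
    return cn.lower().rstrip(".") == host.lower().rstrip(".")

SUBJECT = [("2.5.4.6", "US"), ("2.5.4.8", "Washington"), ("2.5.4.7", "Redmond"),     # constructed sample data
           ("2.5.4.10", "Microsoft Corporation"), ("2.5.4.11", "Technology Department")]
GOOD_CSR = build_sample_csr(SUBJECT + [("2.5.4.3", "www.microsoft.com")], 2048)    # follows the chapter's advice
BAD_CSR = build_sample_csr(SUBJECT[:3] + [("2.5.4.10", "Contoso & Sons"), ("2.5.4.3", "intranet")], 1024)  # 3 faults
```

Run check_request on the text of your own Certreq.txt (with internet_facing=False for an intranet request); an empty list means the fields and key size pass the rules above, while BAD_CSR reports the forbidden ampersand, the one-word common name and the 1024-bit key. cn_matches_host applies the Real World rule: compare the common name with the exact host name users will type, and expect a browser warning whenever the two differ.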

Submitting Certificate Requests to Certificate Services

After you create a CSR, you can submit it to Certificate Services using the Web-based interface. To do this, complete the following steps:

  1. The CSR is stored as ASCII text in the file you specified in step 10 in the section entitled "Creating Certificate Requests." Open this file in Notepad and copy the entire text of the request, including the BEGIN and END statements, to the clipboard (press Ctrl+A and then press Ctrl+C).

  2. You’re now ready to submit the request to Certificate Services. Start your Web browser and type in the Certificate Services URL, such as http://ca.microsoft.com/certsrv/. You should see the main page for Certificate Services, as shown in Figure 8-15.

    Figure 8-15. When you access the Certificate Services URL, you should see the main page for the Web-based interface. If you don’t, you might not have configured Web access correctly.

  3. Select Request A Certificate.

  4. On the Request A Certificate page, select Advanced Certificate Request.

  5. Select Submit A Certificate Request Using A Base-64-Encoded.... Request. This option tells Certificate Services that you’re going to submit a request that’s Base64-encoded.

  6. Paste the request into the Saved Request field (press Ctrl+V).

  7. Click Submit.

  8. If you’ve completed this process correctly, the final page shows you that your request has been received and is pending approval by the CA. If there’s a problem with the request, you’ll see an error page telling you to contact your administrator for further assistance. On the error page you can click Details to get more information on the error. You might need to recreate the certificate request or go back to ensure that you haven’t accidentally inserted additional spacing or characters in the request submission.

  9. If you’re also the CA, you can use the Certification Authority snap-in to handle the request. See the "Approving and Declining Pending Certificate Requests" section of this chapter.

Once the request has been approved, use the Web-based interface to retrieve the signed certificate. To do this, complete the following steps:

  1. Start your Web browser and type in the Certificate Services URL, such as http://ca.microsoft.com/certsrv/.

  2. Click View The Status Of A Pending Certificate Request.

  3. You should see a list of pending requests. Requests are listed with a description and a date/time stamp. Click the request for the site you want to work with.

    Note

    If you can’t access the certificate file online, you can have the certificate administrator generate the certificate manually. See the section of this chapter entitled "Generating Certificates Manually in the Certification Authority Snap-In."

  4. If a certificate has been issued for the request, you should see a page stating that the certificate you requested was issued to you. On this page, select Base 64 Encoded and then click Download Certificate.

  5. You should see a File Download dialog box. Select Save.

  6. Use the Save As dialog box to select a save location for the certificate file, click Save, then Close. You should use .cer as the file extension. Then process and install the certificate as described in the following section of this chapter.

Tip

I recommend placing all certificate files and requests in a common folder on the Web server’s local file system. You should safeguard this folder so that only administrators have access. These files hold only public material (the request and the issued certificate), not the private key, but write access to them would let someone substitute a different certificate file before you process the pending request.

Processing Pending Requests and Installing Site Certificates

Once you receive the certificate back from the authority, you can install it by completing the following steps:

  1. In the IIS snap-in, right-click the site for which you want to process the certificate and then select Properties.

  2. From the Directory Security tab, select Server Certificate. This starts the Web Server Certificate Wizard. Click Next.

  3. As shown in Figure 8-16, select Process The Pending Request And Install The Certificate and then click Next.

    Figure 8-16. Process the pending request and install the certificate file.

  4. Type the path and file name to the certificate file returned by the authority, or click Browse to search for the file. Click Next to continue.

  5. Select the SSL port the Web site should use. The default SSL port is 443. Click Next.

  6. The next page provides summary information on the certificate. If this is the correct certificate, click Next and then click Finish to complete the installation process. Otherwise, click Back to choose a different certificate file and then repeat steps 3 to 5.

  7. Click OK. Check the SSL configuration and manage the certificate as described in the sections of this chapter entitled "Working with SSL" and "Managing Site Certificates in the IIS Snap-In."

Deleting Pending Certificate Requests

If you made a mistake in a certificate request that has already been generated, the only way to fix it is to delete the request and then create a new one. You delete pending certificate requests by completing the following steps:

  1. In the IIS snap-in, right-click the site for which you want to generate the certificate and then select Properties.

  2. From the Directory Security tab, select Server Certificate. This starts the Web Server Certificate Wizard. Click Next.

  3. Select Delete The Pending Request and then click Next.

  4. Click Next and then click Finish. This deletes the request association in IIS but doesn’t remove the actual request file. That file holds your site’s public key and identifying information (not the private key) and is no longer usable, so delete it to make sure a stale request isn’t submitted by mistake. Click OK.
