Implementing SSL Certificates on IIS
If you design your Web site for commerce and it collects credit card information or provides other confidential information, then your customers need protection. Usually, that means some form of encryption.
When users access your Web site, the information they send is not in encrypted by default. Someone may intercept and decipher the data sent from the user's browser to your Web site. To prevent data theft you can apply a special encryption mechanism to your Web site. This method employs Secured Socket Layer (SSL). Accessing Web sites using SSL appears different from regular sites. A normal web site might be:
If a web site is using SSL, then the http protocol token becomes https as in:
To use SSL you must first create keys. Keys are the special encryption encoding that are applied to the data. Both the web site and user browser must have keys to open and read the transmitted data. The Key Manager program allows the Web site Administrator to create keys.
Two types of keys are used, the public key and the private key. The owner of the keys holds the private key. The public key is available to anyone that wishes to exchange data. The keys are used to package data into digital envelopes that have digital signatures.
Digital envelopes. When sending data, the sender uses the recipient's public key to encrypt the information into a digital envelope. The sender transmits the digital envelope to the recipient. Since only the recipient's private key decodes the digital envelope, anyone who steals the packet of data cannot read the information. Only the official recipient has the private key.
Digital signatures. The sender will also add a digital signature as proof of the sender's credentials. The sender uses his or her private key to sign the digital envelope. The recipient uses the sender's public key to verify the digital signature. Only the sender's public key will verify the signature, insuring that the digital envelope came from the official sender.
The problem with just creating public/private keys and implementing SSL is that they can lull users into a false sense of security. Users think because a Web site is secure, it must be a legitimate site. A rogue Web site could create keys, establish an SSL Web site, and collect credit-card numbers for a bogus product. To resolve this problem, before you can install any encryption keys on your Web site, a Certificate Authority must certify them.
A Certificate Authority (CA) insures that your Web site is a legitimate place of business. A quick search of the Internet will list hundreds of certificate authorities that can certify your keys. You must have a CA certify and assign your site a certificate before you can use SSL. Certificates remain valid until they expire or the CA revokes them. The CA maintains a list of invalid certificates in a special list called the certificate revocation list (CRL). Note: you may fine details on SSL, encryption, cryptography, and public/private keys at www.rsa.com.
Why not use as SSL for everything?
If securing data is as easy using SSL, why not use it to for all your Web sites? The answer to this question is simple: performance. Using SSL dramatically affects the speed at which users can access information. Because the system must encrypt and decrypt all data, a huge amount of processing occurs. This slows both the user and the Web site. The best time to use SSL is when sending a confidential data over the Internet. Whether your Web site or the user sends it, confidential information should be protected.
Creating a Secure Site
Creating your own secure web site with SSL is not as difficult as it may initially seem. I will take you through the steps now.
Open the Internet Information Server Management Console. Right click on the Web site for which you wish to use SSL. When the pop-up menu appears, select properties. Click on the properties dialogue security tab as shown in Figure 1
Figure 1: Go to the Directory Security settings for the Web site.
After clicking on the Key Manager button, right click on the WWW entry, and a sub menu has shown in Figure 2 will appear.
Figure 2: The pop-up menu gives you the option of creating a new key.
Select Create New Key from the pop-up menu. You must then enter a file name in which the key will be contained. You will use this generated key when you apply for your certificate. You can see the dialog box in which you enter the filename in Figure 3 .
Figure 3: Use can set the filename in which the newly created key will be contained.
The next step in the process is where you name the key and type in a password. As with most Microsoft password selection dialogues, you must confirm the password before continuing. The naming and password dialogue can be seen in Figure 4 .
Figure 4: Here, you have the chance to name the key and set your password.
As you can see in Figure 5 , the next dialog is for entering the organizational information. Make sure that the common name field contains the fully qualified domain name.
Figure 5: Enter the organizational information here along a with a domain name.
The next dialog allows you to enter location information. You can see this in Figure 6 .
Figure 6: Location information is entered here.
A very important dialogue comes next in which you enter your name, e-mail address, and phone number. You can see this in Figure 7 .
Figure 7: Name, e-mail address, and phone number are very important.
Finally, you'll get to a dialog box with instructions as shown in Figure 8 . This is largely a confirmation dialog.
Figure 8: This dialogue allows you to confirm everything.
Once you return to Key Manager, it will show that a key was created. The key icon, however, will indicate by the orange and a yellow mark that it is not complete. In other words the certificate from a Certificate Authority has not been added. You can see the incomplete key icon in Figure 9 for the newly-created sourceDNA key.
Figure 9: The key in this figure is missing the certificate from the certificate Authority.
There are many certificate authorities. I chose to use Thawte. Their web site is http://www.Thawte.com. When I went to their web site, I applied for a certificate. An important part of the application was submission of the key I had created. I opened the text file that Key Manager created, copied the key information, and pasted it into the application form as you can see in Figure 10 .
Figure 10: The key information that Key Manager created was pasted into the application form.
When you apply for a certificate, you must choose the Web server type you are using. As shown in Figure 11 .
Figure 11: You must select the server type.
When you apply for your certificate, you will need to be prepared to provide some documentation. You will need to show proof of your company's existence, proof of your right to apply for a certificate for the domain, and you'll have to sign the application. The application can be printed from your browser.
My difficulty, when I applied, was that I applied using a company that is a sole proprietorship. I got a response from Thawte indicating that they wanted my incorporation documents. Since I did not have any, mainly because I applied with a sole proprietorship, I had to provide some additional documentation. Be prepared for the extra step if you don't have of papers of incorporation. In spite of the in convenience, I would rather them err on the side of caution.
When I received my certificate, I was ready to complete the process. With certificate in hand, open Key Manager. Right click on the incomplete key icon. When the pop-up menu appears, select Install Key Certificate. You will then have to type in your password as shown in Figure 12 .
Figure 12: You must type in your password.
One word of warning: don't lose your password. If you pay for a certificate and lose your password and are then and able to install the certificate, you are out of luck. The Certificate Authority will not provide you with your password, and they will not issue another certificate.
You must now edit the server bindings for the SSL certificates. You will have to set the IP address or addresses, and the port number. You can see the dialog box in Figure 13 .
Figure 13: You will be required to edit the server bindings for the certificate.
In all likelihood, the IP address will be that of your domain. You can set the port to anything you want. Shown in Figure 14 , the port is set to 80. However, you will normally leave it set to All Unassigned.
Figure 14: You must set the IP address for the certificate.
For any resources that must be secure using the digital certificate, you must set its properties to be so. Normally, you will only want to make selected files secure. You can, however, make the entire domain. But as we discussed earlier, this may not be a good idea.
From the Internet Information Server Management Console, right click on the resources you want to make secure. For this example, I used a single file named UseSSL.htm. I write clicked on it, selected properties, clicked on the Key Manager button. The dialogue that you see in Figure 15 appeared. The only change I made, was to select the checkbox labeled secure channel when accessing this restores. One thing you must remember is to set the SSL port for your Web site. From the Management Console, right click on the Web sites and bring up its properties. Set the SSL port to 443 as show in Figure 16 .
Figure 16: You will be required to edit the server bindings for the certificate.
Thawte provides what I consider excellent tech support. I initially had some trouble with the installation. (I forgot to set the SSL port to 443.) I began by reading the FAQs on the Thawte Web site. When this didn't help, I launched their 24-hour 5-day tech support chat client. It provides an easy way to talk to their tech support people in real time.
The Thawte tech support people seemed to easily handle all of the questions. They fixed me up in a short time.
Dencrypted vs. Undecrypted
You may be wondering what the data stream looks like before SSL does its job on the client computer to descrypt it. I have two text files into which I captured data. The one in Figure 17 is the decrypted data that your browser sees. The one in Figure 18 is an encrypted file with no data decryption applied.
Figure 17: The html file after SSL has performed the decryption.
Figure 18: An encrypted file with no decryption applied.
If you have any commerce on your server, or if there's confidential information transfered, you need to use SSL. And to use SSL you'll need to obtain and install a digital certificate.
Adding SSL isn't a terribly difficult process, but is a mystery to many developers. Follow the instructions in this article, and you'll have no trouble implementing an SSL certificate on your IIS server.
About the author:Besides being a well-known author and trainer,
Rick Leinecker is also a contributing member of the CodeGuru Web site. To contact or find out more about Rick and his work, visit sourceDNA where Rick writes about the technologies required to develop Windows DNA applications.