Configuring Server Certificates
One of the many challenges related to security is verifying the
identity of a Web server. Once you are reasonably sure that the
server can be trusted, you also need to protect communications between the
Web client and the Web server. On many networks, and especially on the
Internet, providing secure communications for sensitive data is a key
concern. Server certificates are designed to provide added security for
Web services. IIS provides built-in support for creating and managing
server certificates and for enabling encrypted communications. In this
section, you’ll learn how to configure and enable these options.
Understanding Server Certificates
Server certificates are a method by which a Web server can prove its
identity to the clients that are attempting to access it. The general
approach to providing this functionality is a hierarchy of trust
authorities. The
party that issues a server certificate is known as a Certificate Authority (CA).
On the Internet, numerous third-party organizations are available for
validating servers and generating certificates. Assuming that users
trust these third parties, they should also be able to extend the trust
to validated Web sites. Organizations can also serve as their own CA
for internal servers. This enables systems administrators to validate
and approve new server deployments by using a secure mechanism.
The general process for obtaining a server certificate involves three major steps:
1. Generating a certificate request: The request is created on a Web
   server, which produces a text file containing the information about
   the request in an encrypted format. The certificate request
   identifies the Web server uniquely.
2. Submitting the certificate request to a CA: The certificate request
   is submitted to a CA (generally by using a secure Web site or
   e-mail). The CA then verifies the information in the request and
   creates a trusted server certificate.
3. Obtaining and installing a certificate on the Web server: The CA
   returns a certificate to the requester, usually in the form of a
   small text file. This file can then be imported into the Web server
   configuration to enable secure communications.
Note: Client certificates vs. server certificates
Certificate-based technology can be used with a Web server by several methods. Use
client-based certificates to verify access to a Web server by
validating clients. In this case, the client holds a certificate that
the server can validate. You learned about this method earlier in this
lesson. Server-side certificates are installed on Web server computers
to prove their identity to Web clients and to enable encrypted
communications. Client-side certificates are generally used in intranet
or extranet environments, while server-side certificates are common for
securing all types of Web servers.
Creating an Internet Certificate Request
Use IIS Manager to obtain a certificate for use on an IIS Web server. To
begin the process, connect to a Web server running Windows Server 2008
and select Server Certificates in Features View. (See Figure 8.)
Note that certificate requests are generated at the level of the Web
server and not for other objects such as Web sites or Web applications.
Depending on the configuration of the local server, some certificates might
already be included in the default configuration. The Actions pane
provides commands for creating new certificates.
To begin the certificate request process, click Create Certificate Request. As shown in Figure 9,
you will be required to provide information about the requesting
organization. This information will be used by the CA to determine
whether to issue the certificate. Therefore, it is important for the
information to be exact. For example, the Organization field should
include the complete legal name of the requesting company. The Common
Name field generally defines the domain name that will be used with the
certificate.
The second step of the certificate request process requires you to choose
the cryptographic method that will be used to secure the certificate
request. (See Figure 10.)
The Cryptographic Service Provider setting should use a method that is
accepted by the certificate authority. (The default option of Microsoft
RSA SChannel Cryptographic Provider is accepted by most third-party
CAs.) The Bit Length setting indicates the strength of the encryption.
Larger values take more time to process (due to computational overhead)
but provide added security.
The final step of the process involves storing the certificate request to a
file. Here you can provide a fully qualified path and file name into
which the request will be stored. The request itself will be stored in
a text file that contains encrypted information.
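The same three wizard choices (organization details, cryptographic provider and bit length, output file) can also be written as a certreq.exe request, shown here as an added example that is not part of the original text. The subject values, the 2048-bit key length and the file paths are constructed placeholders, and an elevated PowerShell prompt on the Web server is assumed.

```powershell
# Added example: subject values and paths are constructed placeholders.
$workDir = Join-Path $env:TEMP 'csr-demo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'request.inf'
$reqPath = Join-Path $workDir 'request.req'

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; CN is the Common Name (the site's domain name), O the complete legal organization name.
Subject = "CN=www.example.com, O=Example Corporation, OU=IT, L=Redmond, S=Washington, C=US"
; Same provider as the wizard default.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1            ; key exchange
KeyLength = 2048       ; the wizard's Bit Length setting
MachineKeySet = TRUE   ; key belongs to the server, not to a user profile
Exportable = FALSE     ; private key cannot be exported from this server
RequestType = PKCS10
KeyUsage = 0xa0        ; digital signature + key encipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; server authentication
'@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Remove a stale request so certreq does not stop to ask about overwriting it.
Remove-Item -Path $reqPath -ErrorAction SilentlyContinue

# Generates the key pair in the machine store and writes the request file.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the request and check the subject and public key length
# before the file is sent to the CA.
certutil.exe -dump $reqPath
```

The private key created for the request stays on the server that generated it, so the certificate the CA returns has to be installed on that same machine.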
The next step of the process involves submitting the certificate request to
a CA. Generally, the issuer’s Web site will request that you either
upload the certificate request or copy and paste the contents into a
secure Web site. The issuer will also require additional information
such as details about your organization and payment information.