Completing an Internet Certificate Request
The amount of time a public third-party CA can take to process a request
will vary. Once the request has been processed and approved, the CA
will send a response by e-mail or through its Web site. You can then
store this response in a text file and provide it to IIS to complete
the process. To do this, select the appropriate request in the Server
Certificates feature view, and then click the Complete Certificate Request
command in the Actions pane. You will be asked to specify the path and
file name of the response along with a friendly name for administration
purposes. (See Figure 11.)
The convention is to use a file name with a .cer extension for the
response; however, any type of standard text file will work.
Assuming that the certificate request matches the response, the certificate will
be imported into the configuration of IIS and ready for use.
Creating Other Certificate Types
In addition to the standard certificate request process, you can use two
other commands to create certificates. These commands are also
available in the Actions pane in the properties of the Server
Certificates feature. The Create Domain Certificate option generates a
request to an internal certificate authority. This is used commonly in
organizations that have their own certificate services infrastructure.
Instead of sending the request to a third-party CA, the request is
designed to be sent to an internal server. Figure 12
shows the available options. The Specify Online Certificate Authority
text box accepts the path and name of an internal CA server. The
Friendly Name can be used to identify the purpose of the certificate.
Creating a Self-Signed Certificate
The certificate creation and management process can require several steps
and usually involves the added cost of obtaining a certificate from a
trusted third-party CA. Although these steps are necessary to ensure
security in a production environment, an easier method is preferable
for development and test environments. Self-signed certificates let you
test certificate functionality by creating a certificate locally. Because
this avoids the CA process, these certificates are easy to create with
the Create Self-Signed Certificate command in the Actions pane. Figure 13 shows the dialog box.
Unlike other certificate types, it is not necessary to provide organizational
information for the certificate. This is because the certificate itself
is created immediately on the local computer. The primary drawback of
self-signed certificates is that users who access the Web server using
a secure connection will receive a warning that the certificate has not
been issued by a third party. (See Figure 14.)
While this is generally not a problem in test environments, it prevents
the use of self-signed certificates for production Web servers.
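To check that no self-signed certificate has ended up on a production binding, the following PowerShell audit lists every HTTPS binding in IIS whose certificate is self-signed or does not chain to a trusted root. It is an added example, not part of the original text. It assumes an elevated session on the IIS server, the WebAdministration module, and certificates held in the LocalMachine stores; the function name Get-IisCertificateAudit is hypothetical.

```powershell
# Added example (not from the original text). Assumes an elevated session on the
# IIS server, the WebAdministration module, and certificates in LocalMachine stores.
Import-Module WebAdministration

function Get-IisCertificateAudit {
    foreach ($site in Get-ChildItem IIS:\Sites) {
        foreach ($binding in Get-WebBinding -Name $site.Name -Protocol https) {
            $thumb = $binding.certificateHash
            if (-not $thumb) { continue }        # HTTPS binding with no certificate assigned
            $store = $binding.certificateStoreName
            if (-not $store) { $store = 'My' }   # "My" is the Personal store
            $cert = Get-Item "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue

            $row = [ordered]@{
                Site         = $site.Name
                Binding      = $binding.bindingInformation
                Thumbprint   = $thumb
                Subject      = $null
                SelfSigned   = $null
                ChainTrusted = $null
                NotAfter     = $null
            }
            if ($cert) {
                $row.Subject      = $cert.Subject
                # Self-signed: the certificate names itself as its issuer.
                $row.SelfSigned   = ($cert.SubjectName.Name -eq $cert.IssuerName.Name)
                # Verify() builds the chain with the default policy, which may
                # contact revocation endpoints over the network.
                $row.ChainTrusted = $cert.Verify()
                $row.NotAfter     = $cert.NotAfter
            }
            [pscustomobject]$row
        }
    }
}

# Report bindings that would trigger the browser warning described above,
# plus bindings whose certificate is missing from the store (ChainTrusted is empty).
Get-IisCertificateAudit |
    Where-Object { $_.SelfSigned -or -not $_.ChainTrusted } |
    Format-Table -AutoSize
```

An empty result means every bound certificate chains to a root this server trusts; clients with a different trust store can still see a warning.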