Protect your Web Servers with SSL
How SSL works
SSL uses digital certificates issued by a valid certification authority (CA) to authenticate both parties to the transaction (client and server). If the Web server is set up to require secure connections, it will reject non-secure requests. To connect to a secure page, the client uses https:// at the beginning of the URL instead of http://.
If some of the components on the page use http:// in their links, visitors will receive a message saying that some items on the page are not secure. You can avoid this by either using https:// for all links or using a relative path that doesn't contain "http" or "https."
When the client's browser initiates a secure connection, the SSL "handshake" occurs. The browser checks the certificate to validate the identity of the server, the validity of the certification authority, and confirm that the certificate hasn't expired. Then the client and server negotiate the encryption methods and keys to be used.
When the handshake is complete, a new key is created, and this key is used to create session keys which are themselves used to encrypt the rest of the communications, using the encryption method that was negotiated between client and server. The server authenticates the client if the server is configured to require client authentication.
Now when an HTTP GET request is sent, form field responses and program variables that are tagged to the end of the URL are removed from the URL and inserted into the encrypted data block, which also will contain the data entered into the form on the client browser. The response from the server is likewise encrypted when it is returned to the client.
How to implement SSL
The first step in implementing SSL for your Web site is to get an SSL certificate from a certification authority that issues SSL certificates. The Web server's SSL certificate is bound to its fully qualified domain name and IP address. You can purchase SSL certificates from Verisign, Thawte, Entrust and other public certificate providers. These companies' certificates are recognized by all major browsers. You can also obtain a certificate from a local (internal) CA.
To configure your IIS 6.0 Web site (running on Windows Server 2003) to use SSL encryption, follow these steps:
- Open the IIS Manager from the Programs | Administrative Tools menu.
- In the left pane of the console, expand the node for your Web server name (in our example, CA1), and then expand the Web Sites folder, as shown in Figure A.
Figure A: Expand the Web Sites folder in IIS Manager
- Right click the Web site for which you want to use SSL, and then select Properties from the context menu. This opens the Properties sheet for the site.
- Click the Directory Security tab, as shown in Figure B.
Figure B: The Directory Security tab
- Under Secure Communications, click the Server Certificate button. This invokes the Web Server Certificate Wizard.
- Click the Next button on the first page of the Wizard.
- On the Server Certificate page, you'll see the following choices: Create a new certificate, Assign an existing certificate, Import a certificate from a Key Manager backup file, Import a certificate from a .pfx file, or Copy or move a certificate from a remote server to this site. Make the appropriate selection and follow the steps.
To import a certificate, you'll need to know:
- The path where the certificate is stored
- The password on the .pfx file.
To create a new certificate, you'll need to send the request to a certificate authority on your network, or prepare the request and send it manually to a CA that's not on your network. You must enter the URL for the Web site and, if you intend to make the site available over the Internet, the name must match the external fully qualified domain name for the site. If the site will only be available to intranet users, you can use the NetBIOS name.
- If you're creating a new certificate, you'll need to enter your geographic location (country, state/province and city/locality) on the Geographical Information page.
- The certificate request will be saved as a text file if you chose to create the request manually and send it later. Enter a name for the text file.
- Review the request information on the Request File Summary page and click Next to generate the file. You can e-mail the file to a certification authority.
If you are submitting the request to a local CA:
- Ensure that port 443 is selected on the SSL Port page.
- Select the CA on the Choose a Certification Authority page.
- Review the request information and click Next to submit the request on the Certificate Request Submission page.
You can delete the request by running the Wizard again. Just go back to the Directory Security tab in the site's Properties sheet and click Server Certificate again. The Wizard will notify you that a certificate request is pending and ask if you want to process the pending request and install the certificate or delete the pending request.
Once you have the certificate, you can secure the Web site with it by following these steps:
- On the Directory Security tab of the site's Properties sheet, under Secure Communications, click the Edit button (note that there are three Edit buttons on this page; be sure to click the one under Secure Communications).
- Check the box labeled Require secure channel (SSL) at the top of the Secure Communications dialog box. If you want to require 128 bit encryption, check the appropriate checkbox, as shown in Figure C. Some older browsers may not support 128 bit encryption.
Figure C: Set up the site to require a secure channel (SSL)
- Under Client Certificates, select whether you want to ignore client certificates, accept client certificates, or require client certificates (the latter is most secure). You can also map client certificates to Windows user accounts here, and enable a Certificate Trust List. Click OK when you're finished configuring these settings.
- Back on the Directory Security tab, under Authentication and Access Control at the top of the page, click the Edit button.
- Under Authenticated Access, you can select to require user names and passwords for any or all of the following authentication methods: Integrated Windows authentication, Digest authentication for Windows domain servers, Basic authentication, .NET Passport authentication. After configuring your preferences here, click OK.
- Click OK again to close the dialog boxes and close the IIS MMC.
Test the Connection
To verify that your SSL connection works, in a browser enter the server's name (fully qualified domain name for Internet Web server or NetBIOS name for intranet server), placing https:// at the beginning of the URL. You should receive a notice that you are about to view pages over a secure connection. Click OK. The secure Web site should be displayed.