SSL (Secure Sockets Layer)
Microsoft® Internet Information Server offers a protocol for providing data security layered between its service protocols (HTTP) and TCP/IP. This security protocol, called Secure Sockets Layer (SSL), provides data encryption, server authentication, and message integrity for a TCP/IP connection.

About SSL
SSL is a protocol submitted to the W3C working group on security for consideration as a standard security approach for World Wide Web browsers and servers on the Internet.

SSL provides a security "handshake" that is used to initiate the TCP/IP connection. This handshake results in the client and server agreeing on the level of security they will use and fulfills any authentication requirements for the connection. Thereafter, SSL's only role is to encrypt and decrypt the byte stream of the application protocol being used (for example, HTTP). This means that all the information in both the HTTP request and the HTTP response is fully encrypted, including the URL the client is requesting, any submitted form contents (such as credit card numbers), any HTTP access authorization information (usernames and passwords), and all the data returned from the server to the client.

Generating a Key Pair
Use the keygen utility to create two files. Keygen.exe is in C:\Inetsrv\Server or the directory where you installed Microsoft Internet Information Server. The first file is a key file containing the key pair; the second file is a certificate request file (type keygen with no arguments for command syntax and an example).

Before starting, you must have decided on the server's Distinguished Name. See Microsoft Internet Information Server Help for details on specifying a Distinguished Name.

The following example creates the key file keypair.key and the certificate request file Request.req for a server named www.mycompany.com. The files are generated in the current directory, C:\Inetsrv\Server.

    c:\inetsrv\server>keygen MyPassword1 keypair.key request.req "C=US,S=WASHINGTON,L=REDMOND,O=EXAMPLE,OU=TOUR,CN=www.mycompany.com"

    PCT/SSL Key generation utility, Version 1.0
    Copyright (c) 1995 Microsoft Corporation

    Generating key pair of length 1024 bits...
    Completed.

    Send the generated request file, Request.req, to your Certificate
    Authority for signing.
The argument in quotes in the keygen.exe command line ("C=US, S=Washington...") specifies several fields for the certificate request related to your organization and server. NOTE: Do not use commas in any field. Commas are interpreted as the end of that field and will generate an invalid request without warning.

If you run Keygen.exe more than once, note that it doesn't overwrite existing files; instead, it returns an error 80, meaning that the file already exists.
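A check worth running before calling keygen, given the note about commas above. This is an added example in Python, not part of this documentation or of the keygen tool: it splits the Distinguished Name argument by the rule the documentation states (every comma ends a field), so a value such as `O=Example, Inc.` shows up as a stray fragment instead of silently producing an unusable request, and it confirms the CN is the name of the server the certificate is for. The function names and the sample strings are the example's own assumptions; the field list follows the keygen example above.

```python
"""Pre-flight check for the Distinguished Name passed to keygen.exe.

Added example; not part of the IIS documentation or the keygen tool.
It applies the rule the documentation states: every comma ends a field,
so a comma inside a value silently splits that field in two.
"""
from __future__ import annotations

# Fields the keygen example supplies in its quoted argument.
REQUIRED_FIELDS = ("C", "S", "L", "O", "OU", "CN")


def parse_dn(dn: str) -> tuple[dict[str, str], list[str]]:
    """Split the DN string the way keygen does and report anomalies.

    Returns (fields, problems). A fragment without '=' is exactly what a
    comma inside a value produces: "O=Example, Inc." yields " Inc.".
    """
    fields: dict[str, str] = {}
    problems: list[str] = []
    for fragment in dn.split(","):
        if "=" not in fragment:
            problems.append(
                f"fragment {fragment.strip()!r} has no '=': a comma inside the "
                "previous value ended that field early"
            )
            continue
        key, value = fragment.split("=", 1)
        key, value = key.strip().upper(), value.strip()
        if key in fields:
            problems.append(f"field {key} appears more than once")
        if not value:
            problems.append(f"field {key} is empty")
        fields[key] = value
    return fields, problems


def validate_dn(dn: str, server_name: str) -> list[str]:
    """Return a list of problems; an empty list means the DN is safe to use."""
    fields, problems = parse_dn(dn)
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing field {name}")
    cn = fields.get("CN")
    # The CN is what browsers compare against the host name they connected to.
    if cn is not None and cn.lower() != server_name.lower():
        problems.append(f"CN {cn!r} does not match server name {server_name!r}")
    return problems


def keygen_command(password: str, key_file: str, request_file: str,
                   dn: str, server_name: str) -> str:
    """Build the keygen command line, refusing a DN that would be mangled."""
    problems = validate_dn(dn, server_name)
    if problems:
        raise ValueError("; ".join(problems))
    return f'keygen {password} {key_file} {request_file} "{dn}"'


if __name__ == "__main__":
    # Constructed inputs: the DN from the documentation's example, then one
    # whose organisation name contains a comma.
    good = "C=US,S=WASHINGTON,L=REDMOND,O=EXAMPLE,OU=TOUR,CN=www.mycompany.com"
    bad = "C=US,S=WASHINGTON,L=REDMOND,O=Example, Inc.,OU=TOUR,CN=www.mycompany.com"
    print(keygen_command("MyPassword1", "keypair.key", "request.req", good,
                         "www.mycompany.com"))
    for problem in validate_dn(bad, "www.mycompany.com"):
        print("problem:", problem)
```

Because keygen splits on commas regardless of context, there is no escaping to fall back on; the fix is to rewrite the value without the comma (for example "Example Inc") before generating the request.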

Acquiring a Certificate
In order to use SSL, you will need a certificate from a certifying authority such as VeriSign for your system. Instructions for acquiring a VeriSign certificate can be found on VeriSign's Web Site.

Applying Your Certificate to Your Server
After you complete your certificate request, you will receive a signed certificate from the certification authority (consult your certification authority for complete details). It will look something like:

-----BEGIN CERTIFICATE-----
JIEBSDSCEXoCHQEwLQMJSoZILvoNVQECSQAwcSETMRkOAMUTBhMuVrMmIoAnBdNV
BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMRwwGgYDVQQLExNQZXJzb25hIENl
cnRpZmljYXRlMSQwIgYDVQQDExtPcGVuIE1hcmtldCBUZXN0IFNlcnZlciAxMTAw
HhcNOTUwNzE5MjAyNzMwWhcNOTYwNTE0MjAyOTEwWjBzMQswCQYDVQQGEwJVUzEg
MB4GA1UEChMXUlNBIERhdGEgU2VjdXJpdHksIEluYy4xHDAaBgNVBAsTE1BlcnNv
bmEgQ2VydGlmaWNhdGUxJDAiBgNVBAMTG09wZW4gTWFya2V0IFRlc3QgU2VydmVy
IDExMDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDU/7lrgR6vkVNX40BAq1poGdSm
GkD1iN3sEPfSTGxNJXY58XH3JoZ4nrF7mIfvpghNi1taYimvhbBPNqYe4yLPAgMB
AAEwDQYJKoZIhvcNAQECBQADQQBqyCpws9EaAjKKAefuNP+z+8NY8khckgyHN2LL
pfhv+iP8m+bF66HNDUlFz8ZrVOu3WQapgLPV90kIskNKXX3a
-----END CERTIFICATE-----
Copy and save the text to a file -- using a tool such as Notepad -- giving it a name you can remember (for example, certif.txt).
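Before running setkey, it is worth confirming that what was pasted into the file is a well-formed PEM certificate. The following is an added example in Python, not part of the IIS documentation or of the setkey tool: it strips the indentation and blank lines a paste often picks up, requires the exact BEGIN and END marker lines, and decodes the base64 body to confirm it is a DER SEQUENCE of the declared length, which every X.509 certificate is. The function names and the short constructed payload used in the demonstration are the example's own assumptions; that payload is a minimal DER structure, not a certificate.

```python
"""Check a pasted certificate file before handing it to setkey.exe.

Added example; not part of the IIS documentation or the setkey tool.
Cleans up what a copy-and-paste into Notepad commonly leaves behind
(indentation, blank lines, a damaged END marker) and confirms the body
decodes to a DER SEQUENCE, which every X.509 certificate is.
"""
from __future__ import annotations

import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_length(der: bytes) -> int | None:
    """Total byte length of the outer SEQUENCE according to its length field."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text: str) -> tuple[str | None, list[str]]:
    """Return (normalised PEM text, []) if the file is usable, else (None, problems)."""
    problems: list[str] = []
    # Blank lines and surrounding whitespace are harmless to remove.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        problems.append("first line is not exactly " + BEGIN)
    if not lines or lines[-1] != END:
        problems.append("last line is not exactly " + END)
    # Everything that is not a marker line is the base64 body.
    body = [ln for ln in lines if not ln.startswith("-----")]
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64")
    else:
        if not der:
            problems.append("certificate body is empty")
        elif der[0] != 0x30:
            problems.append(f"decoded data starts with 0x{der[0]:02x}, not a DER SEQUENCE")
        elif der_sequence_length(der) != len(der):
            problems.append("DER length field does not match the number of bytes decoded")
    if problems:
        return None, problems
    return "\n".join([BEGIN, *body, END]) + "\n", []


if __name__ == "__main__":
    # Constructed sample: "MAMCAQU=" is the DER SEQUENCE 30 03 02 01 05, used
    # only to exercise the checks; it is not a certificate. The END marker
    # here has six dashes, the kind of paste damage the check is meant to catch.
    pasted = "-----BEGIN CERTIFICATE-----\n\n  MAMCAQU=\n------END CERTIFICATE-----\n"
    cleaned, problems = check_pem_certificate(pasted)
    print(cleaned if cleaned else "\n".join(problems))
```

Whitespace and blank lines are normalised silently because they carry no information; a wrong marker line or a body that is not a DER SEQUENCE is reported rather than repaired, since guessing at the intended bytes of a certificate is never the right move.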

Use Setkey.exe (included in your Microsoft Internet Information Server installation) to install your signed certificate on the server, for example:

    setkey MyPassword1 keypair.key certif.txt

Note: If you do not specify an IP address, the same certificate will be applied to all virtual servers created on the system. If you are hosting multiple sites on a single server, you can specify that the certificate only be used for a given IP address as follows:

    setkey MyPassword1 keypair.key certif.txt 10.191.28.45

Configuring a Directory to Require SSL
Once the certificate has been applied, the SSL feature is enabled from the Internet Service Manager for the WWW service. SSL can be required on any virtual directory available through the Internet server and is configured on the "Directories" pane of the service property sheet.

