Setting up SSL

This page describes how to set up an Internet Information Server (IIS) Web server to serve Web pages and other resources via HTTPS (Hypertext Transfer Protocol Secure).

HTTPS is the standard approach for secure communication between client and server over the Internet. HTTPS encrypts the communication so that a third party who intercepts it cannot easily read or use the information. You should ensure that any sensitive information transferred to your server is protected by HTTPS. Any login should use HTTPS, as should any page that transfers data that should not be seen by anyone other than the end user.

To serve pages and other resources via HTTPS, you must obtain and install a certificate for Secure Sockets Layer (SSL) on the IIS server. Normally you obtain the SSL certificate from a certificate authority (CA) that is generally recognized by browsers and other Internet-capable client software. If the certificate is issued by a CA that the browser recognizes, communication with the server proceeds with no special action required by the user. For production servers, therefore, obtaining a CA-issued certificate is highly recommended. See Obtaining and Installing an SSL Certificate from a Certificate Authority for information.

Once you have an SSL certificate installed, you can access Web pages and other resources on the server using HTTPS. If a resource carries sensitive information, it is recommended that you require clients to use HTTPS to access it. See Requiring the use of HTTPS for details.

For development and testing purposes, a self-signed SSL certificate may be adequate. Browsers and other clients do not automatically accept such certificates and display a warning when they encounter one. See Using a self-signed SSL certificate for details.

Obtaining and Installing an SSL Certificate from a Certificate Authority

This section outlines the procedure for obtaining and installing an SSL certificate from a certificate authority (CA). For complete information, please consult your system administrator, an outside consultant, or other resources on security. See this page at Microsoft for more information on using SSL in IIS: Using SSL to Encrypt Confidential Data.

  1. Create a request for a certificate using IIS Manager. For instructions, see: Request a Server Certificate. (This page applies to Windows Server 2003. Other products may differ.)
  2. Send the request to a recognized certificate authority. For a list of CAs that work with Microsoft software, see: Microsoft Root Certificate Program Members.
  3. Once you obtain the certificate, install it on the IIS server. For instructions, see: Install a Server Certificate. (This page applies to Windows Server 2003. Other products may differ.)

After the certificate is installed, clients may access pages and other resources using the HTTPS protocol. You may also require that HTTPS be used when accessing a resource.

Requiring the use of HTTPS

You should require clients to use HTTPS to access Web pages and resources with sensitive data. This includes login pages, but may also include whole Web applications.

Using HTTPS adds overhead to communications between client and server. Use or require HTTPS only for resources that should not be disclosed to third parties.

To require a Web application, Web page or other resource to use HTTPS:

  1. Open IIS Manager at Control Panel-Administrative Tools-Internet Information Services.
  2. Expand the Web Sites node and in turn expand the web site that contains the resource to restrict to HTTPS. By default IIS serves sites in the Default Web Site. In the web site, navigate through the tree to find the Web application, folder, Web page or other resource you wish to restrict to HTTPS.
  3. Right-click on the resource and choose Properties. The properties dialog opens for the resource.
  4. Click on the Directory (or File) Security tab. In this tab, in the Secure communications area, click the Edit... button. If this button is not available, the IIS server does not have an SSL certificate installed; see the previous section to obtain and install one.
  5. In the Secure Communications dialog that opens, check the box Require secure channel (SSL).
  6. Click OK to dismiss this dialog, as well as the properties dialog for the resource. You may close IIS Manager.
  7. Test by attempting to retrieve the resource using http://. You should see a message that HTTPS is required. Retrieve the resource using https://.

Note that if clients request a page or resource via HTTP when it requires HTTPS, they are not automatically redirected to the HTTPS URL of the resource. It is possible to redirect such requests programmatically (developer resources on the Internet describe several approaches), but IIS provides no out-of-the-box redirect. Make sure your users are aware that they need to use https:// to access the resource.
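One way to perform that redirect on the client side, as an added example that is not part of the original page and not an IIS feature: when Require secure channel is set, IIS answers plain-HTTP requests with status 403.4 (SSL required), and a custom error page configured for that status can carry a script that rebuilds the requested URL with the https scheme and navigates to it. The `toHttpsUrl` function, its `httpsPort` parameter and the File-type custom error page it assumes (so that the browser's `window.location` still holds the originally requested URL) are assumptions of this example.

```javascript
// Added example (not from the original page): rebuild the URL of a request that
// arrived over plain HTTP as an https:// URL, for use in a custom 403.4 error page.
// Assumptions: the page is configured as a File-type custom error for 403.4, so the
// browser's window.location still holds the originally requested URL; the site's
// HTTPS binding listens on port 443 unless httpsPort says otherwise.

function toHttpsUrl(loc, httpsPort) {
  // loc has the shape of window.location: protocol, hostname, pathname, search, hash.
  if (loc.protocol !== 'http:') {
    // Already https (or something unexpected): return null so the caller does not
    // redirect again and loop.
    return null;
  }
  const port = httpsPort && httpsPort !== 443 ? ':' + httpsPort : '';
  // Only the scheme (and port) change. Host, path, query and fragment are carried
  // over unchanged, so the redirect can never point at a different site.
  return 'https://' + loc.hostname + port + loc.pathname + (loc.search || '') + (loc.hash || '');
}

// Inside the custom error page this is all the script does. replace() rather than
// assigning href keeps the http:// page out of the history, so the Back button does
// not bounce the user into the error page again.
if (typeof window !== 'undefined') {
  const target = toHttpsUrl(window.location);
  if (target) window.location.replace(target);
}

if (typeof module !== 'undefined') module.exports = { toHttpsUrl };
```

Two caveats a practitioner should keep in mind. The redirect only takes effect after the plain-HTTP request has already been sent, so any form data or credentials in that first request have already crossed the network unencrypted; the redirect is a convenience for users who type http://, not a substitute for linking to https:// in the first place. Also, Internet Explorer substitutes its own "friendly" page for very short error bodies, in which case the script never runs, so keep the error page above a few hundred bytes.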

Using a self-signed SSL certificate

For development and testing, a self-signed SSL certificate may be adequate. Using a self-signed certificate is not recommended for production sites. Browser users will see a security warning when loading a resource from a site that uses a self-signed certificate. You should not trust any self-signed certificate unless you are certain of the identity of the server and organization you are connecting to.

Self-signed certificates may be generated in a number of ways. Consult your security expert, texts on security, or websites for options.

The following procedure uses the SelfSSL tool in the IIS 6.0 Resource Kit to create and install a self-signed SSL certificate.

  1. Download and install the IIS 6.0 Resource Kit from Microsoft.

    Install at least the SelfSSL tool. Other tools are optional.

    This tool is supported on Windows Server 2003 and Windows XP. Other platforms may require a different tool.

  2. Run SelfSSL on the IIS machine to create and install the certificate.
  3. Test the certificate by opening a browser and loading a page on the server using https://... You should get a warning that the certificate is not from a known certificate authority. Click to proceed, and the page should load normally.

The certificate will only be recognized when the page is requested with the name specified by SelfSSL's "N" argument (or the machine name, if N is not specified). For example, if the default machine name "myserver" is used and the client requests the page with the fully qualified domain name "myserver.example.com", the client will warn that the name on the certificate does not match the request.
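The name check behind that warning, as an added example that is not part of the original page and not SelfSSL's or any browser's own code: it takes a constructed certificate object (`subject.CN` for the common name that the N argument sets, `subjectAltNames` for any DNS subject alternative names) and reports whether it matches the host name the user typed, which is also what the test step in the procedure above exercises. It goes a little beyond the page's case in also handling subject alternative names and wildcard names the way current browsers do; the function names and the certificate object shape are this example's own.

```javascript
// Added example (not from the original page): the host-name check a browser makes
// before it warns that the name on the certificate does not match the request.
// Certificates are constructed plain objects here: subject.CN is the common name
// (what SelfSSL's N argument sets) and subjectAltNames lists DNS names, if any.

function nameMatches(certName, hostname) {
  const p = certName.toLowerCase().split('.');
  const h = hostname.toLowerCase().split('.');
  // Labels must line up one to one: "*.example.com" does not cover "a.b.example.com",
  // and a bare "myserver" never covers "myserver.example.com".
  if (p.length !== h.length) return false;
  // A wildcard is honoured only as the whole left-most label and only when at least
  // two fixed labels follow it, so "*.com" cannot match every .com host.
  if (p[0] === '*' && p.length < 3) return false;
  return p.every((label, i) => (i === 0 && label === '*' && h[0] !== '') || label === h[i]);
}

function certificateMatchesHost(cert, hostname) {
  // As in RFC 6125: when DNS subject alternative names are present they are the only
  // names considered; the common name is used only for certificates without them.
  const sans = cert.subjectAltNames || [];
  if (sans.length > 0) return sans.some(n => nameMatches(n, hostname));
  const cn = cert.subject && cert.subject.CN;
  return typeof cn === 'string' && nameMatches(cn, hostname);
}

function explainMismatch(cert, hostname) {
  // Returns null when the names match, otherwise the text a warning would show.
  if (certificateMatchesHost(cert, hostname)) return null;
  const names = (cert.subjectAltNames && cert.subjectAltNames.length)
    ? cert.subjectAltNames.join(', ')
    : (cert.subject && cert.subject.CN) || '(none)';
  return 'certificate is for ' + names + ' but the request was for ' + hostname;
}

// Constructed sample: what SelfSSL installs when N is left at the machine-name default.
const machineNameCert = { subject: { CN: 'myserver' }, subjectAltNames: [] };

if (typeof module !== 'undefined') {
  module.exports = { nameMatches, certificateMatchesHost, explainMismatch, machineNameCert };
}
```

The practical consequence for the test step: if `explainMismatch` would report a mismatch for the name your clients actually use, regenerate the certificate with N set to that fully qualified name rather than teaching users to click through the warning, because a user trained to ignore name mismatches will also ignore the one that matters.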

With a self-signed certificate, the client will display a warning at the start of each session with the server. To avoid these security warnings, you can export the certificate from the server and import it at client machines. This should only be done for internal test and development purposes, not for production sites. To export the certificate:

  1. In IIS Manager, expand the tree, right-click Default Web Site and choose Properties.
  2. On the Directory Security tab, under Secure Communications, click View Certificate.
  3. In the Certificate window, click the Details tab, then Copy to File.
  4. In the Certificate Export Wizard, accept all defaults (don't export the private key; use DER format), name the file (e.g., mymachine-ssl-cert-export.cer), and click Finish. By default, the certificate file is put in \Windows\System32\inetsrv\, but you can save it to any location.
  5. Share the certificate file with client machines (by e-mail, on a file share, or from the Web server itself).

Once the certificate is available, import it at a client machine:

  1. Obtain a copy of the certificate file produced earlier and save it locally.
  2. Double-click on the .cer file to display certificate information.
  3. Click Install Certificate...
  4. In Certificate Import Wizard, click Next and accept the defaults. A warning will be displayed upon finishing.
  5. Now Internet Explorer can use https on the server without warnings. Browsers other than Internet Explorer may require a separate acceptance of the certificate.