
Securing your Microsoft IIS Web Server with a Thawte Digital Certificate


Academic year: 2020

Contents

1. Overview

2. IIS4 Web Server

2.1. System Requirements

2.2. How to generate a key pair

2.3. Test certificate

3. IIS5 Web Server

3.1. System Requirements

3.2. How to generate a key pair

3.3. Test certificate

4. Requesting certificates for IIS4 and IIS5

5. Getting your certificate for IIS4 and IIS5

6. Securing virtual hosts

7. Useful URLs

8. Contact Thawte

1. Overview

This guide will take you through the steps for generating a key pair, requesting a Thawte digital certificate and installing the certificate on a Microsoft IIS4 or IIS5 web server. For the purposes of this guide, a basic understanding of SSL certificates is assumed.

2. IIS4 Web Server

2.1. System Requirements

To use Microsoft IIS4 you must:

• be using the Windows NT4.0 platform.

• have installed Option Pack 4 on your machine.

• have installed the most recent Microsoft service pack. (Service packs are the means by which Windows NT product updates are distributed. They keep the product current, and extend and update your computer’s functionality. Service packs include updates, system administration tools, drivers, and additional


2.2. How to generate a key pair

IIS4 generates two files during the key generation process:

a. A text file, called the CSR (Certificate Signing Request), which is sent to Thawte. The CSR file is saved to your hard drive. The CSR carries the public portion of the private/public key pair, and that public key is sent back to you in a certificate file once Thawte has issued your SSL certificate.

b. A NET format file, which is your private key. The private key is stored in your registry, and is accessible (and visible) through the Key Manager utility in IIS4. The private key is represented by a key icon. Thawte does not handle the private key at all and is therefore not responsible for its management. If you lose the private key, or the password used to protect it, you will need to buy a new certificate. Please be sure to make a backup copy of the private key file and save it in a secure location. You must also remember the password used to protect the private key file (or document the password in a safe place). The password is the one you would have specified during the request process.

You’ll find a step-by-step key generation guide for IIS4 at: http://www.thawte.com/certs/server/keygen/iis4.html

2.3. Test Certificate for IIS4

To familiarize yourself with the workings of a Thawte certificate on IIS4, you can set up a test certificate on your web server as follows:

a. Generate the private key and CSR files:

Follow the step-by-step key generation guide at http://www.thawte.com/certs/server/keygen/iis4.html to generate your public/private key pair.

b. Generate a test certificate:

Go to https://www.thawte.com/cgi/server/test.exe and paste in your CSR (Certificate Signing Request). Within minutes, you should receive an “un-trusted” test certificate by e-mail. Save it to a file called “testcert.crt”.

You can get your browser to “trust” that test certificate by clicking on http://www.thawte.com/servertest.crt and installing the Test Certificate CA (Certificate Authority) root into your browser.

c. Install the Test Certificate:

• Go to Key Manager and right click on the private key from which the CSR was generated.

• Select “Install Key Certificate”. This will tie the certificate to the key.

• Tie the key to the IP address of the website and port 443. To do this, right click on the key and select “Properties”. This will launch a dialog box in which you can specify these settings.

Later, when you request a Trusted Certificate, you will follow the same steps to install the certificate. The “testcert.crt” certificate will simply be overwritten.


3. IIS5 Web Server

3.1. System Requirements

To use Microsoft IIS5 you must:

• be running either Windows 2000 Server or Windows 2000 Advanced Server.

• add the certificate snap-in to your MMC (Microsoft Management Console). To do this go to Start > Run > MMC > Console > Add/Remove Snap-in. Add the snap-in to your console root.

• use the Installation Wizard to select the certificate snap-in and save the changes you have made before exiting the MMC. All the request files you generate and their corresponding certificates will be installed in this Certificate folder.

3.2. How to generate a key pair

All the key generation and certificate installation procedures for IIS5 are handled by a Certificate Wizard. You access the IIS5 Certificate Wizard by going into IIS > Website > Website Properties > Directory Security > Server Certificate.

The Certificate Wizard generates two files:

a. A text file, called the CSR (Certificate Signing Request), which is sent to Thawte. The CSR file is saved to your hard drive. The CSR carries the public portion of the private/public key pair, and that public key is sent back to you in a certificate file once Thawte has issued your SSL certificate.

b. A NET format file, which is your private key. The private key is not accessible through this interface, and is not visible to the user. Thawte does not handle the private key at all and is therefore not responsible for its management. If you lose the private key, or the password used to protect it, you will need to buy a new certificate. Please be sure to make a backup copy of the private key file and save it in a secure location. You must also remember the password used to protect the private key file (or document the password in a safe place). The password is the one you would have specified during the request process.

Please note that for IIS5 you cannot back up the private key until the certificate has been installed.

You’ll find a step-by-step key generation guide for IIS5 at: http://www.thawte.com/certs/server/keygen/msiis5/msiis5.html

3.3. Test Certificate for IIS5

To familiarize yourself with the workings of a Thawte certificate on IIS5, you can set up a test certificate on your web server as follows:

a. Generate the private key and CSR files:

Use the IIS5 Certificate Wizard to generate your public/private key pair. You must not use the same CSR to request a TEST certificate and a Trusted certificate. IIS5 is not able to replace the TEST certificate.

b. Generate a test certificate:


c. Install the test certificate:

Install the certificate using the Server Certificate Wizard, which you’ll find in the Directory Security tab. Remember that with IIS5 you cannot use the same CSR to request both a TEST certificate and a trusted certificate, so make sure that you are able to recognize that this request will be used for testing purposes only. Make sure that port 443 is enabled in the website Properties before you try to access the website over SSL. As soon as you are able to access your website using the “https://” prefix and view the TEST certificate successfully, you can proceed to the next step.

4. Requesting certificates for IIS4 and IIS5

Thawte SSL certificates and SuperCerts are requested online. During the certificate request process, you will be asked to copy and paste your CSR (Certificate Signing Request) into a text area on the online enrollment form. (Please ensure that you are submitting the correct CSR, if you have generated more than one.)

You will have to provide all the requested information during the enrollment process, and send us documentation proving your, or your company’s identity (a company registration certificate for instance). You can view detailed instructions for obtaining a Thawte SSL certificate at: https://www.thawte.com/certs/server/request.html

The enrollment process for SuperCerts is basically the same as for SSL certificates. However, during the process you will need to check the box that indicates that you would like a SuperCert. You will also have to generate a 1024-bit key, and make sure your server is 128-bit enabled.

Once you have completed the online request process, Thawte will take a number of steps to verify your identity and the other details you provided in the CSR. Thawte performs a considerable amount of background checking before it issues the certificate. As a result, it could take a few days to verify your company identity and details, and issue the certificate. During that period, you can track the progress of your request on your personal status page at: http://www.thawte.com/cgi/server/status.exe

SuperCerts are SSL certificates that allow “international” browsers to “step-up” to 128-bit encryption. Internet Explorer 5.01, Netscape Communicator 4.7 and later browsers recognize Thawte’s SuperCerts. 128-bit encryption is regarded as being impossible to “crack”. For more information on SuperCerts please see:

http://www.thawte.com/certs/server/128bit/contents.html

5. Getting your Certificate for IIS4 and IIS5

Once the certificate has been issued, you will be able to download it from your personal status page by clicking on the “Fetch Certificate” button (which only appears once the certificate has been issued).
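When more than one CSR has been generated (for example one for a TEST certificate and one for a trusted certificate), the downloaded certificate installs only against the key whose CSR it was issued from. The following is an added example, not part of the original Thawte guide: it compares the public key inside a CSR with the one inside a certificate, assuming both are base64 (PEM) text files rather than a PKCS#7 bundle. The function names and the skeleton samples are constructed for illustration.

```python
import base64, hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_fingerprint(pem):
    """SHA-256 of the SubjectPublicKeyInfo in a PEM CSR or certificate."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    der = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    _, start, _ = read_tlv(der, 0)      # outer SEQUENCE
    _, pos, end = read_tlv(der, start)  # CertificationRequestInfo / TBSCertificate
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, pos, nxt))
        pos = nxt
    if "REQUEST" in lines[0]:           # IIS writes "NEW CERTIFICATE REQUEST"
        index = 2                       # version, subject, SPKI
    else:                               # v1 certificates omit the [0] version
        index = 6 if fields[0][0] == 0xA0 else 5
    _, s, e = fields[index]
    return hashlib.sha256(der[s:e]).hexdigest()

def matches(csr_pem, cert_pem):
    """True when the certificate carries the public key from this CSR."""
    return spki_fingerprint(csr_pem) == spki_fingerprint(cert_pem)

def tlv(tag, value):  # tiny DER encoder (values under 128 bytes), samples only
    return bytes([tag, len(value)]) + value

def sample(label, key, is_cert):
    """Constructed skeleton: real field order, empty names, dummy signature."""
    empty = tlv(0x30, b"")
    spki = tlv(0x30, empty + tlv(0x03, b"\x00" + key))
    if is_cert:  # [0] version, serial, sigAlg, issuer, validity, subject, SPKI
        body = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 4 + spki
    else:        # version, subject, SPKI, [0] attributes
        body = tlv(0x02, b"\x00") + empty + spki + tlv(0xA0, b"")
    b64 = base64.b64encode(tlv(0x30, tlv(0x30, body) + empty + tlv(0x03, b"\x00"))).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

CSR_LIVE = sample("NEW CERTIFICATE REQUEST", b"live-key", False)  # constructed
CSR_TEST = sample("NEW CERTIFICATE REQUEST", b"test-key", False)  # constructed
CERT = sample("CERTIFICATE", b"live-key", True)                   # constructed
```

To check real files, pass the text of the saved CSR and of the downloaded certificate to `matches()`; a `False` result means the certificate was issued from a different request.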

6. Securing virtual hosts


7. Useful URLs

• Common problems experienced with IIS are dealt with in our FAQs: http://www.thawte.com/support/server/msiis.html.

• You’ll find a key generation guide for IIS4 at: http://www.thawte.com/certs/server/keygen/iis4.html

• The certificate enrollment process for SSL and SuperCerts begins at: https://www.thawte.com/certs/server/request.html

• How to generate a test certificate: https://www.thawte.com/cgi/server/test.exe

• Installing the test certificate CA root into your browser: http://www.thawte.com/servertest.crt

8. Contact Thawte
