Securing your Microsoft IIS Web Server with a Thawte Digital Certificate
Contents
1. Overview
2. IIS4 Web Server
2.1. System Requirements
2.2. How to generate a key pair
2.3. Test certificate
3. IIS5 Web Server
3.1. System Requirements
3.2. How to generate a key pair
3.3. Test certificate
4. Requesting certificates for IIS4 and IIS5
5. Getting your certificate for IIS4 and IIS5
6. Securing virtual hosts
7. Useful URLs
8. Contact Thawte
1. Overview
This guide will take you through the steps for generating a key pair, requesting a Thawte digital certificate and installing the certificate on a Microsoft IIS4 or IIS5 web server. For the purposes of this guide, a basic understanding of SSL certificates is assumed.
2. IIS4 Web Server
2.1. System Requirements
To use Microsoft IIS4 you must:
• be using the Windows NT4.0 platform.
• have installed Option Pack 4 on your machine.
• have installed the most recent Microsoft service pack. (Service packs are the means by which Windows NT product updates are distributed. They keep the product current, and extend and update your computer’s functionality. Service packs include updates, system administration tools, drivers, and additional
2.2. How to generate a key pair
IIS4 generates two files during the key generation process:
a. A text file, called the CSR (Certificate Signing Request), which is sent to Thawte. The CSR file is saved to your hard drive. It contains the public half of the private/public key pair; once Thawte has issued your SSL certificate, it is returned to you as a certificate file.
b. A NET format file, which is your private key. The private key is stored in your registry, and is accessible (and visible) through the Key Manager utility in IIS4. The private key is represented by a key icon. Thawte does not handle the private key at all and is therefore not responsible for its management. If you lose the private key, or the password used to protect it, you will need to buy a new certificate. Please be sure to make a backup copy of the private key file and save it in a secure location. You must also remember the password used to protect the private key file (or document the password in a safe place). The password is the one you would have specified during the request process.
You’ll find a step-by-step key generation guide for IIS4 at: http://www.thawte.com/certs/server/keygen/iis4.html
2.3. Test Certificate for IIS4
To familiarize yourself with the workings of a Thawte certificate on an IIS4, you can set up a test certificate on your web server as follows:
a. Generate the private key and CSR files: follow the step-by-step key generation guide at http://www.thawte.com/certs/server/keygen/iis4.html to generate your public/private key pair.
b. Generate a test certificate:
Go to https://www.thawte.com/cgi/server/test.exe and paste in your CSR (Certificate Signing Request). Within minutes, you should receive an “un-trusted” test certificate in e-mail. Save it to a file called “testcert.crt”.
You can get your browser to “trust” that test certificate by clicking on
http://www.thawte.com/servertest.crt and installing the Test Certificate CA (Certificate Authority) root into your browser.
c. Install the Test Certificate:
• Go to Key Manager and right click on the private key from which the CSR was generated.
• Select “Install Key Certificate”. This will tie the certificate to the key.
• Tie the IP address of the website and port 443. To do this, right click on the key and select “Properties”. This will launch a dialog box in which you can specify these settings.
Later, when you request a Trusted Certificate, you will follow the same steps to install the certificate. The “testcert.crt” certificate will simply be overwritten.
3. IIS5 Web Server
3.1. System Requirements
To use Microsoft IIS5 you must:
• be running either a Windows 2000 server, or a Windows 2000 advanced server.
• add the certificate snap-in to your MMC (Microsoft Management Console). To do this go to Start > Run > MMC > Console > Add/Remove Snap-in. Add the snap-in to your console root.
• use the Installation Wizard to select the certificate snap-in and save the changes you have made before exiting the MMC. All the request files you generate and their corresponding certificates will be installed in this Certificate folder.
3.2. How to generate a key pair
All the key generation and certificate installation procedures for IIS5 are handled by a Certificate Wizard. You access the IIS5 Certificate Wizard by going into IIS > Website > Website Properties > Directory Security > Server Certificate.
The Certificate Wizard generates two files:
a. A text file, called the CSR (Certificate Signing Request), which is sent to Thawte. The CSR file is saved to your hard drive. It contains the public half of the private/public key pair; once Thawte has issued your SSL certificate, it is returned to you as a certificate file.
b. A NET format file, which is your private key. The private key is not accessible through this interface, and is not visible to the user. Thawte does not handle the private key at all and is therefore not responsible for its management. If you lose the private key, or the password used to protect it, you will need to buy a new certificate. Please be sure to make a backup copy of the private key file and save it in a secure location. You must also remember the password used to protect the private key file (or document the password in a safe place). The password is the one you would have specified during the request process.
Please note that for IIS5 you cannot backup the private key until the certificate has been installed.
You’ll find a step-by-step key generation guide for IIS5 at: http://www.thawte.com/certs/server/keygen/msiis5/msiis5.html
3.3. Test Certificate for IIS5
To familiarize yourself with the workings of a Thawte certificate on an IIS5 you can set up a test certificate on your web server as follows:
a. Generate the private key and CSR files:
Use the IIS5 Certificate Wizard to generate your public/private key pair. You must not use the same CSR to request a TEST certificate and a Trusted certificate. IIS5 is not able to replace the TEST certificate.
b. Generate a test certificate:
c. Install the test certificate:
Install the certificate using the Server Certificate Wizard, which you’ll find in the Directory Security tab. Remember that with IIS5 you cannot use the same CSR to request both a TEST certificate and a trusted certificate, so make sure that you are able to recognize that this request will be used for testing purposes only. Make sure that port 443 is enabled in the website Properties before you try to access the website over SSL. As soon as you are able to access your website using the “https://” prefix and view the TEST certificate successfully, you can proceed to the next step.
4. Requesting certificates for IIS4 and IIS5
Thawte SSL certificates and SuperCerts are requested online. During the certificate request process, you will be asked to copy and paste your CSR (Certificate Signing Request) into a text area on the online enrollment form. (Please ensure that you are submitting the correct CSR, if you have generated more than one.)
You will have to provide all the requested information during the enrollment process, and send us documentation proving your, or your company’s identity (a company registration certificate for instance). You can view detailed instructions for obtaining a Thawte SSL certificate at: https://www.thawte.com/certs/server/request.html
The enrollment process for SuperCerts is basically the same as for SSL certificates. However, during the process you will need to check the box that indicates that you would like a SuperCert. You will also have to generate a 1024-bit key, and make sure your server is 128-bit enabled.
Once you have completed the online request process, Thawte will take a number of steps to verify your identity and the other details you provided in the CSR. Thawte performs a considerable amount of background checking before it issues the certificate. As a result, it could take a few days to verify your company identity and details, and issue the certificate. During that period, you can track the progress of your request on your personal status page at: http://www.thawte.com/cgi/server/status.exe
SuperCerts are SSL certificates that allow “international” browsers to “step-up” to 128-bit encryption. Internet Explorer 5.01, Netscape Communicator 4.7 and later browsers recognize Thawte’s SuperCerts. 128-bit encryption is regarded as being impossible to “crack”. For more information on SuperCerts please see:
http://www.thawte.com/certs/server/128bit/contents.html
5. Getting your Certificate for IIS4 and IIS5
Once the certificate has been issued, you will be able to download it from your personal status page by clicking on the “Fetch Certificate” button (which only appears once the certificate has been issued).
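The following script is an added example and not part of the Thawte guide: it uses OpenSSL on a POSIX shell as a stand-in for Key Manager and the Certificate Wizard to show the key, CSR and certificate relationship from sections 2.2 and 3.2, the "are you submitting the correct CSR" check from section 4, and a way to confirm that a fetched certificate (section 5) belongs to the key you are about to install. All file names, the passphrase and the host name are constructed for the demonstration; the self-signed certificate merely stands in for the one Thawte would issue.

```shell
#!/bin/sh
# Added example, not part of the Thawte guide: OpenSSL on a POSIX shell stands in
# for Key Manager / the Certificate Wizard to show the key -> CSR -> certificate
# relationship and the checks worth running before pasting a CSR into the
# enrollment form or installing a certificate. File names and CN are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# SHA-256 of the RSA modulus: the value a key, its CSR and the certificate
# issued from that CSR all share. $1 = rsa|req|x509, $2 = file, rest = options.
modulus_fp() {
  t=$1; f=$2; shift 2
  openssl "$t" -noout -modulus -in "$f" "$@" | openssl dgst -sha256 | awk '{print $NF}'
}
# Sections 2.2 / 3.2: private key plus the CSR you send to Thawte. 2048 bits is
# today's baseline; the guide's 1024-bit figure is historical. $1 = name, $2 = CN.
gen_key_and_csr() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -config "$WORK/req.cnf" -out "$WORK/$1.csr"
}

# Sections 4 / 5: does this CSR (req) or certificate (x509) belong to this key?
# Prints yes/no so a caller can branch. $1 = key file, $2 = req|x509, $3 = file.
matches_key() {
  if [ "$(modulus_fp rsa "$1")" = "$(modulus_fp "$2" "$3")" ]; then echo yes; else echo no; fi
}

# Section 2.2 (b): password-protected backup of the key, then a read-back check
# proving the backup and the password work. $1 = key, $2 = passphrase, $3 = out.
backup_key() {
  openssl rsa -in "$1" -aes256 -passout "pass:$2" -out "$3" 2>/dev/null
  if [ "$(modulus_fp rsa "$1")" = "$(modulus_fp rsa "$3" -passin "pass:$2")" ]; then echo yes; else echo no; fi
}

# Stand-in for Thawte issuing the certificate: self-sign the CSR locally. $1 = name.
issue_cert() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  gen_key_and_csr site www.example.test   # CSR for the trusted certificate
  gen_key_and_csr test www.example.test   # separate CSR for the test certificate (IIS5 rule)
  issue_cert site
  echo "site.csr from site.key: $(matches_key "$WORK/site.key" req "$WORK/site.csr")"   # yes
  echo "test.csr from site.key: $(matches_key "$WORK/site.key" req "$WORK/test.csr")"   # no
  echo "site.crt from site.key: $(matches_key "$WORK/site.key" x509 "$WORK/site.crt")"  # yes
  echo "backup restores:        $(backup_key "$WORK/site.key" demo-pass "$WORK/site.key.bak")"  # yes
fi
```

Run it as `sh script.sh demo`; a "no" on the CSR line is exactly the mistake section 4 warns about (a CSR from a different key pair), and the same modulus comparison works on the certificate you fetch from the status page before you install it.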
6. Securing virtual hosts
7. Useful URLs
• Common problems experienced with IIS are dealt with in our FAQs: http://www.thawte.com/support/server/msiis.html.
• You’ll find a key generation guide for IIS4 at: http://www.thawte.com/certs/server/keygen/iis4.html
• The certificate enrollment process for SSL and SuperCerts begins at: https://www.thawte.com/certs/server/request.html
• How to generate a test certificate: https://www.thawte.com/cgi/server/test.exe
• Installing the test certificate CA root into your browser: http://www.thawte.com/servertest.crt