Sunday, April 27, 2008

Configuring 2-way SSL on IIS website

Follow the steps below to configure 2-way SSL:
1) To configure a web site on IIS over 2-way SSL, we need two certificates per environment 1) Server Certificate 2) Client Certificate. These two certificates can be obtained via an existing process of obtaining e.g. fromVerisign etc . For testing purpose, we will be using utility makecert.exe provided by .NET SDK.
2.) Creating Server Certificate: A self-signed server certificate can be created using following command:·
makecert -r -pe -n "CN=" -b -e -sky exchange -ss my (local personal store).
Make sure server name or dns name must match the server address used in URL of the site/service.
The above command creates a self-signed certificate and stores it on the Personal Certificate store of the user executing the command.
Once certificate is generated, export the certificate including “private key” from certificate manager console into *.pfx file.
3. ) Creating Client Certificate: A self-signed client certificate can be created using following command·
makecert -r -pe -n "CN=" -b -e -sky exchange -eku 1.3.6.1.5.5.7.3.2 -ss my
The above command will create a client certificate and will store it in current user personal certificate store.
Export the certificates in two files 1) with private+public keys [*.pfx] and 2) without private keys [*.cer]. The *.pfx file is the client certificate installed on consumer machine’s personal store of the user who wants to consume the services. The *.cer file will be installed on Server “Trusted Root Certification Authorities” under local machine.
4.) Setup the web site for SSL as follows:· Go to website properties
Go to Directory Security
Under the “Secure Communication”, go to “Server Certificate”: Use the Server Certificate wizard to import the server certificate created in step2. Use the port available e.g. 8002 on the IIS server and configured with DNS name entry.
Come back to Directory Security tab
Client on “Edit” just under “View Certificate”
Enable “Require Secure Channel (SSL) option” and “Require 128-bit encryption”. Under Client Certificate option on same page, select “Require Client Certificate”.
Set the Website authentication to “Basic Authentication” as follows:·
Go to web site properties
Go to Directory Security
Under the “Authentication and access control” group, click on Edit·
Uncheck “Enable Anonymous access” option 1 Check only “Basic Authentication” option, rest all must be unchecked.
In “Default domain” text box type, the domain.
5.) Once Server configuration is completed, the site can be accessed using https:
Note: In order to configure SSL for multiple sites on same IIS server, you would need a separate server certificate and hence DNS entries are required so that each website on same server is uniquely identified and certificate can be created such that it is unqique to the web site we need it for. Also you need separate SSL port i.e. already used SSL port can not be used to configure another site with same SSL port.

No comments: