I would imagine that most small to medium size deployments forget about, or do not see a need to enable, SSL certificates, but they are wrong. Without SSL, username and password information is sent from the client to the web server in clear text, which gives anyone the ability to compromise user credentials. Another misconception is that working with SSL certificates is difficult. It is not. All you need to remember is that every web certificate (private key) needs a root certificate (public key). This is why I highly recommend using a certificate generated from a public CA. Certificates generated from a public CA already have their root certificate installed in most popular browsers, thus requiring zero administration on the workstation. Without this, you would be required to manually install the root certificate on every device that connects to the web server.

The following is a list of just a few public Certificate Authorities:

http://www.entrust.com
http://www.geotrust.com
http://www.instantssl.com/
http://www.verisign.com/products/site/

With this in mind, you need to secure the Web Interface and Secure Access Manager web server(s) with an SSL certificate. The following procedures assist with the installation and maintenance of SSL certificates.

How to Generate a Certificate Signing Request (CSR) for IIS 5.0

In order to obtain an SSL certificate from a certificate authority you must first generate a Certificate Signing Request (CSR) file for use in generating the web server certificate. When you have completed this process, you will need to send it to your CA or follow the CA's instructions for generating a certificate. The following defines how to generate a CSR file for a Microsoft Internet Information Server (IIS) 5.0 web site.

1. Click Start, click Programs, click Administrative Tools, click Internet Information Services.
2. Select the computer and web site (host) that you wish to secure. Right-click and select Properties.
3. Select the Directory Security tab and click the Server Certificate button under Secure Communications.
4. Click Next to continue.
5. Click the Create a new certificate radio button and click Next.
6. Click the Prepare the request now, but send it later radio button. Click Next.
7. At the Name and Security Settings screen, fill in the [friendly] name field for the new certificate. Select the bit length. We recommend using 1024-bit length. Click Next.
8. Enter an Organization name (the exact legal name of your organization; do not abbreviate your organization name) and Organizational Unit (the section of the organization) and click Next. Note: The following characters cannot be accepted: < > ~ ! @ # $ % ^ * / \ ( ) ? &. This includes commas.
9. Enter the Common Name (the fully qualified domain name for your web server; this must be an exact match).
10. Enter the Country/Region (the two-letter ISO abbreviation for your country), State/province (the state or province where your organization is legally located; cannot be abbreviated) and City/locality (the city where your organization is legally located). Click Next.
11. Enter a path and file name for the CSR.
12. Verify your request and then click Next.
13. At the Completing the Web Server Certificate Wizard screen, click Finish. Note: DO NOT REMOVE the pending request, or the .crt file will not match and your certificate will not install.
14. Submit your CSR to the public CA of your choice and wait to receive your SSL certificate.

How to Install the SSL Web Server Certificate

When you receive your SSL certificate from the CA you will need to copy the certificate from the body of the email and paste it into a text editor (such as Notepad) to create a text file. The following documents how to install your new SSL web server certificate.

1. Click Start, Programs, Administrative Tools, Internet Services Manager.
2. Right-click on the web site you want to secure and click Properties.
3. Click the Directory Security tab and click the Server Certificate button.
4. The Welcome to the Web Server Certificate Wizard window opens. Click OK.
5. Click the Process the pending request and install the certificate radio button and click Next.
6. Enter the location of the certificate file you received from the CA and click Next.
7. Verify the Certificate Summary to make sure all information is accurate. Click Next.
8. Click Finish.

Test your certificate by connecting to your server. Use the https protocol directive (i.e., https://web_server/) to indicate you wish to use secure HTTP. The padlock icon on your web browser will be displayed in the locked position if you have set up your site properly.

How to Create and Install an SSL Certificate with Microsoft Certificate Server

The following details how to create and install an SSL certificate with Microsoft Certificate Server. Note: You will need to install Certificate Server in your domain.

1. Click Start, Programs, Administrative Tools, Internet Information Services. Expand the web server, right-click on the web site (Default Web Site) you want to SSL-enable, and click the Server Certificate button.
2. Click Next.
3. Click Create a new certificate and click Next.
4. Click Prepare the request now, but send it later and click Next.
5. Enter the name of the web server (www.dabcc.com) in the Name: text box, select a Bit Length of at least 1024, and click Next.
6. Select or type your organization's name and your organizational unit and click Next.
7. Enter the common name for your web site. This would be the FQDN, such as www.dabcc.com. Click Next.
8. Enter your geographical information and click Next.
9. Enter the file name and path for the certificate request file (c:\certreg.txt) and click Next.
10. The next screen shows you the settings you have configured, for your approval. Verify everything is correct and click Next.
11. Open Internet Explorer and browse to the /certserv path on the server where you installed Microsoft Certificate Server (http://db2kad2/certserv).
12. Click Request a certificate and click Next.
13. Click the Advanced request radio button and click Next.
14. Click the Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file radio button and click Next.
15. Click Start, click Run, type Notepad, click File, Open, and open the file you saved in step 9. Select the text between the dashes and click Edit, Copy.
16. Paste the copied text into the Base64 Encoded Certificate Request text box, select Web Server from the Certificate Template drop-down box, and click Submit.
17. Select the Base 64 encoded radio button and click the Download CA certificate hyperlink.
18. Save the certificate with the name of the web server.
19. Right-click on the certificate file you downloaded in step 18 and click Install Certificate.
20. Click Next.
21. Click Next.
22. Click Finish.
23. Click OK.
24. Return to the Internet Information Services management console and click the Server Certificate button.
25. Click Next.
26. Click the Assign an existing certificate radio button and click Next.
27. Highlight the certificate you installed above and click Next.
28. Click Next.
29. Click Finish.
30. Click OK.

You have now successfully set up your web server for https (SSL) communication.

How to Add the Certificates MMC Snap-in

The Certificates Microsoft Management Console (MMC) snap-in is not preconfigured. You will need to configure the snap-in before you can perform any export/import functionality. The following details how to add the Certificates MMC snap-in.

1. Click Start, click Run, type mmc, and click OK.
2. Click Console, Add/Remove Snap-in.
3. Click Add.
4. Highlight Certificates from the available snap-ins. Click Add.
5. Click the Computer account radio button and click Next.
6. Select the computer you want to manage and click Finish.
7. Click OK.

You are now ready to use your new SSL certificate, but first you will need to back it up for use if you will be reinstalling the server or moving it to another server with the same FQDN. Now that you have installed your certificate it is very important to back it up.
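The same request the IIS wizard builds in the CSR and installation steps above, done from the command line, as an added example that is not part of the original article. It uses certreq.exe and the PKI cmdlets of a current Windows Server (2012 or later) rather than the Windows 2000 / IIS 5.0 screens the article describes, so treat it as the modern equivalent of those steps. The host name, subject fields, file paths and site name are assumed placeholders. The key length is 2048 rather than the 1024 the article recommends because public CAs stopped accepting 1024-bit RSA requests in 2014; Exportable is set because the backup procedure later on the page needs the private key to be exportable. After certreq -accept, the script performs the checks a practitioner wants before trusting the padlock: the private key is attached, the chain builds against the machine's trusted roots (with a public CA, nothing has to be imported for this to succeed), the DNS name matches the Common Name exactly, and an HTTPS request validates end to end.

```powershell
# Added example: CSR generation, certificate acceptance and post-install checks
# with certreq.exe and PowerShell. All names and paths are assumed placeholders.

$Fqdn     = 'www.example.com'                 # Common Name: exact host name users will type
$Friendly = 'Web Interface SSL'               # friendly name (wizard step 7)
$ReqInf   = 'C:\certs\request.inf'
$ReqCsr   = 'C:\certs\request.csr'
$CaReply  = 'C:\certs\www_example_com.cer'    # certificate pasted from the CA's e-mail into a text file

# Subject fields as in wizard steps 8-10: full legal organization name, no abbreviations,
# and none of the characters the wizard rejects (< > ~ ! @ # $ % ^ * / \ ( ) ? & ,).
$Subject = 'CN=www.example.com, OU=Information Technology, O=Example Corporation, L=Boulder, S=Colorado, C=US'

@"
[NewRequest]
Subject = "$Subject"
FriendlyName = "$Friendly"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
KeyUsage = 0xA0
KeySpec = 1
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path $ReqInf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the PKCS #10 request.
#    The pending request stays in the store; removing it has the same effect the
#    article warns about (the CA's reply will no longer match).
certreq.exe -new $ReqInf $ReqCsr
Get-Content -Path $ReqCsr          # this is the text to submit to the CA

# 2. Once the CA reply has been saved to $CaReply, pair it with the pending key.
certreq.exe -accept $CaReply

# 3. Checks before relying on the padlock.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Fqdn*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)                { throw "No certificate for $Fqdn in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw 'Certificate has no private key: the pending request was removed or the CSR came from another machine' }

# Name must match exactly; a mismatch gives users a browser warning, not a padlock.
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $Fqdn)        { throw "Certificate is for '$dnsName', not '$Fqdn'" }

# Chain must build against the roots already trusted on this machine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain does not build: the CA root or intermediate is not trusted here'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# End-to-end test, equivalent to browsing to https://web_server/ and looking for the padlock.
try {
    $resp = Invoke-WebRequest -Uri "https://$Fqdn/" -UseBasicParsing
    "HTTPS OK: HTTP $($resp.StatusCode), certificate thumbprint $($cert.Thumbprint)"
} catch {
    Write-Warning "HTTPS check failed (binding, chain or host name problem): $($_.Exception.Message)"
}
```

The script stops at the first failed check rather than reporting a green result, because each of the four checks corresponds to a way a site can look installed in the IIS console yet still warn every visitor.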
A backup is also needed if you want to move the certificate to a new server or if you will be reinstalling the OS the certificate resides on. Note: Remember, certificates are specific to the device and operating system they were created on. The only way to move or restore one is from backup!

How to Back Up an SSL Certificate on Windows 2000 and IIS 5.0

The following defines how to back up an SSL certificate on a Microsoft Windows 2000 Server running IIS.

1. Go to the Microsoft Management Console (MMC) and add the Certificates snap-in as documented above.
2. Drill down to the Certificates folder (Console Root, Certificates (Local Computer), Personal, Certificates).
3. Right-click on the certificate, All Tasks, Export.
4. The Welcome to the Certificate Manager Import Wizard window opens. Click Next.
5. Click Yes, export the private key and click Next.
6. Make sure the Personal Information Exchange - PKCS #12 (.PFX) radio button is selected and check the box Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above). Click Next. Warning: Make sure that Delete the private key if the export is successful is NOT checked.
7. Type and confirm your export password. Warning: If you lose the password, you might need to purchase another certificate.
8. Specify a name and path for the backup SSL certificate and click Next.
9. Verify you have entered the information correctly and click Finish.

You have now successfully backed up your SSL certificate. I highly recommend making multiple copies and storing them in different locations.

How to Restore an SSL Certificate

If you need to rebuild your web server or move the certificate to a new server with the same fully qualified domain name, then you will need to back up and restore your SSL certificate. The following details how to restore a backup copy of an SSL certificate.

1. Double-click on the backup SSL certificate.
2. The Welcome to the Certificate Import Wizard window opens. Click Next to continue.
3. Enter the location of the certificate you want to import and click Next.
4. Enter the password that was entered when the certificate was backed up and click Next.
5. Click the Place all certificates in the following store radio button and then click Browse.
6. Click the Personal folder and click OK.
7. Verify the settings are correct and click Finish.
8. Click OK.
9. Follow the procedures documented in How to Add the Certificates MMC Snap-in, except for step 5, where you will want to click the My user account radio button. Click Finish.
10. Once you have finished adding the snap-in, verify the certificate is located in the proper location. In most cases, you will find it in the Current User, Personal, Certificates folder. If this is the case, you will need to drag it to the Certificates (Local Computer), Personal, Certificates folder.
11. Click Start, click Programs, click Administrative Tools, click Internet Services Manager.
12. Right-click on the web site you want to add the certificate to and click Properties.
13. Click on the Directory Security tab and click the Server Certificate button.
14. Click Next.
15. Click the Assign an existing certificate radio button and click Next.
16. Select the certificate you want to apply and click Next.
17. Verify the certificate is correct and click Next.
18. Click Finish.

You are now ready to utilize the SSL security of your web server.
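The backup and restore procedure above, as an added example that is not part of the original article, using the Export-PfxCertificate and Import-PfxCertificate cmdlets (PKI module, Windows Server 2012 / PowerShell 3 and later) in place of the Windows 2000 MMC wizards. The host name, backup path and site name are assumed placeholders; the IIS binding step assumes the WebAdministration module of IIS 7 or later. It also covers the two traps the article calls out: the export never deletes the private key (the checkbox the article says to leave unchecked has no equivalent here), and the import is written explicitly to the Local Computer store, since a double-click import lands in the Current User store where IIS cannot see it. The backup is reopened with the password immediately after export, so a wrong password or a PFX without the key is discovered while the original server still exists.

```powershell
# Added example: PKCS #12 backup, verification and restore of an IIS certificate.
# All names and paths are assumed placeholders.

$Fqdn      = 'www.example.com'
$BackupDir = 'D:\cert-backup'            # first copy; keep further copies elsewhere
$PfxPath   = Join-Path $BackupDir "$Fqdn.pfx"
$SiteName  = 'Default Web Site'
$SslBinding = 'IIS:\SslBindings\0.0.0.0!443'

# ---- Backup: run on the server that currently holds the certificate ----
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $Fqdn in LocalMachine\My" }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'Export password (store it with the backup)' -AsSecureString

# Export-PfxCertificate copies the key into the PFX and leaves the store untouched.
# -ChainOption BuildChain includes the CA certificates so the restore is self-contained.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Verify the backup is usable now, not on the day the server is being rebuilt:
# reopen it with the same password and confirm the key and thumbprint came along.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)
if (-not $check.HasPrivateKey)            { throw 'PFX does not contain the private key' }
if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'PFX holds a different certificate than expected' }

# Record the hash so additional copies in other locations can be checked against it.
$backupHash = (Get-FileHash -Path $PfxPath -Algorithm SHA256).Hash
"Backup written: $PfxPath  SHA256 $backupHash"

# ---- Restore: run on the rebuilt server, or a new server with the same FQDN ----
# Import into LocalMachine\My explicitly; IIS cannot use a certificate in the
# Current User store. -Exportable keeps the key exportable for the next backup.
$restored = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation Cert:\LocalMachine\My `
                                  -Password $pfxPassword -Exportable
if (-not $restored.HasPrivateKey) { throw 'Import succeeded but the private key is missing' }

# Assign the restored certificate to the web site (the "Assign an existing certificate" step).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
if (Test-Path -Path $SslBinding) { Remove-Item -Path $SslBinding }
New-Item -Path $SslBinding -Value $restored | Out-Null
"Site '$SiteName' now serves HTTPS with thumbprint $($restored.Thumbprint)"
```

Keep the export password separate from the PFX files themselves: the PFX is the private key, and the article's advice to keep several copies in different locations only holds if each copy is protected by that password.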