To begin this work I decided to configure HTTPS access for one of my test environments. I found a few certificate authorities who offer free SSL certificates: Comodo and RapidSSL are two. To get your free certificate you must first generate a Certificate Signing Request (CSR). The CSR carries your public key together with the host name and organization details you want certified; the matching private key is created at the same time and stays in the certificate store of the server that generated it, which is why the issued certificate later has to be installed on that same machine.
To generate a CSR within IIS6:
- go to Internet Services Manager
- expand until you find the website which you wish to secure
- right-click the website and select Properties
- navigate to the Directory Security tab
- click the Server Certificate button which will then present you with the Web Server Certificate Wizard
- click Next, ensure Create a New Certificate is selected and click Next again
- ensure Prepare the request now, but send it later is selected and click next
- enter a name for the certificate and set the bit length to at least 2048 (the CA/Browser Forum requires a minimum of 2048-bit keys for end-entity certificates that expire after 31 December 2010)
- click next, enter your organization name and organization unit name (I used my company name and 'web') and click next again
- now enter the common name for your site. In my case I entered our test site in the notation: test.mydomain.com, click next
- fill in your country, state/province, and city information. This will all be visible in your certificate. Click next
- finally, specify the file name that you want your CSR to be written to. Click next, next again and then finally finish.
When you sign up for your free (or not) certificate you will be asked to provide your CSR. Open the text file you specified in the last step, copy its contents to your clipboard and paste them in the textbox provided. Continue along and you will eventually end up with your certificate.
Once you have your certificate you will need to install it in order to use it. Remember, you have to install the certificate on the server from which the CSR was generated. In my example I had to install it in IIS6 on the same server I had begun with. To complete the installation you will have to:
- open IIS
- find and right-click the website which you generated the CSR for, select Properties
- click the Directory Security tab
- click the Server Certificate button
- click next, select Process the pending request and install the certificate and click next
- click the Browse button. If the "files of type" filter doesn't match the file your CA provided, change it to "All files *.*", locate your certificate and click Open. If done correctly your certificate should now be installed. If you get an error you may need to have your CA export your certificate in a different format that IIS6 can read (a Base64 or DER encoded .cer/.crt file, or a PKCS #7 .p7b bundle).
Now, because all traffic passes through our firewall (ISA Server 2006) I had to install the certificate there as well. There are three steps to accomplishing this. The first is exporting the certificate we just installed, the second is installing the certificate on the ISA server and the third is registering the certificate within the web listener object itself.
To export the certificate from IIS6, you will:
- open IIS
- right-click your website and select Properties
- click the Directory Security tab
- click the View Certificate button
- select the Details tab
- click the Copy to File button in the bottom right corner, this will now start the certificate export wizard
- click Next
- select "Yes, export the private key"
- select "Personal Information Exchange - PKCS #12 (.PFX)", check "Include all certificates in the certification path if possible" (so the intermediate CA certificates travel with it) and "Enable strong protection", then click Next
- create a password for your export and click Next. The .pfx now contains your private key, so treat the file and its password like any other secret: copy it to the firewall over a protected channel and delete the copies once the import is done
- enter a file name, click Next and then Finish
To install the certificate on the ISA server, you will perform the following while logged on to the firewall server:
- click Start, Run, enter "mmc" and press Enter
- go to File, Add/Remove Snap-In
- Click the Add... button
- select Certificates and press Add
- Select Computer Account and press Next
- Select Local Computer and press Finish
- close the Add Standalone Snap-In window
- click OK and we should be back to our mmc console
- expand Certificates, Personal, then right-click the Certificates folder and select "All Tasks" and then "Import...". You will then be presented with the Certificate Import Wizard
- press Next
- specify the file name or Browse and then click Next
- select “Place all certificates in the following store”, set your store to Personal click Next and click Finish.
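The same four steps (generate the CSR, bind the issued certificate to its key, export a PFX, import it on the firewall) can be scripted instead of clicked through. The block below is an added example, not something from the original post, using certreq.exe and certutil.exe, which ship with Windows Server 2003 and later, plus the PowerShell certificate drive. The host name, organization, paths and password are placeholders, and steps 2 to 4 are meant to be run one at a time as the certificate comes back from the CA, step 4 on the ISA server rather than the web server.

```powershell
# Added example, not from the original post. Placeholders: host name,
# organization, C:\certs, cert.cer (the file the CA returns) and the password.

$fqdn    = 'test.mydomain.com'        # use '*.mydomain.com' for a wildcard CSR
$workDir = 'C:\certs'
if (-not (Test-Path $workDir)) { New-Item -ItemType Directory -Path $workDir | Out-Null }

# --- 1. On the web server: generate the key pair and the CSR -----------------
# Lines starting with ';' are comments in the .inf file.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn, OU=web, O=My Company, L=City, S=State, C=US"
; 2048-bit RSA, matching the wizard step above
KeyLength = 2048
; AT_KEYEXCHANGE plus digitalSignature and keyEncipherment: what an SSL server key needs
KeySpec = 1
KeyUsage = 0xA0
; Exportable so the key can later travel to the ISA server inside a PFX
Exportable = TRUE
; Computer store, which is where IIS and ISA look for certificates
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; serverAuth
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path "$workDir\request.inf" -Value $inf
certreq -new "$workDir\request.inf" "$workDir\request.csr"

# Check what you are about to paste into the CA's form: the Subject and
# the "Public Key Length" line should read 2048 bits.
certutil -dump "$workDir\request.csr"

# --- 2. On the SAME server, once the CA has issued the certificate -----------
# certreq -accept pairs the certificate with the pending private key; on any
# other machine there is no key to pair it with and the install fails.
certreq -accept "$workDir\cert.cer"

# --- 3. Export certificate, private key and chain as a PFX -------------------
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject.StartsWith("CN=$fqdn") -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert -eq $null) { throw "No certificate with a private key for $fqdn in the machine store" }

$pfxPass = Read-Host 'PFX export password'          # certutil takes it in clear text
$pfxPath = "$workDir\$($fqdn -replace '\*', 'wildcard').pfx"
# -exportPFX includes the issuing chain by default, like the wizard's
# "Include all certificates in the certification path" option.
certutil -p $pfxPass -exportPFX My $cert.Thumbprint $pfxPath

# --- 4. On the ISA server: import into the computer's Personal store ---------
# Copy the .pfx across over a protected channel first, then on the firewall:
certutil -p $pfxPass -importPFX $pfxPath
# Confirm the private key came along: without HasPrivateKey = True, ISA
# cannot use the certificate on a web listener.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject.StartsWith("CN=$fqdn") } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
# Then delete the .pfx copies on both machines; they contain the private key.
```

The two checks (certutil -dump on the CSR before you submit it, and HasPrivateKey after the import) are the ones worth keeping even if you prefer the wizards: the first catches a 1024-bit key or a typo in the common name before the CA has issued anything, the second catches the classic mistake of exporting the certificate without its key.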
Now we've imported our certificate into our ISA Server and we're ready to configure our web listener to use it for all HTTPS sessions handled by that web listener. While still logged on to our firewall server we do this by:
- opening ISA Server Management
- go to Firewall Policy
- open the right-hand side task pane and select the Toolbox tab
- select the Network Objects pane
- expand Web Listeners
- right-click the web listener you will be using and select properties
- select the Connections tab and make sure that "Enable SSL (HTTPS) connections on port: (default 443)" is checked, otherwise ISA will not accept HTTPS connections on this listener
- navigate to the Certificates tab and select “Use a single certificate for this Web Listener”. Then click “Select Certificate...”
- You should now see the certificate we just imported listed among the available certificates on this machine account. Highlight it and press the Select button to use it
- Click the OK button to complete the configuration operation
- click Apply on the ISA Server Management header to apply the configuration changes you have just made. Ensure that you add a description so that you can easily roll back changes if need be
At this point you should be able to navigate to your web site via HTTPS. If the browser shows no lock icon, or warns that the page contains insecure content, check that every script, stylesheet and image the page loads also uses HTTPS: a single http:// subresource on an otherwise secure page is enough to trigger that warning.
A tidbit I'd also like to add is about ISA's web listeners. A listener presents one certificate per IP address (ISA does not pick a certificate by host name), and listeners cannot overlap IP addresses. It's very important to know this prior to developing your HTTPS strategy in order to minimize headaches. It was for this reason alone that I decided to purchase a wildcard certificate, since I had 4 sub-domains to secure. If you have multiple sub-domains and there is the possibility of more in the future you should seriously consider purchasing one. If you did purchase a wildcard certificate then you should modify the steps when generating your CSR. Instead of writing your common name in the notation test.mydomain.com you will write *.mydomain.com. This is the only difference. Keep in mind what the wildcard covers: *.mydomain.com matches test.mydomain.com and any other single label under mydomain.com, but not mydomain.com itself and not a.test.mydomain.com. Good luck and thanks for reading!
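Two small checks for the two pitfalls just described, as an added example rather than anything from the original post: Test-HostMatchesCN applies the rule browsers use for wildcard names (the asterisk must be the whole leftmost label and covers exactly one label), and Find-InsecureReferences lists the subresources a page still pulls over http://. The HTML fragment is constructed for the example; the host names are the ones used above.

```powershell
# Added example, not from the original post. Host names follow the article;
# the HTML below is constructed test input.

function Test-HostMatchesCN {
    param([string]$HostName, [string]$CommonName)
    $h  = $HostName.ToLowerInvariant()
    $cn = $CommonName.ToLowerInvariant()
    if (-not $cn.Contains('*')) { return ($h -eq $cn) }
    # Only a leading '*.' is accepted; forms like 'test*.mydomain.com' or
    # 'a.*.com' are rejected, as browsers reject them
    if (-not $cn.StartsWith('*.') -or $cn.Substring(1).Contains('*')) { return $false }
    $suffix = $cn.Substring(1)                       # '.mydomain.com'
    if (-not $h.EndsWith($suffix)) { return $false }
    $label = $h.Substring(0, $h.Length - $suffix.Length)
    # The wildcard stands for exactly one non-empty label: 'test' is fine,
    # '' (the bare domain) and 'a.test' are not
    return ($label.Length -gt 0 -and -not $label.Contains('.'))
}

function Find-InsecureReferences {
    param([string]$Html)
    # script/link/img/iframe tags whose src or href is an absolute http:// URL.
    # <a> links are navigation, not subresources, so they are left out.
    $pattern = '(?i)<(script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["'']?(http://[^"''\s>]+)'
    foreach ($m in [regex]::Matches($Html, $pattern)) {
        "$($m.Groups[1].Value.ToLower()) -> $($m.Groups[2].Value)"
    }
}

# Which hosts does the wildcard certificate actually cover?
$cases = @(
    @('test.mydomain.com',   '*.mydomain.com')
    @('mydomain.com',        '*.mydomain.com')
    @('a.test.mydomain.com', '*.mydomain.com')
    @('test.mydomain.com',   'test.mydomain.com')
)
foreach ($c in $cases) {
    '{0,-22} vs {1,-20}: {2}' -f $c[0], $c[1], (Test-HostMatchesCN $c[0] $c[1])
}

# Constructed page fragment with one secure and two insecure subresources
$sampleHtml = @'
<html><head>
<link rel="stylesheet" href="https://test.mydomain.com/site.css">
<script src="http://test.mydomain.com/scripts/app.js"></script>
</head><body>
<img src="http://images.mydomain.com/logo.gif" alt="logo">
<a href="http://www.mydomain.com/">home</a>
</body></html>
'@
Find-InsecureReferences $sampleHtml
```

Of the four name checks only the first and last succeed: the bare domain and the two-level sub-domain are not covered by *.mydomain.com, which is what decides whether a wildcard certificate is enough for your layout. The mixed-content scan reports the script and the image but not the stylesheet (already HTTPS) or the plain link; run it against the saved HTML of each page that still shows a warning after the listener is configured.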
Ps: I'll include the pricing information I gathered prior to doing the work myself. Based on cost and the fact that each of these products is virtually identical, I recommended Go Daddy.
Go Daddy: $199 / yr; $358 / 2yr; - unlimited add. server licenses
Digicert: $495 / yr, $890 / 2yr unlimited add. server licenses
RapidSSL: $796 / yr; $995 / 2yr add. server licenses fees figured in
Thawte: ~$2,000 / yr; ~$3,400 / 2yr add. server licenses fees figured in
GeoTrust: ~$2,500 / yr; ~$3,300 / 2yr add. server licenses fees figured in
Global Sign: $849 / yr; $1528 / 2yr - most likely additional fees for server licensing
TrustCenter: $840 / yr; $1,471.53 / 2yr - most likely additional fees for server licensing
StartCom: $49.90 / 2yr – does not appear to be any additional licensing fees
Verisign: Prices not listed but Verisign will cost more than any other listed here.