Updated: December 1996
Previous sections of this chapter have dealt with securing your server from unauthorized access. This section discusses protocols that use cryptography to secure data transmissions to and from your server.
Microsoft Internet Information Server offers a protocol for providing data security layered between its service protocols (HTTP) and TCP/IP. This security protocol, called Secure Sockets Layer (SSL), provides data encryption, server authentication, and message integrity for a TCP/IP connection.
SSL is a protocol submitted to the W3C working group on security for consideration as a standard security approach for Web browsers and servers on the Internet. SSL provides a security "handshake" that is used to initiate the TCP/IP connection. This handshake results in the client and server agreeing on the level of security that they will use and fulfills any authentication requirements for the connection. Thereafter, SSL’s only role is to encrypt and decrypt the byte stream of the application protocol being used (for example, HTTP). This means that all the information in both the HTTP request and the HTTP response is fully encrypted, including the URL the client is requesting, any submitted form contents (such as credit card numbers), any HTTP access authorization information (user names and passwords), and all the data returned from the server to the client.
An SSL-enabled server can send and receive private communication across the Internet to SSL-enabled clients (browsers), such as Microsoft Internet Explorer version 2.0 or later.
SSL-encrypted transmissions are slower than unencrypted transmissions. To avoid reducing performance for your entire site, consider using SSL only for virtual folders that deal with highly sensitive information such as a form submission containing credit card information.
Enabling SSL security on a Web server requires the following steps:
1. Generate a key pair file and a request file.
2. Request a certificate from a certificate authority.
3. Install the certificate on your server.
4. Activate SSL security on a WWW service folder.
Important Keep in mind the following points when enabling SSL security:
As part of the process of enabling Secure Sockets Layer (SSL) security on your Web server, you need to generate a key pair and then acquire an SSL certificate. The new Key Manager application (installed with the product and located in the Internet Server program group) simplifies this procedure.
1. In the Microsoft Internet Server submenu, click Key Manager, or click the Key Manager icon on the Internet Service Manager toolbar.
2. From the Key menu, click Create New Key.
3. In the Create New Key and Certificate Request dialog box, fill in the requested information, as follows:
Key Name
Assign a name to the key you are creating.
Password
Specify a password to encrypt the private key.
Bits
By default, Key Manager generates a key pair 1024 bits long. To specify a key that is 512 or 768 bits long, make the proper selection in this box. The more bits you specify, the greater your security. In international versions, the size of each key you create is 512 bits.
Organization
Preferably International Organization for Standardization (ISO)-registered, top-level organization or company name.
Organizational Unit
Your department within your company, such as Marketing.
Common Name
The domain name of the server, for example, www.microsoft.com.
Country
Two-letter ISO country designation, for example, US, FR, AU, UK, and so on.
State/Province
For example, Washington, Alberta, California, and so on.
Locality
The city where your company is located, such as Redmond or Toronto.
Request File
Type the name of the request file that will be created.
4. After filling out the form, click OK.
5. When prompted, retype the password you typed in the form, and click OK.
An icon appears as the key is being created. When the key has been created, a screen appears giving you information about new keys and how to obtain a certificate.
6. After reading the New Key Information screen, click OK.
7. To save the new key, from the Servers menu choose Commit Changes Now.
8. When asked if you want to commit all changes now, click OK.
Your key will appear in the Key Manager window under the name of the computer for which you created the key. By default, a key is generated on your local computer.
Note Do not use commas in any field. Commas are interpreted as the end of that field and will generate an invalid request without warning.
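Because Key Manager accepts a comma-containing field and then silently produces an invalid request, it pays to check the form values before you click OK. The following validator is an added example written for this chapter, not part of Key Manager or the IIS product; the field names are those of the Create New Key and Certificate Request dialog box, the sample form values are constructed, and the subject_line() helper only renders the fields for review.

```python
import re

# Key sizes the Bits box offers (1024 is the default; international versions are fixed at 512).
ALLOWED_BITS = {512, 768, 1024}

# Form fields that end up in the certificate request's subject, in the order the dialog lists them.
SUBJECT_FIELDS = ("Organization", "Organizational Unit", "Common Name",
                  "Country", "State/Province", "Locality")

# Short attribute names used only for the review line produced by subject_line().
ATTRIBUTE_NAMES = {"Organization": "O", "Organizational Unit": "OU", "Common Name": "CN",
                   "Country": "C", "State/Province": "ST", "Locality": "L"}


def validate_request_form(form):
    """Return a list of problems found in a request form (a dict of field -> value).

    An empty list means the form is safe to submit.
    """
    problems = []
    for name in ("Key Name", "Password", "Bits", "Request File") + SUBJECT_FIELDS:
        if form.get(name) in ("", None):
            problems.append(f"{name}: missing")
    # A comma is treated as the end of the field, so any comma yields an invalid request.
    for name, value in form.items():
        if isinstance(value, str) and "," in value:
            problems.append(f"{name}: contains a comma")
    if form.get("Bits") not in ALLOWED_BITS:
        problems.append(f"Bits: {form.get('Bits')!r} is not one of {sorted(ALLOWED_BITS)}")
    if not re.fullmatch(r"[A-Za-z]{2}", form.get("Country") or ""):
        problems.append("Country: must be a two-letter ISO code such as US")
    # The common name must be the server's domain name: no spaces, scheme, port or path.
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", form.get("Common Name") or ""):
        problems.append("Common Name: must be the server's domain name, e.g. www.example.com")
    return problems


def subject_line(form):
    """Render the subject fields as one line for a final visual check before submitting."""
    return ", ".join(f"{ATTRIBUTE_NAMES[f]}={form[f]}" for f in SUBJECT_FIELDS)


# Constructed sample form (not a real organization).
SAMPLE_FORM = {
    "Key Name": "WebServerKey", "Password": "correct horse", "Bits": 1024,
    "Organization": "Example Ltd", "Organizational Unit": "Marketing",
    "Common Name": "www.example.com", "Country": "US", "State/Province": "Washington",
    "Locality": "Redmond", "Request File": "NewKeyRq.txt",
}
```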
You can set up a key pair on another server and install the certificate there. From the Servers menu, click Connect to Server, and follow the previous procedure under "Generating a Key Pair."
Once you have generated a key pair, you must get a certificate and then install that certificate with the key pair. For information about getting a certificate, see "Acquiring a Certificate" and "Installing a Certificate with a Key Pair."
The key generated by Key Manager is not valid for use on the Internet until you obtain a valid certificate for it from a Certificate Authority, such as VeriSign. Send the certificate request file to the Certificate Authority to obtain a valid certificate. Until you do so, the key will exist on its host computer, but cannot be used. For instructions on acquiring a VeriSign certificate refer to VeriSign’s Web site at http://www.verisign.com/microsoft/.
After you complete your certificate request, you will receive a signed certificate from the Certificate Authority (consult your Certificate Authority for complete details). The key manager program will create a file similar to the following example:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
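Before installing a certificate file, it is worth confirming that it really has the form shown above: an exact BEGIN line, a base64 body, and an exact END line. The checker below is an added example for this chapter, not a Key Manager feature; the certificate samples it carries are constructed stand-ins (a few DER bytes), not real certificates, and it only checks the outer format, not the signature or the subject.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_certificate_file(text):
    """Check the outer format of a certificate file returned by a Certificate Authority.

    Returns (ok, message, der_bytes); der_bytes is empty unless ok is True.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        return False, f"first line must be exactly {BEGIN}", b""
    if lines[-1] != END:
        # Catches a mistyped marker such as one with six leading dashes.
        return False, f"last line must be exactly {END} (got {lines[-1]!r})", b""
    body = "".join(lines[1:-1])
    if not body:
        return False, "no certificate data between the markers", b""
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"body is not valid base64: {exc}", b""
    # A DER-encoded certificate is an ASN.1 SEQUENCE, whose first tag byte is 0x30.
    if not der or der[0] != 0x30:
        return False, "decoded data does not start with an ASN.1 SEQUENCE", b""
    return True, f"looks like a DER certificate of {len(der)} bytes", der


# Constructed samples: the body encodes the bytes 30 03 02 01 05, a minimal SEQUENCE.
SAMPLE_OK = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_BAD_END = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n------END CERTIFICATE-----\n"
SAMPLE_BAD_BODY = "-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n"
```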
1. In the Internet Server program group, click Key Manager.
2. In the Key Manager window, select the key pair that matches your signed certificate.
If you had backed up the key pair file, you have to load it first. For instructions, see "Loading a Key Pair File" earlier in this chapter.
3. From the Key menu, choose Install Key Certificate.
4. Select the Certificate file from the list (Certif.txt, for example), and click Open.
5. When prompted, type the password that you used in creating the key pair.
The key and certificate are combined and stored in the registry of the server.
6. From the Servers menu, choose Commit Changes Now.
7. When asked if you want to commit all changes now, click OK.
You can back up a key and certificate combination by following the procedure under "Backing Up Keys" earlier in this chapter.
Note If you do not specify an IP address while installing your certificate, the same certificate will be applied to all virtual servers created on the system. If you are hosting multiple sites on a single server, you can specify that the certificate be used only for a particular server IP address by adding the IP address, for example:
10.191.28.45
Once you have applied the certificate, you must enable the SSL feature from Internet Service Manager. SSL can be required on any virtual folder available in your Web site and is configured on the Directories property sheet.
1. In Internet Service Manager, double-click the WWW service to display its property sheets, then click the Directories tab.
2. Select the folder that requires SSL security, then click Edit Properties.
3. Select the Require secure SSL channel option, and then click OK.
After creating a key pair, you can use Key Manager to move the key pair to another server.
1. From the Servers menu, click Connect to Server, type the name of the server you want to move the key pair to, and click OK.
The server name appears in the list of servers (the left column).
2. Select the key you want to move.
3. From the Edit menu, click Cut.
4. Select the server you want to move the key pair to.
5. From the Edit menu, click Paste.
You can copy a key pair to another server with the same procedure by substituting the Copy command for Cut.
With Key Manager you download key information from the registry into a file on your hard disk and then copy this file or move it to a floppy disk or tape for safekeeping. You can back up a private key pair file or a key with an installed certificate.
1. From the Key menu in Key Manager, choose Export Key and then Backup File.
2. After reading the warning about downloading sensitive information to your hard disk, click OK.
3. Type the key name in the File Name box, and click Save.
The file is given a .req file-name extension and is saved to your hard disk drive. You can then copy it or move it to a floppy disk or magnetic tape.
You can load backed-up keys or private key pair files into Key Manager with the Import command.
1. From the Key menu in Key Manager, choose Import Key and then Backup File.
2. Select the file name from the list, and click Open.
If you have generated a key pair from the command line with the Keygen.exe command and installed a certificate with Setkey.exe, you can load them into Key Manager with the Import command.
1. From the Key menu in Key Manager, choose Import Key and then KeySet.
2. In the Private Key Pair File box, type the file name for the key pair or click Browse and select the file.
3. In the Certificate File box, type the file name for the certificate or click Browse and select the file.
4. Click OK.
5. Type the password for the private key in the Private Key Password box, and click OK.
Microsoft recommends that you use separate content directories for secure and public content (for example, C:\InetPub\Wwwroot\Secure-Content and C:\InetPub\Wwwroot\Public-Content).
Save your key file in a safe place in case you need it in the future. It is a good idea to store your key file on a floppy disk and remove it from the local system after completing all setup steps. Do not forget the password you assigned to the key file.