Security


Enabling SSL

In the context of a Web server, SSL is most effectively used when encrypting only communications that contain private data, such as credit card numbers, phone numbers, or company records. SSL encryption is computationally expensive and requires considerable processor resources, so it takes much longer to retrieve and send data from SSL-enabled directories. Therefore, you should place only those pages that will contain or receive sensitive information into your SSL-enabled directory. Also, keep those pages free of elements that consume resources, such as images.

To use SSL on IIS 5.0

  1. Request and install a server certificate. You can acquire a server certificate from a trusted third party such as VeriSign, or from Certificate Services by using the Web Server Certificate Wizard in IIS 5.0 to request a server certificate. (Web Server Certificate Wizard is the replacement for Key Manager in previous versions of IIS.)
  2. Enable the appropriate settings in the Secure Communications dialog box. This dialog box will not appear unless you have a server certificate installed.

    Note   When requesting a certificate from Certificate Services, you must decide whether you want the private key to be exportable. (The Web Server Certificate Wizard in IIS marks the keys as exportable.)

    If you want to be able to back up your key, you must have an exportable private key. However, an exportable key is sometimes viewed as a security risk because the key could be compromised, and anyone who obtains the private key can pose as the certificate's legitimate owner.
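The settings of step 2 can also be applied and audited by script, which makes it easier to confirm that only the directory holding private data requires SSL. The following is an added example using the IIS ADSI provider, not code from the original page; it assumes the Default Web Site is instance 1 and that the sensitive pages live in a virtual directory named "Secure" (both names are assumptions).

```vbscript
' Added example (not from the original page): scripted equivalent of the
' Secure Communications dialog's "Require secure channel (SSL)" and
' "Require 128-bit encryption" settings, using the IIS ADSI provider.
' Assumptions: the Web site is instance 1 and the sensitive pages are in
' a virtual directory named "Secure". Adjust both for your server.
Option Explicit

Const SITE_PATH = "IIS://localhost/W3SVC/1/Root"
Const SECURE_VDIR = "Secure"

' Report which directories under the site require SSL, so you can check
' that only the directories meant to carry private data are SSL-enabled
' (every other directory should show AccessSSL=False).
Sub AuditSslFlags(rootPath)
    Dim root, child
    Set root = GetObject(rootPath)
    For Each child In root
        If child.Class = "IIsWebVirtualDir" Or child.Class = "IIsWebDirectory" Then
            WScript.Echo child.Name & ": AccessSSL=" & child.AccessSSL & _
                         " AccessSSL128=" & child.AccessSSL128
        End If
    Next
End Sub

' Require SSL, with 128-bit encryption, on one directory only.
' Has no effect until a server certificate is installed on the site.
Sub RequireSsl(vdirPath)
    Dim vdir
    Set vdir = GetObject(vdirPath)
    vdir.AccessSSL = True
    vdir.AccessSSL128 = True
    vdir.SetInfo
End Sub

AuditSslFlags SITE_PATH
RequireSsl SITE_PATH & "/" & SECURE_VDIR
AuditSslFlags SITE_PATH
```

Run it with cscript on the server as an administrator; the second audit listing should show AccessSSL=True only for the "Secure" directory.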

A Web server can have only one server certificate assigned to it. For example, reskit.microsoft.com can have a certificate labeled reskit.microsoft.com; it cannot also have a certificate labeled reskit-10.microsoft.com. This is because a certificate is the identity of a Web server, and just as a real person cannot have more than one identity, neither can a Web server.


© 1997-1999 Microsoft Corporation. All rights reserved.