
Data confidentiality and user authentication are often important design requirements when implementing web applications, particularly within a corporate Intranet.  If a PKI is in place within an organization, these two goals can be achieved by enabling the web server to use SSL with client certificate authentication.  The SSL encryption layer protects data in transit, while the client certificate authentication component requires users to present proof of identity before allowing access.

To require client certificate authentication, the web server must first obtain an SSL server certificate.  This certificate may be obtained from any trusted certification authority, including an internal issuer or a public issuer such as VeriSign.  Begin by creating the certificate request using the following steps:

  • Start the Internet Services Manager by selecting Start -> Administrative Tools -> Internet Services Manager.  (Note: in various versions of Windows, this shortcut may contain a slightly different path in the Start menu.)
  • Right-click the web site node in the IIS manager, and open the Properties dialog.  Select the Directory Security tab
  • Click the Server Certificate… button to open the Web Server Certificate Wizard
  • The Welcome to the Web Server Certificate Wizard screen will appear.   Click Next
  • The Server Certificate screen will appear.  Select the Create a new certificate option and click Next
  • Click Next again. The Delayed or Immediate Request screen will appear.  Select the Prepare the request now, but send it later option.
  • The next few pages will ask for some information about the certificate, such as a nickname, key size, and the name of your organization.   Fill this information out in the wizard.
  • When prompted for the Common Name of the certificate, ensure that you enter the fully qualified domain name of the site.   If your certificate is for https://www.myapplication.com/, then you must enter www.myapplication.com as the common name.  Otherwise, visitors to your site will be shown errors in the browser because the site’s address does not match the common name in the certificate.
  • Once all of the certificate request information has been entered, you will be prompted to save the request to a specific location.  This request file does not contain the certificate's private key; that is stored securely in CAPI.
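The name check behind the Common Name step can be reproduced before a request is submitted. The following is an added example, not code from the original article: it compares a site URL with certificate names using the RFC 2818 rules, and goes slightly beyond the text by also covering wildcard names and subjectAltName entries, which take precedence over the Common Name when present. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are illustrative.

```python
from urllib.parse import urlsplit

def name_matches(cert_name: str, host: str) -> bool:
    """Compare one certificate name with the requested host (case-insensitive)."""
    p = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # "*" stands for exactly one label, never several
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]       # wildcard only as the whole left-most label
    return p == h

def names_for_matching(cert: dict) -> list:
    """dNSName entries win; the subject Common Name is only the fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def url_matches_certificate(url: str, cert: dict) -> bool:
    """True when a browser visiting `url` would accept the certificate's name."""
    host = urlsplit(url).hostname or ""
    return any(name_matches(n, host) for n in names_for_matching(cert))

def _cert(cn, sans=()):
    # Constructed sample data, not taken from a real certificate.
    cert = {"subject": ((("organizationName", "Example Org"),),
                        (("commonName", cn),))}
    if sans:
        cert["subjectAltName"] = tuple(("DNS", s) for s in sans)
    return cert

CERT_WWW = _cert("www.myapplication.com")
CERT_BARE = _cert("myapplication.com")
CERT_WILD = _cert("*.myapplication.com")
CERT_SAN = _cert("www.myapplication.com", sans=("intranet.myapplication.com",))

if __name__ == "__main__":
    site = "https://www.myapplication.com/"
    for label, cert in [("CN=www", CERT_WWW), ("CN=bare domain", CERT_BARE),
                        ("CN=wildcard", CERT_WILD), ("SAN overrides CN", CERT_SAN)]:
        verdict = "ok" if url_matches_certificate(site, cert) else "name mismatch"
        print(f"{label:18} {verdict}")
```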

The next step in enabling SSL is submitting the certificate signing request (CSR) to a Certification Authority (CA) so you can obtain a web server certificate.  As stated previously, you may obtain a server certificate from your organization, or you may obtain a certificate from a public CA such as VeriSign.  For publicly accessible, internet-facing sites, obtaining a certificate from a public certification authority is preferable, as this will require no additional configuration for your visitors to trust the SSL certificate.

Once the certification authority issues the certificate, it must be installed in IIS.  This is done using the following steps:

  • Start the Internet Services Manager by selecting Start -> Administrative Tools -> Internet Services Manager.  (Note: in various versions of Windows, this shortcut may contain a slightly different path in the Start menu.)
  • Right-click the web site node in the IIS manager, and open the Properties dialog.  Select the Directory Security tab
  • Click the Server Certificate… button to open the Web Server Certificate Wizard
  • The Welcome to the Web Server Certificate Wizard screen will appear.   Click Next
  • The Server Certificate screen will appear. Select the Process the pending request and install the certificate option and click Next
  • Select the file location where you have saved the certificate, and click through the rest of the wizard to complete the certificate installation

Now that the certificate is installed, there is one final step required to enable SSL: IIS must be configured to require secure connections.

  • Start the Internet Services Manager by selecting Start -> Administrative Tools -> Internet Services Manager.
  • Right-click the web site node in the IIS manager, and open the Properties dialog.  Select the Directory Security tab
  • Click the Edit button in the Secure Communications section of the property page
  • Check the Require Secure Channel and Require 128 bit Encryption check boxes, and click OK.

Your web site is now set up to require secure SSL communication.  When testing, don’t forget to use the https prefix instead of http!

In the next part of this series, we will discuss setting up mutual authentication for client connections and obtaining information from client certificates in ASP.NET.

2 thoughts on “Client SSL Authentication for Microsoft IIS 6.0 Part 1: Obtaining and installing a server certificate”

  1. ds r4 says:

    I follow your blog for quite a long time and must tell you that your articles always prove to be of a high value and quality for readers.
