On IIS 6.0, how do I configure my website to use SSL?
By default, web browsers talk to web servers (IIS, Apache or any other web server program) over plain HTTP. HTTP runs on top of TCP (Transmission Control Protocol), and the server listens on port 80.
The main security issue with HTTP is that all traffic between the client and the server travels as clear text, so anyone positioned on the network path (a shared LAN, a compromised router, an open wireless network) can capture the packets and read everything in them, including passwords and form data.
To secure the transmission of information between your web server running IIS 6.0 on Windows Server 2003 and your browser clients, you can encrypt the traffic with SSL (Secure Sockets Layer, or its successor TLS; IIS 6.0 supports both). The browser then connects over HTTPS, which uses TCP port 443 by default.
Note: The procedure for enabling SSL on IIS 5.0 (Windows 2000) and IIS 5.1 (Windows XP) is essentially the same.
In order to use SSL you need a Server Certificate. This article covers only obtaining a certificate from a local (internal) CA or importing an existing certificate. For a site that the public will reach over the Internet, it is usually preferable to obtain the Server Certificate from a trusted third-party CA such as Verisign or Thawte, because clients already trust those roots and will not see a certificate warning.
To configure SSL for your website on IIS 6.0 (running on Windows Server 2003) complete the following steps:
Note: Although the screenshots are made with IIS 6.0 on Windows Server 2003, the same procedure applies for IIS 5.0 and IIS 5.1.
Note: It’s possible that the site you’ve created was stored under a different virtual server. If your website is not stored within the Default Web Site, right-click your own web site and click Properties.
Note: You can also import an existing certificate. To do so, follow these steps:
Note: If you don't have a Certificate Authority (CA) installed on this server or on another server on the network, you can still prepare the request file, but you will need to submit it to the CA manually and install the certificate it returns.
Note: In IIS 6.0 a certificate is bound to a single website, and the browser compares the name in the certificate with the host name in the URL. You therefore need a separate certificate for each website you run on this server, so make sure you provide the exact host name users will type for that site.
Important note – Internet use: The Common Name in the request must exactly match the external FQDN of the website. (The Name asked for on the first page of the wizard is only a friendly name for the certificate in the server's certificate store; browsers never see it.) For example, if your server's NetBIOS name is SERVER1 and it is located in the MYINTERNALDOM.LOCAL domain, but it will host a website that users reach by entering WWW.KUKU.CO.IL, you must use WWW.KUKU.CO.IL as the Common Name in the certificate request wizard, and NOT SERVER1.MYINTERNALDOM.LOCAL. Bear in mind that current browsers ignore the Common Name altogether when the certificate carries a Subject Alternative Name extension, so if your CA adds one, the external FQDN must appear there as well.
Important note – Intranet use: For Intranet-only purposes you CAN use the internal FQDN of the server, or even just its NetBIOS name, as long as that is what users will type in the address bar. For example, if your server's NetBIOS name is SERVER1 and it is located in the MYINTERNALDOM.LOCAL domain, you can use SERVER1.MYINTERNALDOM.LOCAL or just SERVER1 as the Common Name.
You can also change the Bit Length of the key. The wizard defaults to 1024 bits; choose 2048, since 1024-bit RSA keys are no longer considered adequate and public CAs will not issue certificates for them.
Note: IIS 6.0 cannot distinguish SSL websites by host header (it has no SNI support), so each HTTPS site needs its own IP address and port combination. Either assign a different SSL port to each SSL-protected website you host on the server, or, better, give each site its own static IP address and let them all use port 443.
Note: It’s possible that the site you’ve created was stored under a different virtual server. If your website is not stored within the Default Web Site, right-click your own web site and click Properties.
Note: It's also possible that you don't want to protect the entire website, but only one or two pages within a larger site. In fact, this is the common case: most site operators only want to protect a couple of important pages, such as an online store checkout or a registration form. In that case you do NOT need to SSL-protect the entire site, so do NOT right-click the site itself. Right-click only the directory or pages within the site that need protection. Keep in mind, though, that anything entered on an unprotected page (including a login form that only posts to a protected one) still crosses the network in the clear.
Note: Requiring 128-bit encryption poses no problem for current operating systems and web browsers, but keep in mind that some very old browsers and operating systems may not be able to connect to your site.
Note: You are NOT required to disable anonymous access; that is an additional security measure, not part of SSL. It may well be that your site is supposed to allow anonymous access while still using SSL for encryption. This is true, for example, of online shops where visitors enter their credit card numbers: you would not want to restrict them to people who already hold a username and password. In that case, keep the Enable anonymous access check box selected.
To test your new settings, open a browser and type your server's FQDN (or NetBIOS name, if on the LAN) in the address bar (for example: http://server200 for your Intranet, or http://www.kuku.co.il for the Internet).
Note: Make sure you’ve followed the important note in step #9 above.
Since you still used plain HTTP (clear text, TCP port 80) and the site now requires a secure channel, IIS refuses the request with the following error (HTTP 403.4, "SSL required"):
Now re-type the URL using HTTPS instead of HTTP. You should be able to view your website.
You may receive a Security Alert window. This appears when the browser does not trust the CA that issued the certificate (the normal case for a local CA whose root certificate is not installed on the client), when the certificate has expired or is not yet valid, or when the name in the certificate does not match the name in the address bar. Read which of these checks failed before you click OK: a name mismatch means the Common Name in the request was wrong (see the Internet-use note above), and for a local CA the fix is to install that CA's root certificate in the clients' Trusted Root Certification Authorities store rather than to teach users to click through the warning.
If configured correctly, you should be able to connect to your now SSL-protected website.
To verify that you're using SSL, look for the small yellow lock icon in the browser's status bar at the lower right corner, and double-click it.
A Certificate window will open. Review the information that is entered into the certificate and click Ok.
Note: Make sure you renew your certificate a few weeks before it expires in order to prevent mishaps like this one: Expired SSL Website Certificate.
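The two things that most often go wrong after following the steps above are the ones the notes warn about: the name in the certificate does not match what users type, and the certificate quietly expires. The following script is an added example (not part of the original article) that checks both for a site's certificate. The pure functions work on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so they run offline against the constructed SAMPLE_CERT; fetch_peer_cert() does the live part against a real server when you pass a host name on the command line. The host names, the issuer name and the dates in the sample are constructed for the article's example domain and are not real certificate data.

```python
"""Check the certificate an SSL site presents: name match and time to expiry.

The pure functions operate on the dict shape returned by ssl.SSLSocket.getpeercert(),
so the checks run offline against SAMPLE_CERT; fetch_peer_cert() does the live part.
"""
import socket
import ssl

# Constructed sample in the getpeercert() dict shape: a certificate issued by a
# hypothetical local CA for the article's example host. Not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.kuku.co.il"),),),
    "issuer": ((("commonName", "MYINTERNALDOM Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "www.kuku.co.il"), ("DNS", "kuku.co.il")),
}
# Constructed "current time" for the offline demo (seconds since the epoch, UTC).
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec  1 00:00:00 2026 GMT")


def cert_names(cert):
    """Names the certificate is valid for: SAN dNSName entries first, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a single leading '*' label matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        host_labels = hostname.split(".")
        return len(host_labels) > 1 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == hostname


def hostname_matches(cert, hostname):
    """True if the host users type (the external FQDN) is covered by the certificate.

    Browsers that follow RFC 6125 ignore the CN when a SAN extension is present, so
    the CN only counts when the certificate carries no DNS SANs at all.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    candidates = sans if sans else cert_names(cert)
    return any(name_matches(name, hostname) for name in candidates)


def days_until_expiry(cert, now_seconds):
    """Whole days left on the certificate (negative once it has expired)."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_seconds) // 86400)


def check_site_cert(cert, hostname, now_seconds, warn_days=21):
    """Summarise the two checks the article's notes care about:
    does the name match what users type, and is renewal due."""
    days_left = days_until_expiry(cert, now_seconds)
    return {
        "names": cert_names(cert),
        "name_ok": hostname_matches(cert, hostname),
        "days_left": days_left,
        "renew_soon": days_left <= warn_days,
    }


def fetch_peer_cert(host, port=443, ca_file=None):
    """Connect to the live site and return its certificate as a getpeercert() dict.

    getpeercert() only returns a populated dict when the chain verified, so a
    certificate from a local CA needs that CA's root passed as ca_file. Hostname
    checking is left to check_site_cert() so a mismatch is reported, not raised.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    import time

    if len(sys.argv) > 1:  # live check: check_cert.py www.kuku.co.il [local-ca-root.pem]
        host = sys.argv[1]
        ca = sys.argv[2] if len(sys.argv) > 2 else None
        report = check_site_cert(fetch_peer_cert(host, ca_file=ca), host, time.time())
    else:  # offline demo against the constructed sample
        report = check_site_cert(SAMPLE_CERT, "www.kuku.co.il", SAMPLE_NOW)
    print(report)
```

Run it without arguments to see the offline report, or with the external FQDN (and, for a certificate from your own CA, the path to that CA's root certificate in PEM form) to check the live site. Scheduling the live check and alerting when renew_soon becomes true is the simplest way to avoid the expired-certificate scenario mentioned above; a name_ok of false on an Internet-facing site means the Common Name in the request did not match the external FQDN.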