Secure HTTP server
The following procedure shows how to issue your own server
certificate using Microsoft Certificate Services.
Begin by installing IIS, then follow the steps below.
Step 1: Installing Microsoft Certificate Services
To issue your own server certificate, install a stand-alone root certification
authority:
1. Log on to the system as an Administrator, or if you have the Active
Directory directory service, log on to the system as
a Domain Administrator.
2. Click Start, point to Settings, and then click Control Panel.
3. Double-click Add or Remove Programs and then click Add/Remove Windows
Components.
4. In the Windows Components Wizard, select the Certificate Services check box.
A dialog box appears to inform you that the computer cannot be renamed and that
the computer cannot be joined to or removed from a domain after Certificate
Services is installed. Click Yes. Also select Internet Information Services
check box if it was not already selected and then click Next.
5. Click Stand-alone root CA.
6. (Optional) Select the Use custom settings to generate the key pair and CA
certificate check box, and then click Next to specify customized settings.
When you are done, click Next.
7. Type the common name of the certification authority. None of this
information can be changed after the CA setup is complete.
8. In Validity period, specify the validity duration for the root CA. See the
note below about considerations when setting this value. Click Next.
9. Specify the storage locations of the certificate database, the certificate
database log, and the shared folder. Click Next.
10. If Internet Information Services (IIS) is running, you will receive a
request to stop the service before proceeding with the installation. Click OK.
11. If prompted, type the path to the Certificate Services installation files.
More info:
http://technet2.microsoft.com/windowsserver/en/library/36d03e33-c9e8-4eca-b948-addab1e22c531033.mspx
Step 2: Creating a new server certificate request
1. Start IIS Manager. From the Start menu, point to Administrative Tools, and
then click Internet Information Services (IIS) Manager.
2. In IIS Manager, double-click the local computer, and then double-click the
Web Sites folder.
3. Right-click the Web site or file for which you want to request a
certificate, and then click Properties.
4. On the Directory Security or File Security tab, under Secure communications,
click Server Certificate.
5. In the Web Server Certificate Wizard, click Create a new certificate.
6. On the Delayed or Immediate Request page, click Prepare the request now, but
send it later. By default, the certificate request file is saved as
C:\Certreq.txt, but the wizard allows you to specify a different location.
7. Complete the rest of the steps in the Web Server Certificate Wizard and then
click Finish.
Step 3: Submitting certificate request
1. Open Internet Explorer.
2. In Address, type http://servername/certsrv, where servername
is the name of the Windows server where the certification authority (CA) you
want to access is located.
3. Click Request a certificate, and then click advanced certificate request.
4. Click Submit a certificate request using a base64-encoded CMC or PKCS #10
file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. Open the C:\Certreq.txt file. Copy its contents to the Clipboard. On the Web
page, click in the edit box. Paste the contents of the certificate request into
the Saved request edit box.
6. If you are connected to an enterprise CA, choose the certificate template
you want to use.
7. Click Submit.
Step 4: Issuing certificate
1. Start Certification Authority. From the Start menu, point to Administrative
Tools, and then click Certification Authority.
2. Expand your domain Pending Requests.
3. Right-click the pending certificate request that was submitted. Select All
Tasks, and click Issue.
Step 5: Downloading issued certificate
1. In Internet Explorer, open http://servername/certsrv, where servername is the name of the Web server running Windows
Server 2003 where the certification authority you want to access is located.
2. Click View the status of a pending certificate request.
3. If there are no pending certificate requests, you will see a message to that
effect. Otherwise, select the certificate request you want to check, and
download and save the certificate (certnew.cer).
Step 6: Installing certificate
1. In IIS Manager, double-click the local computer, and then double-click the
Web Sites folder.
2. Right-click the Web site or file for which you want to install a
certificate, and then click Properties.
3. On the Directory Security or File Security tab, under Secure communications,
click Server Certificate.
4. In the Web Server Certificate Wizard, select Process the pending request and
install the certificate. Click Next.
5. Type the location where you saved the certificate (certnew.cer). Click Next.
6. Complete the rest of the steps in the Web Server Certificate Wizard and then
click Finish.
Step 7: Configuring SSL on IIS
1. In IIS Manager, double-click the local computer, and then double-click the
Web Sites folder.
2. Right-click the Web site or file for which you have installed a certificate,
and then click Properties.
3. On the Directory Security or File Security tab, under Secure
communications, click Edit.
4. In the Secure Communications box, select the Require
secure channel (SSL) check box.
5. Click OK to close the dialog.
Open TCP port 443 in your firewall.
You can now access the Web site using https. The browser will display a
message that the server certificate was not issued by a trusted certification
authority and ask whether you wish to continue using this Web site. The message
appears because the browser does not yet trust the root CA you created in
Step 1. Ignore the warning and proceed to the Web site, e.g. by clicking Yes in
Internet Explorer 6 or clicking “Continue to this website (not recommended)” in
Internet Explorer 7.
To prevent browsers from displaying the warning message every time you open the
Web site, do the following:

In Internet Explorer 6, when the Security Alert dialog appears, click View
Certificate. Open the Certification Path tab. Select the top node of the tree
(marked with a red sign) and click View Certificate. Click Install Certificate
and proceed by clicking Next on all of the wizard’s pages.

In Internet Explorer 7, the procedure is almost identical to Internet
Explorer 6, except that you first have to click “Continue to this website (not
recommended)”. When the page has loaded, click the red Certificate Error field
at the right side of the address bar and click View certificates. Then follow
the procedure described for Internet Explorer 6.

In Mozilla Firefox, when the warning dialog appears, simply select the “Accept
this certificate permanently” option and click OK.
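
The same checks from the command line, as an added example that is not part of the original page: inspect the request before submitting it, verify the issued certificate, and hand clients the root CA certificate as a file whose hash they can compare, rather than installing whatever certificate the browser warning presents. rootca.cer is a hypothetical file name, the client section assumes certutil is available on the client, and the firewall line assumes Windows Firewall on Windows Server 2003 SP1 or later.

```bat
@echo off
rem Added example. Run each section on the machine named in its comment.
rem C:\Certreq.txt and certnew.cer are the file names used in the steps above;
rem rootca.cer is a hypothetical name chosen for this example.

rem --- Web server, before Step 3: inspect the PKCS #10 request ---
rem Check that the Subject CN equals the host name users will type in the
rem browser and that the public key length is what you selected in the wizard.
certutil -dump C:\Certreq.txt

rem --- Server running Certificate Services, after Step 5 ---
rem Build and validate the chain from the issued certificate up to the root CA.
certutil -verify certnew.cer

rem Export the root CA certificate of the local CA to a file and display it.
rem Record the "Cert Hash(sha1)" line from the dump; it identifies the root.
certutil -ca.cert rootca.cer
certutil -dump rootca.cer

rem --- Each client (assumes certutil is present on the client) ---
rem Copy rootca.cer to the client over a channel you trust, dump it again and
rem compare the hash with the value recorded on the CA before trusting it.
certutil -dump rootca.cer
rem Add the root to the local machine Trusted Root store (requires an
rem administrator). Internet Explorer uses this store; Firefox keeps its own.
certutil -addstore Root rootca.cer

rem --- Web server: open TCP port 443 (assumes Windows Firewall is the firewall)
netsh firewall add portopening protocol=TCP port=443 name=HTTPS
```

Once the root is in the client's trusted store, Internet Explorer no longer shows the untrusted-authority warning for this site, so a warning that appears later indicates a different certificate is being presented.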