Computing Facilities, Carnegie Mellon School of Computer Science
 

Configuring IIS SSL (Secure Sockets Layer)

Note: Certificates will be granted only to machines in SCS-controlled DNS space and only when requested by the person listed as equipment or administrative contact. Client browsers, in turn, must have the Carnegie Mellon Root CA certificate installed in order to access an SSL-enabled site seamlessly.

Request an SSL/Webserver Certificate

  1. Start IIS, right-click "Default Web Site," and select "Properties" on the menu
  2. On the "Properties" window, click the "Directory Security" tab
  3. Click "Server Certificate" and follow the onscreen wizard
  4. Select "Prepare the request now, but send it later"
  5. For the certificate name, enter the machine's FQDN (fully-qualified DNS name) or the site's URL
  6. Select bit length "1024"
  7. For "Organization," enter Carnegie Mellon University
  8. For "Organizational Unit," enter SCS - <your Department> (e.g., ISRI, HCII, ETC, ...)
  9. For "Common Name," enter the machine's FQDN or the site URL
  10. Enter the country, state, and city information (check spelling). "Pennsylvania" must be spelled out in full
  11. Save the request file
  12. Request a certificate by forwarding your file to <certificates@cs.cmu.edu>
  13. Generate an MD5 checksum on the request file (search the Web on "MD5 checksum" to find a current tool)
  14. Have the checksum handy to verify machine and requester identity when an SCS Facilities staff member calls
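
A pre-submission check for the saved request file, as an added example that is not part of the original page: it reads the request back with certutil, confirms the Organization and state strings from steps 7 and 10 are present exactly as typed, and computes the MD5 checksum from step 13. The file path is an assumption, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example, not from the original page.
# Assumption: the IIS wizard saved the request to this path; adjust as needed.
$RequestFile = 'C:\certreq.txt'

# Values the procedure says to enter (steps 7 and 10).
$Expected = @(
    'Carnegie Mellon University',   # Organization
    'Pennsylvania'                  # state, spelled out in full
)

if (-not (Test-Path -LiteralPath $RequestFile)) {
    throw "Request file not found: $RequestFile"
}

# certutil decodes the PKCS #10 request so the subject can be read back.
$dump = (& certutil.exe -dump $RequestFile) -join "`n"
if ($LASTEXITCODE -ne 0) {
    throw "certutil could not decode $RequestFile (exit code $LASTEXITCODE)"
}

# Case-sensitive match: a misspelled or abbreviated field means a new request.
$missing = @($Expected | Where-Object { $dump -cnotmatch [regex]::Escape($_) })
foreach ($value in $missing) {
    Write-Warning "Not found in the request subject: '$value'"
}

# Checksum of the exact bytes on disk. Re-saving the file in an editor can
# change line endings and therefore the checksum.
$md5 = (Get-FileHash -LiteralPath $RequestFile -Algorithm MD5).Hash

# Group the 32 hex digits in fours so they are easy to read over the phone.
$spoken = ($md5 -split '(.{4})' | Where-Object { $_ }) -join ' '

[pscustomobject]@{
    File          = $RequestFile
    FieldsMissing = $missing.Count
    MD5           = $md5
    ReadAloud     = $spoken
}
```

Run it against the same file you attach to the e-mail, so that the checksum you read back matches what SCS Facilities received.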

Install your Certificates

When the issuance email arrives, it will contain two certificates: a "chained" certificate for the machine and a server certificate for the site.
  • Copy the chained certificate into a text editor, such as Notepad, and save it as chain.cer
  • Copy the webserver certificate into a text editor, such as Notepad, and save it with your site name as <yourdomain>.cer

Creating your Snap-in Management Console

Certificate snap-ins for the "Microsoft Management Console" (MMC) are not preconfigured. You (the system administrator) must configure a console before you can manage certificates with it.

On your webserver machine, open the MMC "Certificates" snap-in as follows (see note 1):

  1. From your desktop, go to "Start" > "Run"
  2. Type mmc and click "OK" to bring up a console
  3. From the "File" menu, select "Add/Remove Snap-in"
  4. On the "Add/Remove Snap-in" window, click "Add"
  5. In the "Add Standalone Snap-in" window, select "Certificates" and click "Add"
  6. Select "Computer Account" > "Next" > "Finish"
  7. "Close" the "Add Standalone Snap-in" box and click "OK" in the "Add/Remove Snap-in"

Now install the chained certificate

Expand the MMC "Certificates" entry and right-click "Intermediate Certification Authorities":
  1. Select "All Tasks" > "Import."
  2. Complete the Import wizard, identifying your chained certificate (chain.cer) when prompted for "Certificate file to import"
  3. Ensure that the chained certificate appears under "Intermediate Certification Authorities"

Finally, install your webserver certificate

  1. Start IIS, right-click "Default Web Site," and select "Properties" from the pulldown menu
  2. When the "Properties" window appears, click on the "Directory Security" tab
  3. Click on "Server Certificate" and follow the onscreen wizard:
    1. Ensure that you select "Process the pending request and install the certificate." Click "Next"
    2. Specify the "yourdomain.cer" file when prompted to locate your webserver certificate. Click "Next."
    3. Review the summary screen and ensure that you are processing the correct certificate. Click "Next"
    4. Click "Next" on the confirmation screen.
    5. Right-click "Properties" for your website and check the "SSL port" box. Confirm that you have assigned "443" as the https port for your site.

Note: You must restart your physical machine to complete the install.
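
A post-install check, as an added example that is not part of the original page: it connects to the site on port 443 from a client machine and reports the certificate and chain the client actually sees. The host name is a placeholder, and the client is assumed to support a TLS version the server offers.

```powershell
# Added example, not from the original page.
$HostName = 'yourdomain.example'   # placeholder: the FQDN entered as "Common Name"
$Port     = 443                    # the SSL port assigned in the site properties

$script:seen = $null

# Validation callback: record what the client saw, then let the handshake
# finish so the details can be reported. Nothing is sent over this connection.
$inspect = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $policyErrors)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
    $script:seen = [pscustomobject]@{
        Subject      = $leaf.Subject
        Issuer       = $leaf.Issuer
        NotAfter     = $leaf.NotAfter
        PolicyErrors = $policyErrors
        Chain        = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        ChainStatus  = @($chain.ChainStatus   | ForEach-Object { $_.Status })
    }
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspect)
    try     { $ssl.AuthenticateAsClient($HostName) }
    finally { $ssl.Dispose() }
}
finally {
    $tcp.Close()
}

$script:seen | Format-List

$none = [System.Net.Security.SslPolicyErrors]::None
if ($script:seen.PolicyErrors -ne $none) {
    # RemoteCertificateNameMismatch: the Common Name does not match $HostName.
    # RemoteCertificateChainErrors: the chain did not build on this client,
    # for example because the Carnegie Mellon Root CA certificate is not
    # installed here or the chained certificate was not imported on the server.
    Write-Warning "Client-side validation reported: $($script:seen.PolicyErrors)"
}
```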

Backing up your key pair file

  1. Open the MMC as in "Creating your Snap-in," above
  2. In the left panel, select the Console Root\Certificates(Local Computer)\Personal\Certificates folder
  3. Right-click on the certificate to export.
  4. Select "All Tasks" > "Export"
  5. On the "Welcome to the Certificate Manager Import Wizard" window, click "Next"
  6. Select "Yes, export the private key" and click "Next"
  7. Make sure the "Personal Information Exchange - PKCS #12(.pfx)" box is selected
    Warning: Make sure that the "Delete the private key if the export is successful" box is NOT checked.
  8. Check the "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" box and select "Next"
  9. Check the "Include all certificates in the chain" box
  10. Enter and confirm your export password
    Note: The password field can be left blank, but we recommend using a good password for security.

    Warning: If you lose the password, you must request a new certificate.

  11. Save the file to a disk or other stable device. Choose a medium from which you can recover, should your system need rebuilding, and store the device in a secure location. If you have problems or questions, contact the SCS HelpDesk, <help+@cs.cmu.edu> or x8-4231.
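
A check that the exported backup is usable, as an added example that is not part of the original page: it opens the .pfx with the export password, confirms that it holds a certificate with its private key plus the chain certificates, and matches it against the certificate installed in the computer's Personal store. The file path is a placeholder.

```powershell
# Added example, not from the original page.
$PfxPath = 'E:\backup\yourdomain.pfx'   # placeholder: where step 11 saved the file

$secure = Read-Host -AsSecureString -Prompt 'Export password'
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
try {
    # A wrong password or a damaged file fails here.
    $bundle.Import($PfxPath, $plain, 'DefaultKeySet')
}
catch {
    throw "Could not open $PfxPath : $($_.Exception.Message)"
}
finally {
    $plain = $null
}

$withKey = @($bundle | Where-Object { $_.HasPrivateKey })
$chain   = @($bundle | Where-Object { -not $_.HasPrivateKey })

if ($withKey.Count -ne 1) {
    Write-Warning "Expected one certificate with a private key, found $($withKey.Count)"
}
if ($chain.Count -eq 0) {
    Write-Warning 'No chain certificates in the file (see step 9)'
}

# Compare against the certificate installed in Certificates (Local Computer)\Personal.
$installed = Get-ChildItem Cert:\LocalMachine\My
foreach ($cert in $withKey) {
    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        ChainCertsInPfx = $chain.Count
        MatchesInstalled = [bool]($installed | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    }
}

# Release the key material that was loaded for the check.
$bundle | ForEach-Object { $_.Reset() }
```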

Notes

1. These instructions apply to the Windows XP interface, which may differ slightly from that of Vista.