Preparing IIS 5.x or 6.0 with a server certificate

The final goal of this exercise is to work with client certificates. But client certificates will not work unless you set up the web server with a server certificate. Even though there are loads of instructions to be found, let me add mine to the stack for the sake of completeness.

I assume that you do not necessarily have a server certificate from one of the large Certificate Authorities (CAs) out there, such as Verisign or Thawte. Instead you want to issue your own certificates for the server and your browser clients later on. You will need to set up your own Certificate Authority service on one of the servers you have control over to make that happen.

Make sure you have a Certificate Services installed on a server.
You can check that in Control Panel, Add or Remove Programs, Add/Remove Windows Components:

When installed correctly you should be able to start the MMC Snap-in for Certification Authority. 

Install a server certificate for the web server that will read client certificates

Detailed instructions on how to do so can be found here or this combo here and here. Never mind that it is for IIS 5.0 and Windows 2000, because the process is the same for IIS 6.0 and Windows 2003.

There are actually two ways to issue a certificate from Certificate Services. One is outlined by KB290625 and uses the website of Certificate Services.

Alternatively, if you have access to the Certificate server you can fire up the Certification Authority MMC.

  • Right-click the root node of the CA and choose All Tasks, Submit new request.
  • Provide the certificate request file (usually certreq.txt)
    The request will end up in the Pending Requests folder.
  • Issue the certificate by right-clicking the request and selecting Issue request.
  • Go to Issued Certificates and open the new request. Go to the second tab with Details and click the Copy to File button. Save the certificate (*.cer) file.

Test the server certificate with SSL

At this point you have a server certificate installed in your web server. That also means you have enough set up for a SSL connection. Try to reach the server using the https scheme instead of http. You should might get a dialog (on IE 6.0 or lower) or web page (in IE 7.0) showing the following:

In a later post I will talk about why these dialogs appear and how to prevent them. If you select Yes or Continue you should have a secure connection.

From here on

With the server certificate installed we can make the next step to use client certificates. Read more in the next post.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s