Configuring an IIS Web Server to use SSL
(prerequisite to configuring user certificate authentication for IIS)
To make your Fermilab IIS web server use SSL, the server requires an OSG PKI service certificate. This is independent of the CA(s) you plan to trust regarding user certificates such as OSG PKI. Instructions for getting a service certificate are provided at How to get an OSG Certificate for Fermilab Hosts or Services (Grid and Web).
You will then need to convert the certificate file to the appropriate format, import the certificate into your IIS server and configure it. Currently you need to do this manually (a semi-automatic certificate generation process is coming soon), as described on this page. You cannot use the default IIS certificate request wizard because it does not permit access to certain fields which the OSG PKI site requires.
If you wish to require client certificates (OSG PKI) for inbound access by individuals, hosts or services, you'll need to see the 'Configuring User Certificate Authentication for IIS' documentation after completing the steps on this page.
We assume you've followed the instructions at How to get an OSG PKI Certificate for Fermilab Hosts or Services (Grid and Web) and now have a PEM file. You'll need to convert this new PEM file into a PKCS #12 file to be imported into your Windows IIS server. To do so, run the following command on a machine that has OpenSSL installed (this may be your Windows machine). For the sample command, we assume you pick a good password (password is optional but recommended), your fully-qualified host name is faz.dhcp.fnal.gov, and the PEM file is in the current directory (if not, provide path to it):
openssl pkcs12 -export -passout pass:"<enter a good password>" -in <faz.dhcp.fnal.gov>.pem -out <faz.dhcp.fnal.gov>.p12 -name "<faz.dhcp.fnal.gov>"
You should now have the p12 file, e.g., faz.dhcp.fnal.gov.p12. Make sure you protect this file. Remember your password!
- Open the Microsoft Management Console (MMC) and add the Certificates snap-in.
- Select the Computer account radio button and click Next>.
- Select either the local computer or the remote computer where the certificate will be installed.
- Click Finish.
- Navigate to the Certificates (Local Computer) > Personal > Certificates folder.
- Right click in the right side pane and click All Tasks > Import...
- This will start the import wizard. Click Next >.
- Browse for the .p12 file you just created (e.g. faz.dhcp.fnal.gov.p12). When you browse for the file, make sure you change the 'Files of type' drop down list from X.509 Certificate (*.cer, *.crt) to Personal Information Exchange (*.pfx, *.p12).
- If you entered a password to protect the PKCS #12 file (when you ran the openssl command to convert the file to PKCS#12 format), enter it here. Click Next >.
- In order to import the certificate into your Personal store, browse for Personal and click Next>.
- Check the information and then click Finish to complete the import.
- Your certificate is now imported and available for IIS to use. (In our example, this is shown in the following image as "faz.dhcp.fnal.gov")
Now you need to configure your certificate properties.
- Go to your IIS service manager and navigate to your website. Right click and select Properties.
- Select the Directory Security tab and click Server Certificate...
- This will start the IIS Certificate wizard. Click Next >.
- Select the Assign an existing certificate radio button and click Next >.
- You should see the OSG PKI certificate you imported via the Certificate Manager MMC snap-in. Select it and click Next >.
- You will be presented with the certificate details. If everything is fine, click Next >.
- Click Finish.
- Back at your IIS manager, right click on the directory you wish to protect via SSL (this can either be the root of your web site or just a specific directory). Select Properties.
- Select the Directory Security tab. In the Secure communications section, click Edit...
- Check the Require secure channel (SSL) checkbox. Optionally, you can also force clients to use the 128-bit encryption. Select the Require client certificates radio button in the Client certificates section if you (or a web author using your server) wish(es) to require clients to present an OSG PKI certificate. If you only want to use SSL without client authentication, select the Ignore client certificates radio button (this is the default).
- Click OK. The directory to which you assigned the certificate should now be using SSL.
If you wish to accept OSG PKI client certificates, (that is, if you clicked accept or require client certs) you'll need to configure that. Please see the Configuring User Certificate Authenticatoin for IIS documentation.