This site requires JavaScript to be enabled
44 views

Configuring an IIS Web Server to use SSL
(prerequisite to configuring user certificate authentication for IIS)

Introduction

To make your Fermilab IIS web server use SSL, the server requires an OSG PKI service certificate. This is independent of the CA(s) you plan to trust regarding user certificates such as OSG PKI. Instructions for getting a service certificate are provided at How to get an OSG Certificate for Fermilab Hosts or Services (Grid and Web).

You will then need to convert the certificate file to the appropriate format, import the certificate into your IIS server and configure it. Currently you need to do this manually (a semi-automatic certificate generation process is coming soon), as described on this page. You cannot use the default IIS certificate request wizard because it does not permit access to certain fields which the OSG PKI site requires.

If you wish to require client certificates (OSG PKI) for inbound access by individuals, hosts or services, you'll need to see the 'Configuring User Certificate Authentication for IIS' documentation after completing the steps on this page.

Convert PEM file to PKCS#12 format for Windows IIS Web Server

We assume you've followed the instructions at How to get an OSG PKI Certificate for Fermilab Hosts or Services (Grid and Web) and now have a PEM file. You'll need to convert this new PEM file into a PKCS #12 file to be imported into your Windows IIS server. To do so, run the following command on a machine that has OpenSSL installed (this may be your Windows machine). For the sample command, we assume you pick a good password (password is optional but recommended), your fully-qualified host name is faz.dhcp.fnal.gov, and the PEM file is in the current directory (if not, provide path to it):

openssl pkcs12 -export -passout pass:"<enter a good password>" -in <faz.dhcp.fnal.gov>.pem -out <faz.dhcp.fnal.gov>.p12 -name "<faz.dhcp.fnal.gov>"

You should now have the p12 file, e.g., faz.dhcp.fnal.gov.p12. Make sure you protect this file. Remember your password!

  

Import certificate into IIS server on Windows

 

 

 

 

 

 

 

Now you need to configure your certificate properties.

Configure your certificate properties

 

 

 

Enable SSL Protection on a website

 

Related Documentation

If you wish to accept OSG PKI  client certificates, (that is, if you clicked accept or require client certs) you'll need to configure that. Please see the Configuring User Certificate Authenticatoin for IIS documentation.

 

Authored by Fang Wang
Last modified 4 months ago