Implementing a PKI, Part II: Configuring IIS 6.0

In my previous article “Implementing a Public Key Infrastructure (PKI) – Windows Server 2003, Part I” I described the procedure you have to follow in order to set your own Public Key Infrastructure using Windows Server 2003. Now, it is time to move on to explain how you can configure your IIS 6.0 Web server and Web browser to use the digital certificates issued by your own PKI. After all, our goal is to implement an encrypted channel between the Web server and the browser so that they can exchange data in a secured way.

Security Enhancements on IIS 6.0

In an effort to provide an enhanced level of security, Windows Server 2003 includes a redesigned IIS. IIS 6.0 is far more secure than previous versions of IIS. Many new features are included to enhance the security provided for Web communication. Below is a list of the features we are most concerned when implementing a PKI.

  • Not installed by default on Windows Server 2003: Why have something installed on your PC if you don’t need it, especially if this will put your system at risk? Based on this concept, IIS 6.0 is not installed by default on Windows Server 2003. If you need it you must explicitly select and install it. By the way, we need it to operate the CA, so please find the time to install it.

  • Installs in a locked down state: The default installation of IIS 6.0 exposes only minimal functionality. Only static files get served and overall other functionality (such as ASP and ASP.NET) has to be enabled explicitly by you. In this way, people must think what they really want to configure based on the task they want to perform.

  • SSL improvements:
    • Performance. SSL operation places a constraint on the system’s performance due to the cryptographic services it must perform. Microsoft improved the SSL implementation and made it faster, achieving better performance and scalability.

    • Selectable Cryptographic Service Provider (CSP). In an effort to enhance the performance of the system when using SSL, you are able to select a specific CSP. There are hardware-based accelerator cards that enable the offloading of the cryptographic computations to hardware. Cryptographic Service Providers can then plug their own Crypto API provider into the system. With IIS 6.0, you have the ability to select such a third-party Crypto API provider.

    • Remotable Certification Object. In IIS 5.0, administrators cannot manage SSL certificates remotely because the CSP certificate store cannot be used remotely.  With IIS 6.0 you are able to do this through the CertObject.

{mospagebreak title=Configuration Details}

Moving on, I’m listing a variety of steps you have to follow to configure the IIS Web server and the client’s Web browser to communicate securely using digital certificates. 

Enable Web Service Extensions

In order for Certificate Services Web pages to run correctly, ASP extension must be set to Allowed.

  • Go to Start->Administrative tools->IIS Manager->Web Service Extensions.

  • Select Active Server Pages, right-click and then select Allow.

Check Internet Explorer

It is essential to verify that your Internet Explorer is using a 128-bit encryption. To check this:

  1. Go to Internet Explorer->Help->About Internet Explorer.

  2. Verify that the Cipher Strength value appears as 128-bit. This is the level of encryption supported by your browser.

  3. If the Cipher Strength is anything less than 128-bit, download the Internet Explorer High Encryption Pack to your computer’s hard disk, and then install it.

Enable Secure Communication

To enable secure communication between your Web server and your clients, you must take the following steps:

  • A Server certificate must be installed on the Web server machine.

  • A client certificate must be installed on the client’s machine.

  • The CA’s certificate must be installed in the Trusted Root Certification Authorities store on the Web server and the client’s machine. This allows the Web server and Web client browser to trust the server’s certificate installed on the IIS Web site and the client’s certificate installed on the client’s machine, respectively.

{mospagebreak title=Request a Server Certificate through Web Enrollment Support}

  1. Open Internet Explorer and connect to http://servername/certsrv, where servername is the name of the Web server where the certificate authority you want to access is located.

  2. On the Welcome page, click Request a certificate.
     
    Implementing a PKI Configuring IIS 6 Part II

  3. On the Request a Certificate page, click Advanced certificate request.

  4. Click Create and submit a request to this CA.

  5. Fill in any information requested and any other options you require.

    The form contains the following fields:
    1. Identifying Information:
      • (Common) Name. You must identify the fully qualified domain name for your Web server. For example, if you intend to secure the URL https://secure.mysite.com, then your common name must be secure.mysite.com.

      • Company. The exact legal name of your organization. Do not abbreviate your organization name.

      • Department.

      • City: The city where your organization is legally located.

      • State: The state where your organization is legally located. Do not abbreviate the state.

      • Country/Region: The two-letter ISO abbreviation for your country i.e. CY= Cyprus.

    2. Type of certificate needed
      • Select “Server Authentication Certificate” from the drop-down list.

    3. Key options
      • Select “Create new key set.

      • Select from the drop down list of the CSP, “Microsoft Enhanced Cryptographic Provider v1.0.” Have in mind that a CSP is responsible for creating keys, destroying them, and using them to perform a variety of cryptographic operations.

      • Select for Key Usage: Both. This option sets the purpose of the certificate to be used for securely exchanging information and digitally signing messages.

      • Key Size: 1024

      • Select Automatic key container name.

      • Select Mark keys as exportable. When you mark keys as exportable, you can save the public and private key to a PKCS #12 file. This is useful if you change computers and want to move the key pair, or if you want to remove the key pair and secure them in another location.

      • Select Use the local machine store. Select this option if the computer will need access to the private key associated with the certificate when other users are logged on. Select this option when requesting certificates intended to be issued to computers (such as Web servers) instead of certificates issued to people.

    4. Additional options
      • Select Request format: PKCS10.

      • Select Hash algorithm: SHA-1.

      • Give a Friendly name to your certificate. Please use something meaningful.

  6. Click Submit. A dialog appears informing you that the request has been received and you must return to this website within 10 days to retrieve your certificate.
     
    Note: A request must be retrieved by the same user account on the same computer from which it was submitted. The Web page uses a browser cookie to identify the pending request. If browser cookies are blocked or if you use a different computer, retrieve the certificate directly from the CA by using the Certification Authority MMC snap-in.

  7. Return to http://servername/certsrv and click on the View the status of a pending certificate request link. Select to Install the certificate. Note that you must first issue the certificate through the CA’s MMC snap-in to complete this step.

  8. Return to http://servername/certsrv and click on the Download a CA certificate, certificate chain or CRL link. On the Certificate Issued page, click the Download certificate link and save the certificate.

{mospagebreak title=Install CA’s certificate}

This step is performed on BOTH the server’s and client’s machines.

  1. Locate the .cer file you just saved.

  2. Right-click the .cer file and click Install Certificate, and then click Next.

  3. When the Certificate Import wizard opens, click Automatically select the certificate store based on the type of Certificate.

  4. On the Completing the Certificate Import Wizard page, click Finish.

Assign the Server Certificate to the Web Site

  1. Go Start->Administrative Tools->IIS Manager.

  2. In the left pane, click your server and then click Web Sites.

  3. Right-click the Web site you want to assign the certificate to, and then click Properties.

  4. Click Directory Security, and then click Server Certificate.

  5. On the Welcome to the Web Certificate Wizard page, click Next.

  6. On the Server Certificate page, click Assign an existing certificate, and then click Next.

  7. On the Available Certificates page, click the installed certificate you want to assign to this website, and click Next.

  8. On the SSL Port page, configure the SSL port number. The default port of 443 is appropriate for most situations. Click Next.

  9. On the Certificate Summary page, review the information about the certificate and click Next.

  10. On the Completing the Web Server Certificate Wizard page, click Finish, and then click OK.

{mospagebreak title=Configure the Website to Require a Client Certificate}

As I stated in the beginning of the article, the target is to secure the communication between the Web server and the clients. To do this we will configure the website to require a user certificate:

  1. Go Start->Administrative Tools->IIS Manager.

  2. In the left pane, click your server and then click Web Sites. Click on Default Web Site and right click on it. Click Properties.

  3. In the Default Web Site Properties dialog box, click the Directory Security tab.

  4. On the Directory Security tab, click the Edit button in the Secure communications frame.

  5. Place a checkmark in the Require secure channel (SSL) checkbox and put a checkmark in the Require 128-bit encryption checkbox. Select the Require client certificates option in the Client certificates frame. Click OK in the Secure Communications dialog box.

    Implementing a PKI Configuring IIS 6 Part II

  6. Click Apply and then click OK in the Default Web Site Properties dialog box.

Request a Client Certificate through the Web Enrollment Site

The user’s machine must present a client certificate to the Web server before the Web server will accept the user’s credentials. Users can request a client certificate from the Web enrollment site in the same way as I described in section (d). Also, don’t forget to install the CA’s certificate as I described in section (e).

Conclusion

Having described the process of implementing a PKI reminded me that this is not a simple task. You must have the patience to sit down and configure all the necessary settings to enable the correct operation of your Certification Authority. After all, it’s meaningless if you go through all this trouble and forget to require, for example, client authentication.

I have to admit that I lost my patience a couple of times when I was implementing and configuring the CA entity, but as you can see I’m still here. Anyway, I hope I gave you a good starting point on this, and if you need any further information I will be happy to provide you with it.  

[gp-comments width="770" linklove="off" ]