To prepare for an SSL installation, the following resources are necessary:
• Windows 2000 Active Directory Domain
• Windows 2000 Server running IIS 5.0
Step 1 – Installing the Certification Authority
The first step to installing SSL is to install and configure the Certification Authority (CA), the service which issues and maintains the server certificates. In this lab, the CA will be installed on the Windows 2000 Domain Controller. To install the CA, follow the steps below:
1. Open ‘My Computer’ > ‘Control Panel’ > ‘Add/Remove Programs’
2. Choose ‘Add/Remove Windows Components’
3. Place a check in the box next to ‘Certificate Authority’ and click ‘Yes’ when the warning appears.
4. Click ‘Next’.
5. When prompted for the CA type, choose ‘Stand-alone root CA’
Note: this will differ in actual environments depending on planning and any existing CAs.
6. Complete the ‘CA Identifying Information’ dialog with information specific to your environment and click ‘Next’. Example information, that can be used for testing is below:
7. Verify the ‘Data Storage Location’ is suitable for your server and click ‘Next’.
8. Click ‘Ok’ when warned that IIS services will be stopped and click ‘Finish’ when setup has completed copying files.
Step 2 – Generating a certificate request
The next step is to request a certificate for the web server. This is done from the server that will have MMIS v1.5 installed on it. To request a certificate, follow the steps below:
1. Click on ‘Start’, ‘Programs’, ‘Administrative Tools’ and open the ‘Internet Services Manager’ MMC snap-in.
2. Expand the server name, right-click on ‘Default Web Site’, and choose ‘Properties’.
3. Select the ‘Directory Security’ tab and click ‘Server Certificate’.
4. Click ‘Next’ to begin the wizard and choose ‘Create a new certificate’ and click ‘Next’.
5. Choose ‘Prepare the request now, but send it later’ and click ‘Next’.
6. Click ‘Next’ to accept the default values on the ‘Name and Security Settings’ dialog.
7. On the ‘Organization Information’ dialog, enter a name and organizational unit for your certificate and click ‘Next’.
8. Enter the FQDN of your server on the next dialog (for example, mmis.domain.com) and click ‘Next’.
9. Enter the country, state/province and city/locality that your server is located in and click ‘Next’ (for state/province, standards suggest you do not abbreviate but rather spell out the name, such as Washington, as opposed to WA).
10. Specify where you would like the request saved, and click ‘Next’, then ‘Next’ again and ‘Finish’ completing the request generation.
Step 3 – Submitting the certificate request
The next step is to submit the certificate request to the CA that was created in Step 1. This is also done from the server that will have MMIS v1.5 installed on it. To submit the request, follow the steps below:
1. Start Internet Explorer and enter the following URL (replace ‘CAserver’ with the name of the server the Certification Authority was installed on), http://CAserver/certsrv.
2. Choose ‘Request a certificate’ and click ‘Next’.
3. Select ‘Advanced request’ and click ‘Next’.
4. Choose the second option, ‘Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file.’ and click ‘Next’.
5. Open the file that was saved in #10 in the previous step using Notepad (by default, this file is C:\certreq.txt). It will appear similar to below:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICnjCCAkgCAQAwgY0xIzAhBgNVBAMTGm1vYmlsZS1tbWlzLm1vYmlsZWNvcnAu
Y29tMRcwFQYDVQQLEw5XaXJlbGVzcyBHcm91cDETMBEGA1UEChMKTW9iaWxlY29y
cDESMBAGA1UEBxMJQ234ahcmxvdHRlMRcwFQYDVQQIEw5Ob3J0aCBDYXJvbGluYTEL
MAkGA1UEBhMCVVMwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAz+nnFAupbS2PIkcE
zu+nl1kAwxtz60eF/I+HZO/Mo6ztWrhBu4iQVmYLQYh9uE3PHGRIB+YwGII38jKp
IgmniwIDAQsfdsUzAaBgorBgEEAYI3DQIDMQwWCjUuMC4yMTk1LjIwNQYKKwYB
BAGCNwIBDjEnMCUwDgYDVR0PAQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMB
MIH9BgorsdfeEEAYI3DQICMYHuMIHrAgEBHloATQBpAGMAcgBvAHMAbwBmAHQAIABS
AFMAQQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABp
AGMAIABQAHIAbwB2AGkAZABlAHIDgYkAjuYPzZPpbLgCWYnXoNeX2gS6nuI4osrW
HlQQKcS67VJclhELlnT3hBb9Blr7I0BsJ/lguZvZFTZnC1bMeNULRg17bhExTg+n
UovzPcJhMvG7G3DR17PrJ7V+egHAsQV4dQC2hOGGhOnv88JhP9Pwpso3t2tqJROa
5ZNRRSJSkw8AAAAAAAAAADANBgkqhkiG9w0BAQUFAANBAFD/X5SZwqMG8hbPGYNS
LVZvbmL8H1hbiRqYkeoYPghq2XfQre/ifA+zaMAl1rdQMVMGl9CrW/a5e02gRaUb
nko=
-----END NEW CERTIFICATE REQUEST-----
6. Select the text after the first line through to the end of the request (do not include the beginning and ending comments, then paste that text into the field labeled ‘Base64 encoded Certificate Request’ and click ‘Next’.
The request has now been submitted and is awaiting approval from the Certificate Authority. This is covered in the next section.
Step 4 – Issue the requested certificate
The next step is to issue the requested certificate. This is done on the machine that is running the Certification Authority. To issue the certificate, follow the steps below:
1. Click on ‘Start’, ‘Programs’, ‘Administrative Tools’ and open the ‘Certification Authority’ MMC snap-in.
2. Expand the name of the CA in the left window pane and select the ‘Pending Requests’ folder. The pending certificate request will appear in the right pane.
3. Right-click on the pending request, select ‘All Tasks’ followed by ‘Issue’ to issue the certificate.
The certificate has now been issued and it must be installed on the web server.
Step 5 – Installing the certificate
Now the certificate will be installed on the server that will run MMIS v1.5. To do so, from the member server running IIS 5.0, follow the steps below:
1. Start Internet Explorer and enter the following URL (replace ‘CAserver’ with the name of the server the Certification Authority was installed on), http://CAserver/certsrv.
2. Click ‘Check on a pending certificate’ and click ‘Next’.
3. Select the certificate request that was made in Step 3, and click ‘Next’.
4. Click ‘Download CA certificate’ and when prompted, save the certificate locally on the server, then close Internet Explorer.
5. Click on ‘Start’, ‘Programs’, ‘Administrative Tools’ and open the ‘Internet Services Manager’ MMC snap-in.
6. Expand the server name, right-click on ‘Default Web Site’, and choose ‘Properties’.
7. Select the ‘Directory Security’ tab and click ‘Server Certificate’ and click ‘Next’ to begin the wizard.
8. Choose ‘Process the pending request and install the certificate’ and click ‘Next’.
9. Browse to the location of the saved certificate, select it and click ‘Open’ followed by ‘Next’.
10. The certificate information will appear, click ‘Next’ to install the certificate and ‘Finish’ to complete the wizard.
That completes the certificate installation. To test, navigate to https://localhost and verify that SSL is working correctly.
Note: You may be prompted with a warning that the certificate name does not match the server name. This appears because of the way the server name was entered on the certificate request. If you entered an FQDN, the warning will not appear if you enter the URL as an FQDN as is the case when a NetBIOS name is specified in the certificate request.
