Enabling SSL in IIS on Windows XP Professional

Enabling SSL on IIS is not as simple as clicking a checkbox setting, especially on Windows XP Professional. This site describes how to use OpenSSL to create a self-signed certificate that will freely enable SSL encryption for testing and private purposes.

Update 9/5/2003. See Create a self-signed SSL certificate with IIS 6.0 Resource Kit SelfSSL for a much simpler method.

Running IIS on Windows XP Professional

Many people do not know that Windows XP Professional includes a fully functional web server, Microsoft IIS 5.1. For a small office or home, this is incredibly convenient. If you're a developer who wants to try web development with HTML, Javascript, Active Server Pages (ASP), or VBScript, having IIS can allow you to experiment quickly with files on your local system. Of course, you could always download and install the free and robust Apache web server, but IIS is somewhat simpler and the documentation is better. [begin heated debate...]

You don't need to buy the more expensive Windows XP Advanced Server or Windows 2000 Server to run IIS. However, the XP Professional standard EULA (license) states that at most 10 computers may connect to your machine for IIS, File/Printing services, and remote access. That means you would be violating the license if you ran a web server using IIS from your house or office, and more than 10 people connected to it at once. If you want a free solution and don't need ASP, you could also run Apache+PHP on your XP Professional machine. The duo is free, unrestricted, and serves the same purpose.

Installing IIS on Windows XP Professional

The Internet Information Server (IIS) is not installed by default on Windows XP. To install it, one must log in under an account with administrator priviledges, and go to "Control Panel"->"Add Remove Programs"->"Add/Remove Windows Components." Just check the "Internet Information Services" checkbox and complete the installation. (Note, if you click the "Details..." button, you can also install Microsoft's free FTP server.)

Once that finishes, you will have a directory called c:\Inetpub\wwwroot on your hard drive that contain the files that your web server will serve. To test your server, use Internet Explorer or Mozilla and type in "http://localhost" or "http://127.0.0.1" in the URL. You will see either an "Under Contruction" page or a Microsoft page that says your web service is now running. These are default files installed by IIS in the wwwroot directory, and it is safe to delete them if you want a barebones IIS installation. Create a text file called "Default.asp", type something in it, and save it to the wwwroot directory. When you reload your site again, you will see the file you just made displayed in the browser. Now you are free to experiment with HTML, Javascript, CSS, etc. If you don't want to learn ASP, you can download and install the free and powerful PHP scripting engine, which integrates into IIS easily. PHP is an up-and-coming all-star in web server-side scripting; it is used by Yahoo!, CBS, and other large corporations. For example, one can create custom GIF images on the fly using one of the PHP function libraries. There are dozens of other useful function libraries in PHP. Furthermore, the documentation is superb.

Requirements for Installing Self-Signed Certificate

Now that you have IIS running and have set up some pages, let's say you would like to share your documents or web application securely, making sure everything is encrypted during its transmission over the wild, wild web. Encryption on the web is possible using a technology called SSL (Secure Sockets Layer). However, enabling SSL on IIS is not as simple as clicking a checkbox setting. In particular, enabling SSL independently on Windows XP Professional is not possible. This site describes a method of creating a self-signed certificate to enable SSL encryption for testing and private purposes. For businesses, novices, and individuals who don't have time to mess with server settings, you should hire an expert. I recommend you skim through this entire site before attempting the procedure, because it is fairly advanced. The requirements are below.

• OpenSSL i386 binary and source distributions (free)
• Active Perl (free)
• Basic knowledge of how to use the command shell "cmd"
• Ability to use a text editor

IIS Directory Security

First open the IIS configuration console. To do this the easy way, right click on the "My Computer" on your desktop and select "Manage". You can also get to it via "Control Panel"->"Administrative Tools"->"Computer Management". Expand through the following heirarchy: "Services and Applications"->"Internet Information Services"->"Web Sites"->"Default Web Site."

Right click on "Default Web Site", and select "Properties". Then click on the "Directory Security" tab.

Prepare a Certificate Request

Click on the "Server Certificate..." button. This will open the Web Server Certificate Wizard. Click "Next". At this point, you have the options of "Create a new certificate", "Assign an existing certificate", and "Import a certificate from a Key Manager backup file." Select "Create a new certificate" and click Next. (Update 9/5/2003. See Create a self-signed SSL certificate with IIS 6.0 Resource Kit SelfSSL for a much simpler method.)

Digression: The Certificate Business

Though it's labelled "Create," this step actually means to request a certificate from a "certificate authority," and requires some elaboration. There is this thing called the Public Key Infrastructure (PKI), which is basically a group of companies that have agreed to trust each other, and a set of mechanisms for validating that trust. It is similar to the Kerberos system developed at MIT. Practically, this means that Windows comes pre-installed with the certificates of trusted companies. These certificates can be viewed by running certmgr.msc from a command window, and updated using Windows Update. For any certificate in the list of trusted certificates, your programs, particularly Internet Explorer, will not give you warning when you access their website with SSL enabled. If the web server uses a certificate that is not issued by a trusted company (a.k.a Certificate Authority or CA), then Internet Explorer will warn you that the certificate is not automatically trusted, and you should proceed with caution.

To the end-user of the website, it's the difference between having a security warning and not having one. Everything sent over SSL is encrypted regardless of whose certificate is used, whether it is one you cooked up on your own machine or one you're paying $400 per year for. The upshot is that when you request a certificate the traditional way, you are requesting it from the administrator of a 'trusted' party, who has the power to deny your request. For websites, this is almost always a company like Verisign or Thawte, whose trusted certificates are installed in almost all web browsers. They keep the trust by charging you a fee, which they use to monitor that no one who has been granted a certificate signed by them is doing anything illegal or untrustworthy.

To create your own certificate, you can pretend to be a certificate authority. The software that allows one to be a certificate authority in Windows is called "Certificate Services", but Windows XP Professional does not include an option to install it. If you have XP Advanced Server, then you can use the certificate generation procedure described on the IISFaq.com SSL page. Alternatively, you could also request a certificate from the administrator of a server running Certificate Services on your domain, if you are so lucky.

For the poor man who does not have money to spend on a trusted certificate or to buy XP advanced server, you can follow these steps to use the freeware OpenSSL tools to create your own certificate. This is the way I figured out after rummaging around on the Internet today, and may not be the easiest way in town.

Create the Self-Signed Certificate using OpenSSL

Continuing on in the wizard, choose "Prepare the request now, but send it later." The next four dialogs will ask you about the names that should be in the certificate. You can leave the defaults, or enter a name and location for your company. Finally, the wizard will ask you to save the certificate request to a file named certreq.txt.

In order to create a private key and sign the certificate, you will need to download the free OpenSSL for Windows Binaries and Source packages, courtesy of the GnuWin32 project on SourceForge. From the GnuWin32 project downloads page, download the two OpenSSL zip files labeled as "src" and "bin" for i386.

To make the process easier, you will also need to download and install the free ActivePerl. Download and install this so you will be able to run Perl scripts on your machine, independently or as scripts on IIS.

Next, unzip both of the OpenSSL packages to temporary folders. From the binaries package "bin" folder, copy the files "openssl.exe" and the two DLLs into the source package's "apps" folder. In the "apps" folder is a file called CA.pl. Open this perl script in a text editor and change the line $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; to read $SSLEAY_CONFIG="-config openssl.cnf";. (Alternatively, you can change the individual occurrences. Change $CA="openssl ca $SSLEAY_CONFIG"; to $CA="openssl ca -config openssl.cnf"; and $REQ="openssl req $SSLEAY_CONFIG"; to $REQ="openssl req -config openssl.cnf";.) Now copy the certreq.txt file you made above into this "apps" directory, and rename it to "newreq.pem".

Next, open a command prompt window in the apps directory, and run the following commands:

• perl CA.pl -newca
• perl CA.pl -signreq

Install the Certificate

If all is successful, you should have a file called "newcert.pem" in the "apps" directory, which contains your certificate. Open this file in a text editor and remove everything before the -----BEGIN CERTIFICATE----- line.

Go back into the "IIS management console"->"Directory Security" tab and click "Server Certificates". In the wizard, select "Process the pending request and install the certificate" and press Next. Browse to and open the newcert.pem file in the "apps" directory. (Note, you will have to set the file filter to "all files" in order to see the .pem file.) Click next to complete the process.

That’s it! Now you have IIS set up with an SSL certificate. To turn on SSL, make sure in the "IIS configuration"->"Web Site tab"->"Advanced"->"Multiple SSL identities for this Web Site", you have a default IP address registered on port 443. If you want to only allow SSL encrypted connections from web browsers, click the "Edit" button in the "Secure Communications" section of the "Directory Security" tab, and check the "Require secure channel (SSL)" checkbox.

Results of Installing the Certificate in IE

Whenever anyone visits your web server using the https:// prefix in Internet Explorer (6.0), they will see the dialog shown below.

The first sentence of the IE dialog says Information you exchange with this site cannot be viewed or changed by others, which means that the data is being encrypted. However, because the certificate was not signed by a CA in the trust heirarchy, the warning is displayed. Therefore, this procedure is not recommended for any businesses collecting sensitive data from the public at-large, such as e-commerce. However, for testing and private use, you may find it useful. This certificate could be permanently installed as trusted by the client, and the warning would thereafter be automatically bypassed for that client.

TEXT: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. * The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. * The security certificate has expired or is not yet valid. * The name on the security certificate is invalid or does not match the name of the site.

Results of Installing the Certificate in Netscape

In Phoenix/Mozilla/Netscape, they would see a similar dialog.

TEXT: Website Certified by an Unknown Authority, Unable to verify the identity of xyz as a trusted site. Possible reasons for this error: * Your browser does not recognize the Certificate Authority that issued the site's certificate. * The site's certificate is incomplete due to a server misconfiguration. * You are connected to a site pretending to be xyz, possibly to obtain your confidential information.

Encryption in Exchange 2000 with Outlook Web Assistant

Jeremy, from JD Technology, points out that these instructions are almost identical to the steps needed to create and install a certificate for Exchange 2000 with IIS5, (or for just IIS5 on Windows 2000 for that matter). The only difference is that the Directory Security section is in the Internet Services Manager in Administrative Tools.

In a typical Exchange 2000/IIS5 with Outlook Web Access configuration behind a firewall, the admin will need to open ports 25 (SMTP), 80 (HTTP), 1025-1028 (MAPI), 500-5020 (RPC), 53 (DNS), 135 and 139 (RPC Listening Ports), and perhaps 88, 110, 143, 189, 445, 636, 993, 995, 3268, 3269 for various other protocols. With an SSL configuration, only port 443 to the Exchange server needs to be opened. The only hurdle is to create and sign a certificate.

Note that if your Windows 2000 server is acting as a domain controller, you could also generate certificates by installing Certificate Services from the installation CD. Please search for the Windows 2000 Certificate Services White Paper or visit IISFAQ.com for more information.

SSL-Related Links

• Someone wrote these Security notes, where I figured out that the .pem file must be stripped for IIS to recognize it as a certificate. See the section titled "Signing IIS keys with OpenSSL".
• You can read about the CA.pl script - a friendlier interface for OpenSSL certificate programs.
• Here is the main OpenSSL site
• AnalogX PortMapper is a small freeware program that allows one to enable IP address restriction for a server.
• CIS164: Introduction to Managing a Web Server - A course on using web servers with online lessons.
• securityspace.com publishes a monthly research report on the top SSL Certificate CAs
• IIS FAQ is a premiere site for resources on installing, configuring, and troubleshooting IIS.

Companies that Sell SSL Certificates

These companies sell secure certificates. Note that even for 'free' certificates, the companies will require some form of validation that you are who you claim to be. This is because those certificates are at some level automatically trusted by web browsers. A self-signed certificate will not be trusted automatically by anyone, but is also completely unrestricted.

• Verisign - the 400 lb gorilla of security certificates
• Thawte - purchased by Verisign in Dec. 1999, but retains its brand
• Quality SSL - a smaller player (cheaper)
• Instant SSL - offers 30-day free trusted trial certificates
• GeoTrust - another established company
• FreeSSL - offers first-year free certificate for low volume & transaction commercial sites
• Trustwave - secure certificates and security software vendor
• Go Daddy SSL - Fully validated, low cost, secure SSL Certificates
• CACert.org - a community-operated service that offers certificates free of cost
• Network Solutions - Offers low volume and high volume options