SSL Setup Confussion

Hi All,

I have been researching this problem for a while and have not found any answers. What I am tring to do is setup ssl on a webserver so that when installed on a site the web developer can decide whether or not to secure a page by changing the link from http to https. I have seen this done on other site but can find no documentation on this. Here are the facts:

Windows 2000 advanced server
not running virtual directory


I have found a lot of info on how to secure an entire site or folder but not on how to do this. What do you have to do differently from the directions below to get this to work.

1. Generate a Certificate Request
This procedure creates a new certificate request, which can be sent to a Certificate Authority (CA) for processing. If successful, the CA will send you back a file containing a validated certificate.

To generate a certificate request

Start the IIS Microsoft Management Console (MMC) snap-in.
Expand your Web server name and select the Web site for which you want to install a certificate.
Right-click the Web site, and then click Properties.
Click the Directory Security tab.
Click the Server Certificate button within Secure communications to launch the Web Server Certificate Wizard.
Note If Server Certificate is unavailable, you probably selected a virtual directory, directory, or file. Go back to Step 2 and select a Web site.
Click Next to move past the welcome dialog box.
Click Create a New Certificate, and then click Next.
The dialog box has the following two options:
Prepare the request now, but send it later
This option is always available.

Send the request immediately to an online certification authority
This option is available only if the Web server can access one or more Microsoft Certificate servers in a Windows 2000 domain configured to issue Web server certificates. Later on in the request process, you are given the opportunity to select an authority from a list to send the request to.

Click Prepare the request now, but send it later, and then click Next.

Type a descriptive name for the certificate in the Name field, type a bit length for the key in the Bit length field, and then click Next.
The wizard uses the name of the current Web site as a default name. It is not used in the certificate but acts as a friendly name to help administrators.

Type an organization name (such as Contoso) in the Organization field and type an organizational unit (such as Sales Department) in the Organizational unit field, and then click Next.
Note This information will be placed in the certificate request, so make sure it is accurate. The CA will verify this information and will place it in the certificate. A user browsing your Web site will want to see this information in order to decide if they should accept the certificate.
In the Common name field, type a common name for your site, and then click Next.
Important The common name is one of the most significant pieces of information that ends up in the certificate. It is the DNS name of the Web site (that is, the name that users type in when browsing your site). If the certificate name doesn't match the site name, a certificate problem will be reported when users browse to the site.
If your site is on the Web and is named www.contoso.com, this is what you should specify for the common name.
If your site is internal and users browse by computer name, enter the NetBIOS or DNS name of the computer.
Enter the appropriate information in the Country/Region, State/province, and City/locality fields, and then click Next.
Enter a file name for the certificate request.
The file contains information similar to the following.

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDZjCCAs8CAQAwgYoxNjA0BgNVBAMTLW1penJvY2tsYXB0b3 Aubm9ydGhhbWVy…
-----END NEW CERTIFICATE REQUEST-----

This is a Base 64 encoded representation of your certificate request. The request contains the information entered into the wizard and also your public key and information signed with your private key.

This request file is sent to the CA. The CA then uses your public key information from the certificate request to verify information signed with your private key. The CA also verifies the information supplied in the request.

After you submit the request to a CA, the CA sends back a certificate contained in a file. You would then restart the Web Server Certificate Wizard.

Click Next. The wizard displays a summary of the information contained in the certificate request.
Click Next, and then click Finish to complete the request process.
The certificate request can now be sent to a CA for verification and processing. After you receive a certificate response from the CA, you can continue and install the certificate on the Web server, once again by using the IIS Certificate Wizard.

2. Submit a Certificate Request
This procedure uses Microsoft Certificate Services to submit the certificate request generated in the previous procedure.

To submit a certificate request

Use Notepad to open the certificate file generated in the previous procedure and copy its entire contents to the clipboard.
Start Internet Explorer and navigate to http:// hostname/CertSrv, where hostname is the name of the computer running Microsoft Certificate Services.
Click Request a Certificate, and then click Next.
On the Choose Request Type page, click Advanced request, and then click Next.
On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next.
On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) text box and press CTRL+V to paste the certificate request you copied to the clipboard earlier.
In the Certificate Template combo box, click Web Server.
Click Submit.
Close Internet Explorer.
3. Issue the Certificate
To issue the certificate

Start the Certification Authority tool from the Administrative Tools program group.
Expand your certificate authority, and then select the Pending Requests folder.
Select the certificate request you just submitted.
On the Action menu, point to All Tasks, and then click Issue.
Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it.
On the Details tab, click Copy to File, and save the certificate as a Base-64 encoded X.509 certificate.
Close the properties window for the certificate.
Close the Certificate Authority tool.
4. Install the Certificate on the Web Server
This procedure installs the certificate issued in the previous procedure on the Web server.

To install the certificate on the Web server

Start Internet Information Services, if it's not already running.
Expand your server name and select the Web site for which you want to install a certificate.
Right-click the Web site, and then click Properties.
Click the Directory Security tab.
Click Server Certificate to launch the Web Server Certificate Wizard.
Click Process the pending request and install the certificate, and then click Next.
Enter the path and file name of the file that contains the response from the CA, and then click Next.
Examine the certificate overview, click Next, and then click Finish.
A certificate is now installed on the Web server.

5. Configure Resources to Require SSL Access
This procedure uses Internet Services Manager to configure a virtual directory to require SSL for access. You can require the use of SSL for specific files, directories, or virtual directories. Clients must use the HTTPS protocol to access any such resource.

To configure resources to require SSL access

Start Internet Information Services, if it's not already running.
Expand your server name and Web site. (This must be a Web site that has an installed certificate.)
Right-click a virtual directory, and then click Properties.
Click the Directory Security tab.
Under Secure communications, click Edit.
Click Require secure channel (SSL).
Client's browsing to this virtual directory must now use HTTPS.

Click OK, and then click OK again to close the Properties dialog box.
Close Internet Information Services.

Any help would be much appreciated.

Did you get this resolved? I don't know the answer, sorry.

No. I'm still doing a lot of research but have not come up with anything.

There are some iis sites like www.iisfaq.com that might have something for you. Maybe the support at your certificate vendor has some ideas.