Enabling SSL encryption for SwyxWare WebAdministration (kb3624)
The information in this article applies to:
- SwyxWare Web Administration v6.10
Configuring SSL encryption for Internet Information Services (IIS) to allow secured communication with SwyxWare Web Administration.
Secure Sockets Layer (SSL) certificates contain information used in establishing identities over a network, a process called authentication. Similar to conventional forms of identification, certificates enable Web servers and users to authenticate each other before establishing a connection.
Server certificates contain information about the server that allows the client to positively identify the server before sharing sensitive information. Client certificates contain personal information about the clients requesting access to your site that allow you to positively identify them before allowing them access to the site.
You can obtain server certificates from an outside certification authority (CA), or you can issue your own server certificates by using Microsoft Certificate Services.
To issue your own server certificate
Use Microsoft Certificate Services to create a customizable service for issuing and managing certificates. You can create server certificates for the Internet or for corporate intranets, giving your organization complete control over certificate management policies.
Use the Web Server Certificate Wizard to request and install your server certificate.
To obtain a server certificate from a certification authority
1. Find a certification authority that provides services that meet your business needs and then request a server certificate.
Use the Web Server Certificate Wizard to create a certificate request, which you can send to the certification authority.
2. After the certificate has been processed and returned to you, use the Web Server Certificate Wizard to install the certificate.
More info: http://technet2.microsoft.com/windowsserver/en/library/055049b9-b277-48bb-9dc9-b4e85c5d914c1033.mspx
The following procedure shows how to issue your own server certificate using Microsoft Certificate Services.
Step 1: Installing Microsoft Certificate Services
To issue your own server certificate, install a stand-alone root certification authority:
1. Log on to the system as an Administrator, or if you have the Active Directory directory service, log on to the system as a Domain Administrator.
2. Click Start, point to Settings, and then click Control Panel.
3. Double-click Add or Remove Programs and then click Add/Remove Windows Components.
4. In the Windows Components Wizard, select the Certificate Services check box. A dialog box appears to inform you that the computer cannot be renamed and that the computer cannot be joined to or removed from a domain after Certificate Services is installed. Click Yes. Also select the Internet Information Services check box if it is not already selected, and then click Next.
5. Click Stand-alone root CA.
6. (Optional) Select the Use custom settings to generate the key pair and CA certificate check box, and then click Next to specify customized settings.
When you are done, click Next.
7. Type the common name of the certification authority. None of this information can be changed after the CA setup is complete.
8. In Validity period, specify the validity duration for the root CA. See the note below about considerations when setting this value. Click Next.
9. Specify the storage locations of the certificate database, the certificate database log, and the shared folder. Click Next.
10. If Internet Information Services (IIS) is running, you will receive a request to stop the service before proceeding with the installation. Click OK.
11. If prompted, type the path to the Certificate Services installation files.
More info: http://technet2.microsoft.com/windowsserver/en/library/36d03e33-c9e8-4eca-b948-addab1e22c531033.mspx
Step 2: Creating a new server certificate request
1. Start IIS Manager. From the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In IIS Manager, double-click the local computer, and then double-click the Web Sites folder.
3. Right-click the Web site or file for which you want to request a certificate, and then click Properties.
4. On the Directory Security or File Security tab, under Secure communications, click Server Certificate.
5. In the Web Server Certificate Wizard, click Create a new certificate.
6. On the Delayed or Immediate Request page, click Prepare the request now, but send it later. By default, the certificate request file is saved as C:\Certreq.txt, but the wizard allows you to specify a different location.
7. Complete the rest of the steps in the Web Server Certificate Wizard and then click Finish.
Step 3: Submitting certificate request
1. Open Internet Explorer.
2. In Address, type http://servername/certsrv, where servername is the name of the Windows server where the certification authority (CA) you want to access is located.
3. Click Request a certificate, and then click advanced certificate request.
4. Click Submit a certificate request using a base64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. Open the C:\Certreq.txt file. Copy its contents to Clipboard. On the Web page, click in the edit box. Paste the contents of certificate request into the Saved request edit box.
6. If you are connected to an enterprise CA, choose the certificate template you want to use.
7. Click Submit.
Step 4: Issuing certificate
1. Start Certification Authority. From the Start menu, point to Administrative Tools, and then click Certification Authority.
2. Expand your domain Pending Requests.
3. Right-click the pending certificate request that was submitted. Select All Tasks, and click Issue.
Step 5: Downloading issued certificate
1. In Internet Explorer, open http://servername/certsrv, where servername is the name of the Web server running Windows Server 2003 where the certification authority you want to access is located.
2. Click View the status of a pending certificate request.
3. If there are no pending certificate requests, you will see a message to that effect. Otherwise, select the certificate request you want to check, then download and save the certificate (certnew.cer).
Step 6: Installing certificate
1. In IIS Manager, double-click the local computer, and then double-click the Web Sites folder.
2. Right-click the Web site or file for which you want to install a certificate, and then click Properties.
3. On the Directory Security or File Security tab, under Secure communications, click Server Certificate.
4. In the Web Server Certificate Wizard, select Process the pending request and install the certificate. Click Next.
5. Type the location where you saved the certificate (certnew.cer). Click Next.
6. Complete the rest of the steps in the Web Server Certificate Wizard and then click Finish.
Step 7: Configuring SSL on IIS
1. In IIS Manager, double-click the local computer, and then double-click the Web Sites folder.
2. Right-click the Web site or file for which you have installed a certificate, and then click Properties.
3. On the Directory Security or File Security tab, under Secure communications, click Edit.
4. In the Secure Communications box, select the Require secure channel (SSL) check box.
5. Click OK to close the dialog.
Now you can access SwyxWare Web Administration using https://servername/WebAdmin, where servername is the name of the server with IIS and Web Administration installed. You will get a message that the server certificate was not issued by a trusted certificate authority, asking whether you wish to continue using this web site. Ignore the warning and proceed to the web site, e.g. by clicking Yes in Internet Explorer 6 or clicking “Continue to this website (not recommended)” in Internet Explorer 7.
To prevent browsers from displaying the warning message every time you open the web site, do the following:
- in Internet Explorer 6, when the Security Alert dialog appears, click View Certificate. Open the Certification Path tab. Select the top node of the tree (marked with a red sign) and click View Certificate. Click Install Certificate and proceed by clicking Next on all pages of the wizard,
- in Internet Explorer 7, the procedure is almost identical to Internet Explorer 6, except that you first have to click “Continue to this website (not recommended)”. When the page has loaded, click the red Certificate Error field at the right side of the address bar and click View certificates. Then follow the procedure described for Internet Explorer 6,
- in Mozilla Firefox, when the warning dialog appears, simply select the “Accept this certificate permanently” option and click OK.
Note: To be able to install a certificate for IE6 and IE7, the server on which the Certification Authority used for issuing the certificate is installed must be accessible from the computer where you try to install the certificate. Otherwise you have to acquire the CA root certificate from the Certification Authority and install it as a Trusted Root Certification Authority. To acquire the root certificate, open http://servername/certsrv, where servername is the name of the Web server running Windows Server 2003 with the certification authority installed, click “Download a CA certificate, certificate chain, or CRL” and then again click Download CA certificate. Save the certificate anywhere on the disk. After that, you can either open the saved certificate by double-clicking it, click Install Certificate and proceed with the wizard, or open Internet Options from Internet Explorer or the Control Panel, open the Content tab, click Certificates, open Trusted Root Certification Authorities, click Import, and complete the wizard by browsing for the saved CA root certificate.
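The root certificate in the note above is downloaded over plain http://servername/certsrv, so it is worth comparing its thumbprint with one read directly on the CA server before importing it as a Trusted Root Certification Authority. The following is an added example, not part of the original article: the function names, the script name and the sample bytes are constructed for illustration, and it accepts both the DER and the Base64 encoding of the saved file.

```python
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes, not a real certificate: only the hashing matters.
SAMPLE_DER = b"\x30\x0b" + b"constructed"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\r\n")


def load_der(raw: bytes) -> bytes:
    """Return DER bytes from a .cer file saved as DER or as Base64."""
    m = PEM_RE.search(raw)
    if m:
        return base64.b64decode(m.group(1))
    if raw[:1] == b"\x30":  # ASN.1 SEQUENCE tag, so already DER
        return raw
    raise ValueError("not a DER or Base64 encoded certificate")


def normalize(text: str) -> str:
    """Drop spaces, colons and invisible characters that come along when a
    thumbprint is copied out of a certificate dialog."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Hex digest of the whole DER encoding (what Windows calls Thumbprint)."""
    return hashlib.new(algo, der).hexdigest()


def matches(raw_cert: bytes, expected: str, algo: str = "sha1") -> bool:
    """True only if the file's thumbprint equals the expected one."""
    actual = thumbprint(load_der(raw_cert), algo)
    return hmac.compare_digest(actual, normalize(expected))


if __name__ == "__main__":
    # Usage: python check_root.py <saved .cer file> "<thumbprint from CA server>"
    with open(sys.argv[1], "rb") as fh:
        ok = matches(fh.read(), sys.argv[2])
    print("thumbprint matches" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

A mismatch means the file that was saved is not the certificate the CA server holds, and it should not be added to the trusted root store.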
To acquire a trusted certificate, use a third-party certificate authority such as VeriSign (http://www.verisign.com).