Monday, March 09, 2009

Creating a certificate in IIS

This is an easy one and really specific to developers who need to do this and only this, but essentially I found the answers by googling "SelfSSL" and "IIS certificate"...
You will need to do this if you want a website hosted in your local IIS which uses HTTPS.

[EDIT: 21/04/2009] If you need a network certificate from an online (or your company's domain) authority, you should Request a Certificate. Microsoft provide fairly easy instructions for this here: http://support.microsoft.com/kb/228821

If you can't locate SelfSSL.exe on your own machine, I've a compressed version you can download here: http://home.freeuk.com/eudoxus/selfssl.rar

[EDIT:01/04/2009] I've just located the download page for this, along with some helpful articles:
For a site I set up recently, I used the following line:
selfssl.exe /N:CN=mytestsite /K:1024 /V:1000 /S:30412573 /P:443 /T

Broken down thus:
selfssl.exe
/N:CN=(sitename - doesn't have to match anything)
/K:(certificate size in bytes)
/V:(expiration period in days)
/S:(site id, found by selecting 'Web Sites' in IIS and checking the 'Identifier' field on the right)
/P:(https port number, leave it at 443)
/T (adds the certificate to the trusted sites list)
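As an added check (example code written for this post, not part of SelfSSL or the original article), here is a small Python pre-flight that parses a selfssl.exe command line like the one above and flags settings worth revisiting before you run it. The 2048-bit and 365-day thresholds are this example's own policy choices; the SelfSSL defaults noted in the comments are those documented for the IIS 6.0 Resource Kit tool.

```python
import re

# Policy thresholds chosen for this example, not SelfSSL defaults.
MIN_KEY_BITS = 2048    # 1024-bit RSA (the post's /K:1024) is weak by current standards
MAX_VALID_DAYS = 365   # /T places the cert in the trusted store, so keep its life short

# Every SelfSSL switch is a single letter, optionally followed by ':value'.
SWITCH = re.compile(r"^/(?P<name>[A-Za-z])(?::(?P<value>.*))?$")


def parse_selfssl(cmdline):
    """Split a selfssl.exe command line into a {switch: value} dict (/T -> None)."""
    tokens = cmdline.split()
    if not tokens or not tokens[0].lower().endswith("selfssl.exe"):
        raise ValueError("not a selfssl.exe command line")
    opts = {}
    for tok in tokens[1:]:
        m = SWITCH.match(tok)
        if not m:
            raise ValueError("unrecognised argument: " + tok)
        opts[m.group("name").upper()] = m.group("value")
    return opts


def check_selfssl(cmdline):
    """Return a list of findings for the command line; an empty list means it passes."""
    opts = parse_selfssl(cmdline)
    findings = []
    if not (opts.get("N") or "").upper().startswith("CN="):
        findings.append("/N should be of the form CN=<site name>")
    # /K is the RSA key length in bits; SelfSSL defaults to 1024 when it is omitted.
    bits = int(opts.get("K") or 1024)
    if bits < MIN_KEY_BITS:
        findings.append("/K:%d is a weak key; use at least %d bits" % (bits, MIN_KEY_BITS))
    # /V is the validity period in days; SelfSSL defaults to 7 when it is omitted.
    days = int(opts.get("V") or 7)
    if days > MAX_VALID_DAYS:
        findings.append("/V:%d is a long lifetime for a trusted self-signed cert; "
                        "shorten it (this example allows %d days)" % (days, MAX_VALID_DAYS))
    if opts.get("S") is not None and not opts["S"].isdigit():
        findings.append("/S must be the numeric Identifier from the IIS 'Web Sites' list")
    if (opts.get("P") or "443") != "443":
        findings.append("/P is not 443; the 'Multiple SSL identities' row must use the same port")
    if "T" not in opts:
        findings.append("/T missing: the browser on this machine will not trust the certificate")
    return findings
```

Running check_selfssl on the line above flags the 1024-bit key and the 1000-day validity and leaves the rest alone.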

Once this is finished, open the Properties panel for the website you've just added a certificate to and go to: Web Site -> Advanced -> Multiple SSL identities for this Web site

In this area you should see that the IP address is 'Default' and the SSL port is '443'. Double click this row (or select and click Edit) and replace the 'Default' IP address entry with the IP address of the web site you created.

This last piece means that when the browser goes to the site looking for a secure page, IIS will direct it towards the same site, i.e. the same IP address, rather than the default (the machine address). You could create two sites, under different IPs, one secure and one not, but that will make your site building harder as you'll have to cater for this in various ways (that I won't go into).

Have fun.

[EDIT:18/03/2009] It is my experience (Windows 2003 Server R2, IIS 5.2) that occasionally IIS will need the certificate recreating. I don't know why, but I'll try to document it here if I find out.

[EDIT:01/04/2009] Just been sent this: http://support.microsoft.com/kb/260096
The issue being wrestled with here is that (since version 5.0) when IIS starts up it begins listening for all sites on ports 80 and 443 (standard web and SSL) for incoming connections. This is known as socket pooling. It means that only the first site with SSL (i.e. the last site to have a certificate registered) will receive requests on HTTPS. This can be turned off by following the link in the second section of the above page, which you can also find here: http://support.microsoft.com/kb/259349/EN-US/ Please read both of these pages to be fully informed, but for brevity, here are the steps to disable socket pooling:
  • At a command prompt, switch to the "C:\InetPub\AdminScripts" folder.
  • Type the following command:
    CSCRIPT ADSUTIL.VBS SET W3SVC/DisableSocketPooling TRUE
You can also read more about this at: http://support.microsoft.com/kb/238131/EN-US/

Just for reference, I've switched off socket pooling on my machine using the article above and it looked something like this:
C:\>cd Inetpub

C:\Inetpub>cd AdminScripts

C:\Inetpub\AdminScripts>CSCRIPT ADSUTIL.VBS SET W3SVC/DisableSocketPooling TRUE
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

DisableSocketPooling : (BOOLEAN) True

C:\Inetpub\AdminScripts>
