Implementing SSL on IIS 5.0

Netscape designed the Secure Sockets Layer (SSL) protocol to encrypt communications traveling over the Internet. You can use SSL to encrypt email messages and files as well as to further secure Web sites that use Basic authentication, and to encrypt sessions between client browsers and Web servers. SSL is fairly complex, but if you want more information about it, see "Related Reading," page 10.

Why would you want to SSL-enable your Web site? If you're running an e-commerce site, a corporate intranet, or a site that stores any personal information, you might want an SSL certificate for two major reasons: to protect your business and to protect your customers or users. My aim is to help you get a secure IIS 5.0 Web site running as quickly and painlessly as possible.

Keep in mind that SSL alone isn't enough to secure your Internet operations. Think of SSL as the armor on an armored car carrying sensitive data. If you use SSL to collect credit card information from your customers but then store the data in a plaintext file on your server, you might very well be defeating the purpose of using SSL in the first place.

SSL Costs
A legitimate question to ask when considering SSL is, how much will it cost? Perhaps the biggest cost is the CPU cycles SSL will burn up on your system. Adding SSL will have minimal effect on your programming work, forms, and scripting, and implementing SSL on IIS 5.0 is simple (assuming, of course, that you read this article first).

Table 1 shows the monetary cost of a 40-bit SSL certificate from several Certificate Authorities (CAs). You can also purchase a more secure 128-bit solution, but the added security will cost you more. VeriSign is the most expensive, but it's also the best-known CA, so I trust it to protect my data and business. Another good reason to go with a big name in the business is that browsers will likely support it. To see the list of CAs that Microsoft Internet Explorer (IE) 5.0 recognizes and automatically trusts, choose Internet Options from the Tools menu. On the Content tab, click Certificates. The Certificates dialog box's Intermediate Certification Authorities tab and Trusted Root Certification Authorities tab each displays a list of CAs. Figure 1 shows the Trusted Root Certification Authorities tab.

Requesting a Certificate
After you decide on a CA, you're ready to begin the process of generating a certificate signing request (CSR). The first step is to open Internet Services Manager (ISM) in Windows 2000's Administrative Tools folder. Right-click the Web site for which you want to create a CSR, and select Properties, as Figure 2 shows. Select the Directory Security tab, and click Server Certificate to start the Web Server Certificate Wizard, which guides you through these six steps:

1. At the first screen, select the option to create a new certificate.
2. Supply a certificate name and a bit length for the certificate's encryption key. The name is for display purposes and can be anything you want, but it should describe the Web site. The goal is to differentiate this certificate from any other certificates you might have. The default bit length for the key is 512, but I recommend using 1024 bits or higher. VeriSign also recommends using a 1024-bit length key because 512-bit keys have been cracked. For more information about the vulnerability of 512-bit keys, see http://www.verisign.com/cus/srv/faq/512/index.html.
3. Supply an organization name and an organizational unit (OU) name. Like the certificate name, these descriptors are handy if you manage many certificates. Stick to alphanumeric characters and spaces; avoid characters such as commas and semicolons.
4. Supply the common name (CN) for the Web site. Type the URL that users enter to access the site. For example, if your site is Amazon.com, your CN is www.amazon.com. If the site is your intranet, which runs only on a LAN with NetBIOS, your CN might just be intranet. The key here is to enter exactly what you intend users to enter to access the site.
5. Supply your city and state. Enter the complete names—some CAs don't recognize two-letter state abbreviations.
6. Finally, choose a filename (IIS 5.0 typically assumes a .cer extension for certificate filenames) and location in which to save the CSR, click Next, then click Finish to generate the CSR file.

   Previous  [1]  2  Next