SSL Certificate Signing and Configuration

Overview

An SSL certificate enables encrypted web traffic over HTTPS. The certificate contains RSA keys for encrypting web traffic. When browsing over HTTPS, the browser will attempt to validate a server's SSL certificate with a third party called a certifying authority or CA. In order for a browser to accept a server's certificate, the server's domain name must match the domain name registered with the CA for that certificate. SSL certificates may be "self-signed", but they will only be accepted by a web browser which is configured to explicitly trust the server.

SSL certificates are issued for each domain name served. Sites or web applications which share a common domain can also share an SSL certificate.

The procedure for enabling HTTPS is as follows:

  1. Create a Certificate Signing Request (CSR) on the server
  2. Submit the CSR to a Certifying Authority
  3. Receive a .cer certificate file from the CA
  4. Register the certificate on the web server
  5. Configure the server to use HTTPS with the signed certificate

Creating a Certificate Signing Request in IIS

  1. Launch IIS
  2. Select the server node under connections
    i.e. the node above Sites
  3. Double-click Server Certificates under the IIS section
  4. Click Create Certificate Request in the Actions sidebar
  5. Enter values. The common name should be the domain name and must end in colostate.edu
  6. Click Next
  7. Select RSA provider
  8. Select 2048 bit length
  9. Click Next
  10. Enter a file path for the CSR. This is a text file containing encoded information about the server and the encryption key

Submitting a CSR via CSU-ACNS

  1. Open the CSR file and copy the text content
  2. Visit the CSU-ACNS InCommon Certificate Request page
  3. Sign in with CSU eid
  4. Enter Parameters
    1. Contact Email: The email address where the certificate will be sent
    2. Cert Type: Basic SSL (SHA-2)
    3. CSR: Text copied from the CSR file generated using IIS
    4. FQDN: Server domain name ending in colostate.edu
    5. Term: 3 years
    6. Server Software: Microsoft IIS 5.x +
  5. Click Check CSR and resolve any errors
  6. Click Send Request
  7. Await email with URL to download certificate
    Many forms of the certificate are given. Download the one labeled as X509 Certificate only, Base64 encoded

Registering a certificate with IIS

Method 1

Note: This is the preferred method but may result in an error
  1. Download the certificate labeled as X509 Certificate only, Base64 encoded
  2. Copy the downloaded .cer file to the server
  3. Launch IIS
  4. Select the server node under Connections
  5. Double-click Server Certificates under the IIS section
  6. Click Complete Certificate Request in the Actions sidebar
  7. Enter the path to the .cer file
  8. Enter a friendly name for the certificate
  9. Click OK. If an error occurs proceed to Method 2

Method 2

  1. Download the certificate labeled as X509 Certificate only, Base64 encoded
  2. Copy the downloaded .cer file to the server
  3. Right-click the .cer file
  4. Click Install Certificate
  5. Proceed through dialog using default options

Configuring IIS to use HTTPS

  1. Launch IIS
  2. Select the web site for which to enable HTTPS
  3. Click Bindings in the Actions sidebar
  4. Select HTTPS in the listing
    1. If HTTPS is not listed, click Add
  5. Set the following parameters
    Type: https
    IP address: All Unassigned
    Port: 443
    SSL Certificate: Appropriate certificate for the domain
  6. Click OK
  7. Click Close
  8. Navigate to the site using HTTPS. If the certificate configuration is invalid, you'll receive a warning from the browser.
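
The following PowerShell check is an added example, not part of the original procedure. Run in an elevated session on the server, it confirms what the browser test in step 8 cannot show directly: that the installed certificate has its private key, uses an RSA key of at least 2048 bits, is valid for the host name, and is the one bound to port 443. The host name and site name are hypothetical placeholders, and the script assumes the certificate is in the local computer's Personal store.

```powershell
# Added example: post-install checks for the certificate and the HTTPS binding.
# Assumed values (not from the page); replace with your own.
$Fqdn     = 'myserver.colostate.edu'   # hypothetical host name
$SiteName = 'Default Web Site'         # hypothetical IIS site name

Import-Module WebAdministration

# Look in the local computer's Personal store (assumed location of the
# certificate after Method 1 or Method 2). Pick the newest match.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $Fqdn } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn found in LocalMachine\My" }

# Read the RSA public key; $null if the certificate is not RSA.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$now = Get-Date

# The HTTPS binding on port 443 for the site (bindingInformation is IP:port:host).
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' } |
    Select-Object -First 1

$checks = [ordered]@{
    # Without the private key from the original CSR, IIS cannot serve the certificate.
    'Private key present'             = [bool]$cert.HasPrivateKey
    'RSA key is at least 2048 bits'   = [bool]($rsa -and $rsa.KeySize -ge 2048)
    'Within validity period'          = [bool]($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    # Builds the chain to a trusted root and checks the name against the SSL policy.
    'Chain and host name valid (SSL)' = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
    'Port 443 binding uses this cert' = [bool]($binding -and $binding.certificateHash -eq $cert.Thumbprint)
}

# Print one line per check and return a non-zero exit code if any failed.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) { exit 1 }
```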

Require HTTPS for all connections

  1. Launch IIS
  2. Select the web site for which to require HTTPS
  3. Double-click SSL Settings
  4. Check Require SSL
  5. Click Apply in the Actions sidebar