|
Home > Archive > IIS Server Security > January 2004 > SSL and certificates
| Author |
SSL and certificates
| Are client certificates necessary for SSL or just server
certificates?
The Microsoft help for setting up SSL takes you through
creating a server root certificate and another server
certificate and then installing each on all of the
clients. But other documentation that I have read
suggests that SSL only needs server certificates and that
client certificates are only needed for certificate
authentication. I want to use forms authentication and
don't want to force our customers to deploy client
certificates if they don't have to.
| |
| Keith W. McCammon 2004-01-24, 1:55 am |
| Only a server certificate is required. The client should have the root
certificate of the issuing CA installed, but in most cases (i.e., public
sites with certificates issued by Verisign, Entrust, etc.) this is already
done, so many folks simply assume that this step doesn't exist.
"Kevin" <anonymous@discussions.microsoft.com> wrote in message
news:0f9a01c3be60$ed204a00$a101280a@phx.gbl...
> Are client certificates necessary for SSL or just server
> certificates?
>
> The Microsoft help for setting up SSL takes you through
> creating a server root certificate and another server
> certificate and then installing each on all of the
> clients. But other documentation that I have read
> suggests that SSL only needs server certificates and that
> client certificates are only needed for certificate
> authentication. I want to use forms authentication and
> don't want to force our customers to deploy client
> certificates if they don't have to.
| |
|
| So, I guess if you create your own certificates, then you
have to perform an extra step of deploying them on all of
the clients that might access your site?
>-----Original Message-----
>Only a server certificate is required. The client should have the root
>certificate of the issuing CA installed, but in most cases (i.e., public
>sites with certificates issued by Verisign, Entrust, etc.) this is already
>done, so many folks simply assume that this step doesn't exist.
>
>"Kevin" <anonymous@discussions.microsoft.com> wrote in message
>news:0f9a01c3be60$ed204a00$a101280a@phx.gbl...
| |
| Keith W. McCammon 2004-01-24, 1:55 am |
| Unless you want everyone to get an annoying warning every time they visit
your site, yes. It's actually not that bad, though. You can push it out
via SMS, or have them download an auto-installing file from a web site.
"Kevin" <anonymous@discussions.microsoft.com> wrote in message
news:00f101c3be75$056d0df0$a301280a@phx.gbl...
> So, I guess if you create your own certificates, then you
> have to perform an extra step of deploying them on all of
> the clients that might access your site?
| |
| Christopher Haun 2004-01-24, 1:55 am |
|
A server certificate is what you'll want to do encrypted traffic over port
443 between IIS and a client's browser. You can install CA on one of your
IIS boxes and make your own certificates, you can get a temporary sample
certificate for free from Verisign to test with and play with, or you can
purchase one from a certification authority such as Verisign or Thawte or
such.
Client certificates are what you might want to issue to select clients if
you want to control who can and cannot authenticate to an IIS website.
Client certificates give you an alternative to Integrated, Digest, and
Basic authentication and can even be mapped to Active Directory accounts.
It gives you a method of authentication that works as seamlessly as
Integrated authentication but, unlike integrated, will work over multiple
router hops.
Here is a list of some certificate-related KB articles for your reference:
324069 HOW TO: Set Up an HTTPS Service in IIS
http://support.microsoft.com/?id=324069
299525 HOWTO: Set Up SSL Using IIS 5.0 and Certificate Server 2.0
http://support.microsoft.com/?id=299525
290625 HOW TO: Configure SSL in a Windows 2000 IIS 5.0 Test Environment by
http://support.microsoft.com/?id=290625
257591 Description of the Secure Sockets Layer (SSL) Handshake
http://support.microsoft.com/?id=257591
257587 Description of the Server Authentication Process During the SSL
Handshake
http://support.microsoft.com/?id=257587
257586 Description of the Client Authentication Process During the SSL
Handshake
http://support.microsoft.com/?id=257586
239875 HOW TO: Use ASP to Force SSL for Specific Pages
http://support.microsoft.com/?id=239875
234022 XCLN: Configuring Exchange OWA to Use SSL
http://support.microsoft.com/?id=234022
216907 HOW TO: Obtain a Test Certificate or a Test Client Authentication
http://support.microsoft.com/?id=216907
197306 How to Troubleshoot SSL in Internet Information Server 4.0
http://support.microsoft.com/?id=197306
187504 HTTP 1.1 Host Headers Are Not Supported When You Use SSL
http://support.microsoft.com/?id=187504
228991 How to Create and Install an SSL Certificate in Internet Information
4.0
http://support.microsoft.com/?id=228991
279681 How to Force SSL Encryption for an Outlook Web Access 2000 Client
http://support.microsoft.com/?id=279681
320291 XCCC: Turning On SSL for Exchange 2000 Server Outlook Web Access
http://support.microsoft.com/?id=320291
232136 HOW TO: Back Up a Server Certificate in Internet Information
Services 5.0
http://support.microsoft.com/?id=232136
232137 How to Import a Server Certificate for Use in Internet Information
Services 5.0
http://support.microsoft.com/?id=232137
246072 Certificate Authorities: Using Digital Certificates for
Authentication (in IIS 4.0)
http://support.microsoft.com/?id=246072
289749 Certificate Revocation Lists (CRL) and IIS 5.0: Common Questions
http://support.microsoft.com/?id=289749
281106 How to Use a Certificate for SSL Authentication Within a Web
Publishing (ISA 2000)
http://support.microsoft.com/?id=281106
295281 How To Renew or Create New Certificate Signing Request While Another
(IIS5)
http://support.microsoft.com/?id=295281
310114 HOW TO: Export Certificates in Windows 2000
http://support.microsoft.com/?id=310114
310178 HOW TO: Install Imported Certificates on a Web Server in Windows 2000
http://support.microsoft.com/?id=310178
310389 HOW TO: Request a Certificate by Using the Certificates Snap-In
(Win2k)
http://support.microsoft.com/?id=310389
313071 HOW TO: Configure Certificate Trust Lists in Internet Information
Server 5.0
http://support.microsoft.com/?id=313071
313281 HOW TO: Publish a Certificate Revocation List in Windows 2000
http://support.microsoft.com/?id=313281
320878 HOW TO: Manage Certificates in Windows 2000
http://support.microsoft.com/?id=320878
329508 HOW TO: Install a Server Certificate After a Pending Request Is
http://support.microsoft.com/?id=329508
This step-by-step article describes how to install a server certificate
that you have obtained from a certification authority (such as VeriSign or
Thawte) after you have accidentally deleted a pending request for the
certificate in Internet Service Manager.
816794 HOW TO: Install Imported Certificates on a Web Server in Windows
Server (IIS 6)
http://support.microsoft.com/?id=816794
Download details: SSL Diagnostics Version 1.0 (x86)
Download the Secure Socket Layer (SSL) troubleshooting tool for Internet
Information Services (IIS).
http://www.microsoft.com/downloads/...a1d0-5a10-41bc-83d4-06c814265282&displaylang=en
SSL Diagnostic Utility Download for IIS - Microsoft Service Providers
Web administrators have a new tool for troubleshooting Secure Sockets Layer
(SSL) configuration problems on IIS servers. SSL Diagnostics Version 1.0
gives administrators a central place to review metabase configurations,
simulate IIS SSL client\server handshakes, and even generate a self-signed
certificate with a single click.
http://www.microsoft.com/servicepro...iag_P133360.asp
How Secure Sockets Layer Works (Support Article)
This article provides an overview of how Secure Sockets Layer (SSL) works.
http://support.microsoft.com/defaul...b;EN-US;q245152
Client Certificates: Mapping, Revocation, etc…
232165 Enabling Certificate Revocation Checking in Internet Information
Server 4.0
http://support.microsoft.com/?id=232165
248058 Error Message: HTTP 403.13 Forbidden: Client Certificate Revoked
(IIS5)
http://support.microsoft.com/?id=248058
313070 HOW TO: Configure Client Certificate Mappings in Internet Information
http://support.microsoft.com/?id=313070
272175 HOW TO: Configure Active Directory Certificate Mapping (IIS5)
http://support.microsoft.com/?id=272175
216906 Comparing IIS 5.0 Certificate Mapping and Native Windows 2000
http://support.microsoft.com/?id=216906
http://msdn.microsoft.com/library/d...-us/vsent7/html/vxconaspnetdelegation.asp
http://www.microsoft.com/technet/tr...chnet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_mappingcertsone.asp
http://www.vb2themax.com/HtmlDoc.as...s&ID=320&Page=2
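
The trust relationship discussed in this thread, as an added example that is not part of the original posts: OpenSSL stands in for the certificate server here, and the subject names and file names are constructed. It issues a server certificate from a private root and shows that a client accepts it only once that root is in the client's trust list; no client certificate is created at any point.

```shell
#!/bin/sh
# Added example. Assumptions: OpenSSL CLI with its default config is installed;
# all names (Example Private Root CA, www.example.test) are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Private root CA (self-signed). This is the one certificate that has to be
#    deployed to clients; its private key never leaves the CA.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Private Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# 2. Server certificate for the web site, signed by the private root.
#    Only the server holds srv.key; clients receive srv.pem in the handshake.
make_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -days 30 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/srv.pem" 2>/dev/null
}

# 3. The client-side decision: can the server certificate be chained to a
#    trusted root?  $1 = "trusted" when the root has been deployed to the client.
client_check() {
  if [ "$1" = "trusted" ]; then
    openssl verify -CAfile "$WORK/root.pem" "$WORK/srv.pem" >/dev/null 2>&1
  else
    # Empty trust list: the state of a client before the root is pushed out.
    openssl verify -no-CAfile -no-CApath "$WORK/srv.pem" >/dev/null 2>&1
  fi
}

make_root
make_server
client_check untrusted && echo "root not deployed: accepted" \
                       || echo "root not deployed: browser would warn"
client_check trusted   && echo "root deployed: accepted" \
                       || echo "root deployed: browser would warn"
```

With a certificate bought from a public CA, step 1 and the deployment disappear because the root already ships in the client's trust list.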