IIS Server Security - certificates

Jordan

2004-11-28, 5:49 pm

Hello,

Question: what is the TRUE purpose of having a
certificate for a website? Just to prove the
authenticity, saying this is the REAL site?

Regards,
Jordan

Miha Pihler

2004-11-28, 5:49 pm

Hi Jordan,

There are usually at least two reasons. One is what you described -- server
authentication. E.g., I really want to know that I am talking to a Microsoft
server when I am downloading patches; or I really want to know that I am
talking to my on-line bank's server when I am entering data to access my
account information.

The other purpose is to encrypt the data that is exchanged between the
server and the client. I don't want people to listen in on my conversation
when I am sending information from my computer to the bank server -- or when
the bank server replies with information.

There are also client-side certificates. They are used to authenticate users
to the web server. This way the server knows who it is talking to (since I am the
only one who is supposed to have the private key).

I hope this helps,

Mike




Jordan

2004-11-28, 5:49 pm

Thanks for the reply, where can I find more information
regarding how to set this up on some of my websites?

Regards,
Jordan


Miha Pihler

2004-11-28, 5:49 pm

Hi,

Here is some general information that may help.

How To Set Up an HTTPS Service in IIS
http://support.microsoft.com/?kbid=324069

How To Set Up SSL Using IIS 5.0 and Certificate Server 2.0
http://support.microsoft.com/kb/299525

The setup process depends on:
* the version of the operating system where IIS is running (Windows 2000, Windows
XP, Windows 2003 Server)
* the origin of the certificate (will you buy a certificate from a 3rd-party CA
company (e.g. Verisign, Thawte, ...) or will you issue your own
certificates)

You can issue your own certificates in two ways:
* you can use the SelfSSL tool from the IIS 6 Resource Kit (it works on Windows 2003
Server and Windows XP)
* you can set up your own CA server

IIS 6.0 Resource Kit Tools
http://www.microsoft.com/downloads/...&DisplayLang=en

The problem with your own certificates is that users outside your company
will not be able to recognize them by default, the way they would recognize e.g.
Verisign certificates. E.g., I have the Verisign Root Certificate in my Trusted
Root Store; therefore I trust any certificate issued by this CA. Since I
don't have your certificate in my trusted root store, I would get a warning
that the site I am trying to access is not trusted. I would have the option
to choose whether I want to continue...
http://freeweb.siol.net/mpihler/nottrusted.jpg

Your own CA server is usually used for internal purposes, while 3rd-party CAs
are used when e.g. doing business on-line with a large number of people...

Here is additional information about the Microsoft CA service:

New features:
http://www.microsoft.com/technet/pr...lan/pkienh.mspx
Operations guide:
http://www.microsoft.com/technet/pr...y/ws03pkog.mspx
Managing PKI:
http://www.microsoft.com/technet/pr...ity/mngpki.mspx
Best practices:
http://www.microsoft.com/technet/pr...y/ws3pkibp.mspx
Certificate templates:
http://www.microsoft.com/technet/pr...y/ws03crtm.mspx
Certificate autoenrollment in Windows Server 2003:
http://www.microsoft.com/technet/pr...y/autoenro.mspx
Key archival:
http://www.microsoft.com/technet/pr...y/kyacws03.mspx
Advanced certificate enrollment:
http://www.microsoft.com/technet/pr...ty/advcert.mspx
Web enrollment:
http://www.microsoft.com/technet/pr.../webenroll.mspx
CRLs:
http://www.microsoft.com/technet/se...to/tshtcrl.mspx

Feel free to post back with any additional questions...

I hope this helps,

Mike

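The trust-store point Mike makes above (a certificate is only accepted without a warning when its issuing CA's root sits in the client's Trusted Root store and the name on it matches the site), as an added example that is not from the thread: a shell script in which OpenSSL stands in for the internal CA server, the IIS server certificate and the browser's check. The CA name and host names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA issues a server certificate,
# then OpenSSL checks it the way a browser would. All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create the internal CA: a self-signed root, the role a Microsoft CA server plays.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate for one host name, signed by the internal CA.
make_server_cert() {
  host=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORK/srv.ext"
  openssl x509 -req -days 365 -in "$WORK/srv.csr" -extfile "$WORK/srv.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/srv.crt" 2>/dev/null
}

# Play the browser: chain the server cert to a root in the trust store and
# match the host name. Prints OK (no warning) or FAIL (the "not trusted" prompt).
# An empty trust store stands for a client that never imported the internal CA.
check_cert() {
  host=$1
  trust=${2:-}
  if [ -n "$trust" ]; then
    opts="-CAfile $trust"
  else
    opts="-no-CAfile -no-CApath"
  fi
  if openssl verify $opts -verify_hostname "$host" "$WORK/srv.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

make_ca
make_server_cert www.example.com
echo "CA trusted, right host:  $(check_cert www.example.com "$WORK/ca.crt")"
echo "CA not trusted:          $(check_cert www.example.com)"
echo "CA trusted, wrong host:  $(check_cert mail.example.com "$WORK/ca.crt")"
```

The second and third lines of output are the two ways a user ends up at the warning in the screenshot: a root the client does not trust, or a certificate issued for a different name than the one in the address bar.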

