If you want to secure your website or any other web interface on a server running under Windows Server, you need to ask and add a SSL certificate to your IIS web server.
- Create a certificate signing request (CSR)
- Generate a SSL certificate using the Windows Server Certification Authority
- Add the certificate to IIS to enable HTTPS for your website
To create a certificate request, open the Internet Information Services (IIS) Manager, select your web server on the left and click on "Server Certificates" in the center.
In the right column, click the "Create a certificate request" link.
Note : for a test web server, you may click on the "Create a self-signed certificate" link. That said, a self-signed certificate will not work with Citrix technologies, RemoteApp, ...
For the certificate request, specify :
- a common name : the domain name for your website. Examples: www.my-site.com or *.my-site.com (this certificate will be valid for all subdomains of "my-site.com" but it is often more expensive)
- Organization : Organization : your company name or the name of your site
- Organizational unit : what you want
- City/locality : the city where the site owner or the company is located
- State/province : Same but for the region or the department
- Country/region : the country in which you are.
IMPORTANT : If you wish to obtain a valid certificate from a trusted certification authority, such information must be correct. Otherwise, the certification authority will probably refuse your certificate request.
Note : in our case, we will create the SSL certificate with our certification authority created under Windows Server, so the city / region and the country will not be checked.
Then, select the size of the encryption key.
This choice depends on the certification authority (CA) that will generate your SSL certificate.
The higher is this value, higher is the encryption. However, check with the desired CA to know what key size are supported.
Finally, click the "..." button to save the certificate request to a file.
Then, click "Finish".
As you can see, the certificate request is encrypted and begins/ends with lines "-----... NEW CERTIFICATE REQUEST-----".
To obtain a valid SSL certificate, you have several options :
- register on a paid CA as Symantec SSL (formerly VeriSign) or GeoTrust. In this case, your SSL certificate will be valid on any PC and any network device.
- register on a free CA as StartSSL. In this case, your SSL certificate is also valid on all PCs, ...
- use a Linux certification authority or a Windows Server certification authority to avoid paying SSL certificate. In this case, SSL certificates will be valid only on desired PCs.*
* When you use a CA that you create on your server, the generated certificates will be considered invalid by computers around the world, because the certificate of your CA is not in trusted certification authorities by default in Windows. To solve this problem, you must add the certificate of your authority in your certificates of trusted authorities of computers on your network.
So, this solution is useful for a test environment or an intranet. This will allow you to secure connections for Citrix technologies, RemoteApp, ... with no problem. Indeed, if your setup is good, Citrix solutions and RemoteApp will consider your certificates as valid.
In our case, we will generate our certificate with our Windows Server Certification Authority.
For this, we access to the address "https://ad-server.informatiweb.lan/certsrv" and connects with the admin account of the "ad-server" server.
- Paste the contents of the certificate request file (with "-----... NEW CERTIFICATE REQUEST-----" lines) in the box
- Select "Certificate template : Web Server"
- Click on Submit
After generating the certificate, we see that :
- ce certificate is valid for the domain : iw-web-server.informatiweb.lan
- it was issued by the certification authority : InformatiWeb CA
- It is valid from 06/09/2015 to 06/08/2017
- the certificate is considered valid (as there is no error displayed) because the certificate of our authority has been added to the server's trusted authorities using a GPO.
Finally, you must first add the generated SSL certificate in the IIS server certificates.
For this, just click on the link "Complete Certificate Request" in the right column.
Select the certificate generated by the certification authority (which is called here : the certification authority response).
Then, specify a friendly name (what you want to give a name for this certificate).
And select a certificate store for this certificate. This choice doesn't matter.
Then, go to the "View" menu and click on "Refresh" for the certificate is displayed.
Now, your certificate is in the IIS server certificates.
Finally, you must add the https protocol (https binding in IIS).
To do this, select the website to secure over SSL (https protocol), and click on "Bindings" in the right column.
Add the "https" type for the "443" port.
Enter the domain name of this website.
Then, select the SSL certificate that we just added.
As you can see, our website "iw-web-server.informatiweb.lan" is protected by a SSL issued by the "InformatiWeb CA" certification authority for the https protocol.