SSL


Steps to Enable SSL in IIS on Windows XP


Enabling SSL in IIS is not as simple as clicking a checkbox, especially on Windows XP. Here I will demonstrate how to use OpenSSL to create a self-signed certificate that enables SSL encryption, free of charge, for testing and private purposes.

Installing IIS on Windows XP
The first and most basic requirement is that IIS be installed on the system. To install it you must have administrator privileges. Go to Control Panel -> Add Remove Programs -> Add Remove Windows Components, check the Internet Information Services checkbox and complete the installation. Once that finishes, you will have a directory called c:\Inetpub\wwwroot on your hard drive that contains the files your web server will serve.

Requirements for installing Self-Signed Certificate
Encryption on the web is possible using a technology called SSL (Secure Sockets Layer). However, enabling SSL on IIS is not as simple as clicking a checkbox setting. The requirements are below:
  • OpenSSL i386 binary and source distributions (free)
    • These files can be downloaded from these links
    • For bin file follow this link bin folder
    • For source file follow this link source folder
  • Active Perl (free)
    • Active Perl can be downloaded from this link Active Perl
  • Basic knowledge of how to use the command shell "cmd"

IIS Directory Security
Click on Start Menu -> Run and type inetmgr. Expand the following hierarchy: ‘Computer-Name’ (local computer) -> Web Sites -> Default Web Site.
Right-click on “Default Web Site” and select “Properties”. Then click on the “Directory Security” tab.

Prepare a Certificate Request
Click on the "Server Certificate..." button. This will open the Web Server Certificate Wizard. Click "Next". At this point, you have the options of "Create a new certificate", "Assign an existing certificate", and "Import a certificate from a Key Manager backup file." Select "Create a new certificate" and click Next.



Create the Self-Signed Certificate using OpenSSL
Continuing in the wizard, choose "Prepare the request now, but send it later." The next four dialogs will ask you about the names that should be in the certificate. You can leave the defaults, or enter a name and location for your company. Finally, the wizard will ask you to save the certificate request to a file named certreq.txt. This file is usually saved on the C:\ drive.
Now we need both OpenSSL packages, labeled “src” and “bin”, that were listed in the requirements above. The Active Perl installation will be used to run Perl scripts on the machine.
Next, unzip both of the OpenSSL packages to temporary folders. From the binaries package "bin" folder, copy the files "openssl.exe" and the two DLLs into the source package's "apps" folder. In the "apps" folder is a file called CA.pl. Open this perl script in a text editor (or you can right click on the file, select open with and then choose WordPad from the list) and change the line $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; to read $SSLEAY_CONFIG="-config openssl.cnf";. Now copy the certreq.txt file you made above into this "apps" directory, and rename it to "newreq.pem".
Next, open a command prompt window in the apps directory, and run the following commands:
  • perl CA.pl -newca
  • perl CA.pl -signreq

Install the Certificate
If all is successful, you should have a file called "newcert.pem" in the "apps" directory, which contains your certificate. Open this file in a text editor and remove everything before the -----BEGIN CERTIFICATE----- line.
Go back to the IIS Management Console by following the same steps (Start Menu -> Run -> type inetmgr and press Enter). Go to the properties of Default Web Site, select the Directory Security tab and click Server Certificates. In the wizard, select "Process the pending request and install the certificate" and press Next. Browse to and open the newcert.pem file in the "apps" directory. (Note: you will have to set the file filter to "all files" in order to see the .pem file.) Click Next to complete the process.
That's it! Now you have IIS set up with an SSL certificate. To turn on SSL, make sure in the "IIS configuration"->"Web Site tab"->"Advanced"->"Multiple SSL identities for this Web Site", you have a default IP address registered on port 443. If you want to only allow SSL encrypted connections from web browsers, click the "Edit" button in the "Secure Communications" section of the "Directory Security" tab, in the properties of Default Web Site and check the "Require secure channel (SSL)" checkbox.
To check whether SSL is enabled, open Internet Explorer and type http://localhost/ in the address bar. You will see the messages “The page must be viewed over a secure channel” and “Try again by typing https:// at the beginning of the address you are attempting to reach”. Now add “s” after http and you will be able to view the page after a security message.
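
The manual clean-up of newcert.pem described above can also be scripted. The following is an added example, not part of the original article: it keeps only the certificate block, checks that the payload decodes, and prints a SHA-1 thumbprint to compare with the one Windows shows for the installed certificate. The function names and the sample input are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def extract_certificate(text):
    """Return (clean_pem, der_bytes) for the single certificate block in text."""
    blocks = re.findall(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if len(blocks) != 1:
        raise ValueError("expected one certificate block, found %d" % len(blocks))
    body = "".join(blocks[0].split())            # drop line breaks and indentation
    der = base64.b64decode(body, validate=True)  # raises ValueError on non-base64 debris
    if not der or der[0] != 0x30:                # a certificate is an ASN.1 SEQUENCE
        raise ValueError("payload does not look like DER")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN] + lines + [END]) + "\n", der

def fingerprint(der, algo="sha1"):
    """Colon-separated hex digest of the DER bytes (SHA-1 matches the Windows thumbprint)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-in for newcert.pem: a text dump followed by the PEM block.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x60]) + bytes(range(96))  # not a real certificate
SAMPLE_NEWCERT = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "        Issuer: CN=Example Test CA\n"
    + BEGIN + "\n" + base64.encodebytes(SAMPLE_DER).decode() + END + "\n"
)

if __name__ == "__main__":
    pem, der = extract_certificate(SAMPLE_NEWCERT)
    print(pem, end="")
    print("SHA-1 thumbprint:", fingerprint(der))
```
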

Partially SSL Secured Web Pages
Secure pages are opened with URLs that start with https instead of http; the extra ‘s’ stands for secure. To access the secure pages, we need to divert the address from http to https, and back to http when we are not accessing secure pages. To do this, go to the IIS console, right-click the website you want to manage and open its properties, go to the Directory Security tab and select Edit in the Secure Communications section. Uncheck the "Require 128-bit encryption" and "Require secure channel (SSL)" check boxes so that the whole website is not forced to use SSL. It is recommended that the pages you want to secure be kept in a separate directory.
To make the changes in the web.config file we may also need to include the SSL libraries. A file called “SSLDemo” can be downloaded from this link SSLDemo. Unzip it and go to SSLLibrary -> Bin -> Debug, then copy both files, SSLLibrary.dll and the other SSLLibrary file, into the Bin folder of your project. If the Bin folder does not exist, create one by right-clicking on your project and choosing ASP.NET Folder -> Bin.

Now make the following changes to the web.config file. If there isn’t a web.config file, create one. Add the following line inside the <configSections> element:
<section name ="secureWebPages" type ="SSLLibrary.SecureWebPageSectionHandler, SSLLibrary"/>
After the closing </configSections> tag, add the following lines:
<secureWebPages enabled ="true" secureWebServer="https://localhost">
<file path = "ViewPage.aspx"/>
</secureWebPages>
In this case I have used ViewPage.aspx as the page to be secured and localhost as the name of the secureWebServer. Change these to the name of the page you want to secure and the name of your server. If more than one page needs to be secured, multiple tags can be added, for example:
<file path = "Default.aspx"/>
<file path = "ViewPage.aspx"/>
<file path = "AddPage.aspx"/>
….
….
To secure a whole directory containing a number of pages, use the following tag instead:
<directory path = "Secure"/>

Inside the <httpModules> element, add the following line:
<add name ="SecureWebPage" type ="SSLLibrary.SecureWebPageModule, SSLLibrary"/>
Now run the website and check that the secure pages are diverted to URLs starting with https and that, when you leave the secure pages, the URL starts with http again.
