Manage SSL certificates with IIS6
Authors: Brusten Philip & Van der Velpen Jan
Last modified: Monday, 22-May-2006 15:26:05 CEST
!WARNING!
WE STRONGLY ADVISE YOU NOT TO USE THIS METHOD (so we don't support it either).
Microsoft uses MS-specific cryptographic providers, which will most likely cause compatibility problems with other software.
We thought this was a good method until we ran into compatibility problems that could not easily be fixed.
We suggest you manage all SSL keys with OpenSSL and convert them to PKCS#12 (.pfx) if you want to import them into IIS.
Introduction
To secure HTTP connections (i.e. to serve HTTPS) you need an SSL certificate.
We recommend using certificates that are signed by a commercial CA.
When such a certificate is used for the webserver, the browser user does not get a security warning, because the root CA that signed your certificate is by default in the browser's truststore.
For the Shibboleth software we recommend using the same certificate, because this saves money and prevents a lot of possible trust problems.
We suggest you use GlobalSign to sign the public certificates for use within our federation.
Generate private key and Certificate Signing Request
If your IIS is already SSL-enabled you can skip this step and jump to "Export private key".
This step creates a new private key and a matching Certificate Signing Request (CSR).
- We will be using the "Web Server Certificate Wizard" in the IIS manager:
- right click on the web site to be secured (e.g. "Default Web Site") and select "Properties"
- select the "Directory Security" tab
- click "Server Certificate"
- click "Next"
- choose "Create a new certificate", click "Next"
- choose "Prepare request now but send it later", click "Next"
- enter a meaningful name for your web site, select your encryption level (key length), click "Next"
- enter your Departmental Information, click "Next"
- enter the full DNS name of your web site (the common name; it must be exactly the host name users will type in the URL), click "Next"
- enter your Country, City, State, click "Next"
- save the file to your computer (c:\pki\SUBDOMAIN.kuleuven.be.csr), click "Next"
- review your entries, click "Next" and finish the wizard
- click "OK" to close the "Properties" window
- Submit the new .csr file at https://www.globalsign.net/digital_certificate/serversign/request.cfm to have it signed by GlobalSign
note: this will cost you money
- Wait for the reply with your new public certificate. That will take some time (typically a day or two). When you receive it, save the signed certificate to c:\pki\SUBDOMAIN.kuleuven.be.crt
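The warning at the top of this page recommends generating the key and the CSR with OpenSSL instead of the IIS wizard. The script below is an added example (it is not part of the original page and not KU Leuven's own tooling) that does exactly that and then checks the CSR before it goes to the CA: it verifies the CSR's self-signature, so a file damaged on the way is caught early, and prints the Common Name so you can confirm it is the full DNS name of the site. It is written for a POSIX shell with the openssl binary on the PATH; the openssl invocations themselves are the same on Windows with openssl.exe. The directory ./pki (standing in for c:\pki\), the subject fields other than the CN and the host name in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: create an RSA key and CSR with OpenSSL (the method the warning
# recommends over the IIS wizard) and sanity-check the CSR before submitting it.
# PKI_DIR is an assumption standing in for the page's c:\pki\ directory.
PKI_DIR="${PKI_DIR:-./pki}"

# make_csr HOST
#   Writes $PKI_DIR/HOST.key (unencrypted 2048-bit RSA key, mode 0600) and
#   $PKI_DIR/HOST.csr whose Common Name is HOST. The subject fields other than
#   the CN are placeholders (assumed); replace them with your department's data.
make_csr() {
    host="$1"
    mkdir -p "$PKI_DIR" || return 1
    # umask 077 makes the key file unreadable to other users from the moment
    # it is created; the key must never leave this directory unprotected.
    ( umask 077 && openssl genrsa -out "$PKI_DIR/$host.key" 2048 2>/dev/null ) || return 1
    # CN is the full DNS name users type in the URL. Current CAs and browsers
    # also require the name as a subjectAltName, so it is added as well
    # (-addext needs OpenSSL 1.1.1 or newer).
    openssl req -new -key "$PKI_DIR/$host.key" \
        -subj "/C=BE/ST=Vlaams-Brabant/L=Leuven/O=K.U.Leuven/OU=Example Dept/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -out "$PKI_DIR/$host.csr" 2>/dev/null
}

# csr_cn FILE
#   Verifies the CSR's self-signature (a corrupted or tampered CSR is rejected
#   with a non-zero status) and prints the Common Name from its subject.
csr_cn() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    # Handles both subject formats OpenSSL prints:
    # "/C=BE/.../CN=host" (1.0.x) and "C = BE, ..., CN = host" (1.1.1 and later).
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage (host name is an assumption):
#   make_csr shib.example.kuleuven.be && csr_cn "$PKI_DIR/shib.example.kuleuven.be.csr"
```

The key never passes through the Windows certificate store this way, so there is nothing to export later: the .key file from make_csr and the .crt you get back from the CA are the two files Shibboleth needs, and the same pair can be bundled into a .pfx for IIS.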
Import signed certificate
In this step you import the signed public certificate that you received from your Certificate Authority into IIS.
- Save the received certificate to c:\pki\SUBDOMAIN.kuleuven.be.crt
- You have to use the "Web Server Certificate Wizard" in the IIS manager again to install the new certificate:
- right click on the same web site for which you made the CSR in the previous step and select "Properties"
- select the "Directory Security" tab
- click "Server Certificate"
- click "Next"
- choose "Process the pending request", click "Next"
- enter the path to the signed certificate that you received (c:\pki\SUBDOMAIN.kuleuven.be.crt), click "Next"
- keep 443, the standard port for SSL, click "Next"
- review the "Certificate Summary", click "Next"
- if the signing CA is in the machine's truststore there should be no security warnings; click "Finish"
- click "OK" to close the "Properties" window
- your IIS webserver is now listening on port 443; you can try https://localhost/Shibboleth.sso (again, localhost might not be the correct hostname for mapping this request to the Shibboleth handler)
Export private key
Unfortunately IIS does not allow you to export your private key separately. That is why we first export both the certificate and the key into a keystore (a PKCS#12 / .pfx file). Then we convert the keystore into a separate private key and certificate using OpenSSL.
- Export the private key:
(you can also do this in the IIS management console, but that gives you fewer options)
- "Start" > "Run...", type mmc, click "OK"
- in the menu bar, choose "File" > "Add/Remove Snap-in"
- click on "Add", a new window pops up:
- double-click on "Certificates"
- choose "Computer Account" and click "Next"
- choose "Local Computer" and click "Finish"
- close the "Add Standalone Snap-in" box
- in the "Console Root" tree, go to "Certificates (Local Computer)" > "Personal" > "Certificates"
certificates that are not signed yet are in "Certificates (Local Computer)" > "Certificate Enrollment Requests" > "Certificates"
- right click on the certificate whose key you want to export and choose "All Tasks" > "Export...", the "Certificate Export Wizard" pops up:
- select to export the private key
- the defaults for export are ok (strong encryption is ok), click "Next"
- the password encrypts the private key inside the .pfx file; pick one and remember it, because you need it to open the keystore in the next step. Since the next step writes the key out unencrypted anyway, protecting access to the files matters more than this password.
- choose to save the file as c:\pki\SUBDOMAIN.kuleuven.be.pfx
- review the settings and click "Finish"; you should get a message that the export was successful (you can close the mmc window now)
- Convert the keystore to a separate key (and certificate):
- run the OpenSSL command to export an unencrypted key from the keystore you just created. (If you only need OpenSSL for this conversion you can get a binary at http://shib.kuleuven.be/download/openssl_windows_binary_0.9.7g/. Save openssl.exe in c:\pki\)
Running the next command produces SUBDOMAIN.kuleuven.be.key, a text (PEM) file that contains the unencrypted private key; you will be prompted for the password you chose during the export:
c:\pki\openssl pkcs12 -in SUBDOMAIN.kuleuven.be.pfx -out SUBDOMAIN.kuleuven.be.key -nodes -nocerts
- If the signed certificate SUBDOMAIN.kuleuven.be.crt is not yet saved in c:\pki\, you can extract the certificate from the keystore in a similar way:
c:\pki\openssl pkcs12 -in SUBDOMAIN.kuleuven.be.pfx -out SUBDOMAIN.kuleuven.be.crt -nodes -clcerts -nokeys
note: if you have not imported a matching signed certificate into IIS yet, the keystore contains a certificate that is not signed by the CA!
- You now have two separate files in c:\pki\: one containing your private key and one containing the matching public certificate.
- These two files are specified in the configuration of the Shibboleth software.
Note that this key is used to sign and/or encrypt all Shibboleth network communication. Therefore you should take great care in protecting access to these files (the .key file holds the private key unencrypted)! Only the webserver and the Shibboleth daemon need read access.
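The shell functions below are an added example (not part of the original page and not KU Leuven's own tooling). They carry out the conversion from this section with OpenSSL and add the checks a practitioner wants before handing the files to Shibboleth: that the extracted key really belongs to the extracted certificate, and that the certificate is not the unsigned placeholder mentioned in the note above (a certificate whose issuer equals its subject cannot be the CA-signed one you are waiting for). The last function goes the other direction and bundles an OpenSSL-managed key and signed certificate into a .pfx for import into IIS, which is what the warning at the top of the page recommends. It runs in a POSIX shell with openssl on the PATH; the file names, the password and the choice of PBE algorithms for the bundle are assumptions.

```shell
#!/bin/sh
# Added example: split a .pfx exported from IIS into key + certificate, check
# that they belong together, and bundle an OpenSSL-managed key/cert back into
# a .pfx for IIS. Requires the openssl binary; file names are assumptions.

# pfx_split PFX PASSWORD BASENAME
#   Writes BASENAME.key (unencrypted private key, mode 0600) and BASENAME.crt
#   (the leaf certificate only; -clcerts drops any CA certificates in the file).
#   Fails (non-zero) on a wrong password, since the PKCS#12 MAC does not verify.
pfx_split() {
    pfx="$1"; pass="$2"; base="$3"
    # The key is written unencrypted (-nodes), so restrict it from creation.
    ( umask 077 && openssl pkcs12 -in "$pfx" -passin "pass:$pass" \
          -nodes -nocerts -out "$base.key" 2>/dev/null ) || return 1
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" \
        -nodes -clcerts -nokeys -out "$base.crt" 2>/dev/null
}

# key_matches_cert KEY CRT
#   Succeeds only if the RSA modulus of the key equals that of the certificate,
#   i.e. the certificate was issued for this key and not for some other CSR.
key_matches_cert() {
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_is_self_signed CRT
#   Succeeds if issuer == subject. A certificate exported before the signed
#   one was imported into IIS is not issued by your CA, so this catches the
#   case described in the note above.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer  2>/dev/null) || return 1
    [ -n "$s" ] && [ "${s#subject=}" = "${i#issuer=}" ]
}

# pfx_bundle KEY CRT PASSWORD OUT
#   Packs an OpenSSL-managed key and its signed certificate into a PKCS#12
#   file for import into IIS. PBE-SHA1-3DES and a SHA-1 MAC are chosen
#   (assumption) because Windows importers of the IIS 6 era understand them;
#   the AES/PBKDF2 defaults of OpenSSL 3 are not accepted by older Windows.
pfx_bundle() {
    ( umask 077 && openssl pkcs12 -export -inkey "$1" -in "$2" \
          -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
          -passout "pass:$3" -out "$4" 2>/dev/null )
}

# Usage (file names are assumptions):
#   pfx_split SUBDOMAIN.kuleuven.be.pfx 'the-export-password' SUBDOMAIN.kuleuven.be
#   key_matches_cert SUBDOMAIN.kuleuven.be.key SUBDOMAIN.kuleuven.be.crt || echo "key/cert mismatch"
#   cert_is_self_signed SUBDOMAIN.kuleuven.be.crt && echo "certificate is not CA-signed"
```

Run key_matches_cert every time a certificate is renewed: a CA-signed certificate that was issued for a different CSR than the key you deploy is the most common reason an otherwise correct Shibboleth configuration fails to start, and the modulus comparison finds it before the daemon does.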