The steps for configuring Secure Sockets Layer (SSL) for a site are the same in IIS 7 and above and IIS 6.0, and include the following:
This document provides some basic information on SSL, then shows how to enable SSL in many several different ways:
This article contains the following sections:
The implementation of SSL changed from IIS 6.0 to IIS 7 and above. In IIS 6.0 on Windows Server 2003, all SSL configuration was stored in the IIS metabase, and encryption/decryption occured in User mode (requiring a lot of kernel/user mode transitions). In IIS 7 and above, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections in IIS 7 and above than that experienced in IIS 6.0.
Using SSL in kernel mode requires storing SSL binding information in two places. First, the binding is stored in %windir%\System32\inetsrv\config\applicationHost.config for your site. When the site starts, IIS sends the binding to HTTP.sys, and HTTP.sys starts listening for requests on the specified IP:Port (this works for all bindings). Second, the SSL configuration associated with the binding is stored in the HTTP.sys configuration. Use thenetsh command at a command prompt to view SSL binding configuration stored in HTTP.sys as in the following example:
netsh http show sslcert
When a client connects and initiates an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP:Port pair to which the client connected. The HTTP.sys SSL configuration must include a certificate hash and the name of the certificate store before the SSL negotiation will succeed.
Troubleshooting Tip: If you're having trouble with an SSL binding, verify that the binding is configured in ApplicationHost.config, and that the HTTP.sys store contains a valid certificate hash and store name for the binding.
When choosing a certificate, consider the following: Do you want end users to be able to verify your server's identity with your certificate? If yes, then either create a certificate request and send that request to a known certificate authority (CA) such as VeriSign or GeoTrust, or obtain a certificate from an online CA in your intranet domain. There are three things that a browser usually verifies in a server certificate:
If one or more of these checks fails, the browser prompts the user with warnings. If you have an Internet site or an intranet site where your end users are not people you know personally, then you should always ensure that these three parameters are valid.
Self-signed certificates are certificates created on your computer. They're useful in environments where it's not important for an end user to trust your server, such as a test environment.
You cannnot request or create a certificate by using AppCmd.exe. You also cannot use AppCmd.exe to create an SSL binding.
You can use AppCmd.exe to configure a site to accept only server HTTPS connections by modifying thesslFlags attribute in the Access section. For example, you can configure this setting for the "Default Web Site" in the ApplicationHost.config file (for example, commitPath:APPHOST) by using the following command:
% windir % \system32\inetsrv > AppCmd set config "Default Web Site" - commitPath : APPHOST - section : access - sslFlags : SslIf successful, the following message is displayed:
Note: To require 128-bit SSL, change the sslFlags value to Ssl128.
The following example demonstrates how to view the <access/> section settings for the Default Web Site. ThesslFlags attribute has been set successfully.
%windir%\system32\inetsrv>AppCmd list config "Default Web Site" -section:access
Executing the command results in the following entry in the ApplicationHost.config file:
<system.webServer> <security> <access flags="Script, Read" sslFlags="Ssl" /> </security> </system.webServer>
You cannot request or create a certificate by using the WebAdministration WMI namespace.
The following script demonstrates how to create a new SSL binding and how to add the appropriate configuration for both HTTP.sys and IIS:
Set oIIS = GetObject("winmgmts:root\WebAdministration")
''''''''''''''''''''''''''''''''''''''''''''' ' CREATE SSL BINDING ''''''''''''''''''''''''''''''''''''''''''''' oIIS.Get("SSLBinding").Create _ "*", 443, "4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8", "MY"
''''''''''''''''''''''''''''''''''''''''''''' ' ADD SSL BINDING TO SITE ''''''''''''''''''''''''''''''''''''''''''''' Set oBinding = oIIS.Get("BindingElement").SpawnInstance_ oBinding.BindingInformation = "*:443:" oBinding.Protocol = "https" Set oSite = oIIS.Get("Site.Name='Default Web Site'") arrBindings = oSite.Bindings ReDim Preserve arrBindings(UBound(arrBindings) + 1) Set arrBindings(UBound(arrBindings)) = oBinding oSite.Bindings = arrBindings Set oPath = oSite.Put_
Note: The certificate hash and store must reference a real, functional certificate on your server. If the certificate hash and/or store name are bogus, an error is returned.
The following script demonstrates how to set SSL settings by using the IIS WMI provider. You can find this value in the IIS_Schema.xml file.
CONST SSL = 8Select the server node in the treeview and double-click the Server Certificatesfeature in the listview:
Click Create Self-Signed Certificate... in the Actions pane.
Enter a friendly name for the new certificate and click OK.
Now you have a self-signed certificate. The certificate is marked for "Server Authentication" use; that is, it uses as a server-side certificate for HTTP SSL encryption and for authenticating the identity of the server.
Select a site in the tree view and click Bindings... in the Actions pane. This brings up the bindings editor that lets you create, edit, and delete bindings for your Web site. ClickAdd... to add your new SSL binding to the site.
The default settings for a new binding are set to HTTP on port 80. Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from theSSL Certificate drop-down list and then clickOK.
Now you have a new SSL binding on your site and all that remains is to verify that it works.
In the Actions pane, under Browse Web Site, click the link associated with the binding you just created.
Internet Explorere (IE) 7 and above will display an error page because the self-signed certificate was issued by your computer, not by a trusted Certificate Authority (CA). IE 7 and above will trust the certificate if you add it to the list of Trusted Root Certification Authorities in the certificates store it on the local computer, or in Group Policy for the domain.
Click Continue to this website (not recommended).
Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the tree view to go back to the site's home page. Double-click theSSL Settings feature in the middle pane.
In this walkthrough, we successfully used the command-line tool AppCmd.exe, the scripting provider WMI, and IIS Manager to set up SSL on IIS.