General steps and resources for setting up SSL Certificates and PKI infrastructure

Project:

Set up a development web server environment which requires SSL and accepts client certificates.  The client certificates may come from a CA that is not immediately contactable, because the development environment is firewalled out of the CA network.


Using IIS7.5 on a Windows 7 Ultimate workstation.

General steps:
1) Install an SSL certificate for your web server to enable SSL.

    a. I had a Certificate Authority server set up in my development environment.
           Certificate Authority services come with Windows Server 2003 and above. You just need to enable the feature. 

    b. I requested a domain certificate from IIS7.5 Server Certificates feature which is located at the web server level of the IIS Managment Console.
    c. Then I enabled SSL on IIS 7.5 at the web site level.

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

2) Your client workstation must trust the CA. 
     a) Go to the CA and get a copy of the CAs public key certificate. 
     b) Install that to your trusted root certificates for your Computer and your user account.
              To go to a management console for managing your certificates:

    (Start -> Run "mmc")
                  File -> Add/Remove Snap-in
                  Choose Certificates and Click Add
                  Choose Computer Account and click Finish, select local computer and click Finish


                  Choose Certificates and Click Add
                  Choose My user account and click Finish


Alternatively, you can use GPOs to configure the trusted root certificate authorities for your domain.
http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx


Also, verify that the CAs for your client certificate are added to the computer account trusted root certificates.

3)  Enable SSL and  Require Certificates under  IIS 7.5 SSL Settings feature for your site.

4) Disable client certificate revocation on IIS 7.0 because you merely want to view the client certificates, and checking for revocation is not possible with the certificate authorities blocked off behind a firewall.
 http://blogs.msdn.com/b/kaushal/archive/2012/10/15/disable-client-certificate-revocation-check-on-iis.aspx




Critical Source Web sites:
http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

http://blogs.msdn.com/b/friis/archive/2011/11/15/troubleshooting-403-7-client-certificate-required-errors-amp-step-by-step-to-make-sure-your-client-certificate-is-displayed-and-selected.aspx

http://blogs.msdn.com/b/kaushal/archive/2012/10/15/disable-client-certificate-revocation-check-on-iis.aspx

http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx


Comments

Post a Comment

Popular posts from this blog

How To use ASPNET_SetReg to store encrypted data in the registry and then decrypt the data for use in your app

1) You may find it a bit unsecure storing usernames and passwords inside your web.config.  As an alternative to doing this, Microsoft has established a standard way to store that type of info in the registry of your server instead.  Yes, you can encrypt portions of the web.config using aspnet_regiis, but it can become quite a hassle if you need to make changes to some of your appSettings keys or change the account password over a number of different applications.   ( http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx ) 2) You can use a simple command line tool called aspnet_setreg.exe to create your registry entries.     You can find the tool here:              http://support.microsoft.com/kb/329290     The tool will use CryptProtectData to encrypt the values you put in the registry. The example in the article uses the following example: Run the following command...
Read more

Nostalgia for SNL's Il Returno De Hercules

Image
Source: http://snltranscripts.jt.org/86/86nhercules.phtml Now that SNL has an official YouTube channel, I had hoped SNL would add the "Il Returno de Hercules" skit to the channel.  The skit was from from SNL Season 12 Episode 14. I was able to find the script for the skit at snltranscripts.jt.org.  And here it is for your viewing pleasure.  If SNL doesn't put this on YouTube, maybe someone can remake it and put it up. Il Returno de Hercules King Laetes.....Dana Carvey/Tom Davis (voice) Helena.....Nora Dunn/Jan Hooks (voice) Hercules.....Bill Murray Guard.....A Whitney Brown Announcer : [ over SCROLL ] "In the time known as the Heroic Age, many centuries before the birth of Christ, Greece was still a savage and uncivilized land. In these dark times, one man alone defended the helpless - the Mighty Hercules. For many years the mighty Hercules fought for the common people, until at length his rich diet and increasingly sedentary lifesty...
Read more

PowerShell Script to Clean the Windows Installer Directory

Yesterday, I had a case of the Windows folder filling up the OS drive on a server. I already have scripts to archive the event log files in c:\windows\system32\winevt, as well as c:\inetpub\logs for web servers.  So I ran those again, but found the OS drive still down to less than 5 GB in space. Using a program called WinDirStat, I discovered that the Windows Installer directory had gotten pretty big, like over 40GB in size. I began my quest to Google for a solution. I saw one article talking about using DISM to clean up the winsxs directory.  https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder However, that didn't clean up the c:\windows\installer directory at all.  Also, installing the Desktop Experience Feature and using the cleanmgr.exe (Disk Clean up) utility didn't clean up the Installer directory either. Many blogs pointed towards a tool called Patch Cleaner. https://www.winhelponline.com/blog/windows-inst...
Read more