Showing posts with label certificate authority. Show all posts

Monday, June 06, 2005

SSL Overview: Part 4, Approve the pending certificate

Continuing through the overview, we're at the point where we need to approve the pending request.

1) Open the Certificate Authority MMC snap-in from the Administrative Tools menu. Click “Pending Requests”. Right-click the new request, and click “Issue”.
2) From a web browser, connect to your Certificate Service site (http:///certsrv/).
3) Click “View the status of a pending certificate request”.
4) Click on the “Saved-Request Certificate”.
5) Download the certificate, choosing “DER encoded”, and save it to your local system (by default this will be called “certnew.cer”).

Thursday, June 02, 2005

SSL Overview: Side note, Failed to create “Certificate Authority Request”

So you've been following along, but you put the CA on the same IIS server as your SUS server. Either that or, being a diligent sysadmin, you ran the IIS Lockdown tool on your IIS server (good for you, by the way!). Well, if you've done either of the above, then you're at the point where you're getting the error...

Failed to create “Certificate Authority Request”

Pain in the neck, right? Well, don't worry... it's actually not too bad.

To resolve this error, perform the following steps:
1) Open IIS, and go to the properties page for the site where certsrv is installed (e.g. “Default Web Site”).
2) Go to the “Home Directory” tab, and click “Configuration”.
3) Click the Options tab, put a check in the “Enable session state” box, and choose 20 minutes. Now restart IIS (at a command prompt, type “iisreset”).


Now go ahead and resubmit the request to your CA. It should work just fine now.

SSL Overview: Part 3, Submit the certificate request

If you've been following along with the previous posts, you'll see that we're progressing through the original outline. We've already created a certificate request using the IIS MMC, and we're at the point where we need to submit the request to a Certification Authority (CA).

The first thing you need to do is to make sure that you already have a Certification Service installed on a server. From an architecture standpoint, you may want to consider placing this on an internal box running IIS, as opposed to an Internet-facing system. There are also some considerations to take into account as far as using an AD-integrated CA or a stand-alone CA. In this scenario I have used a stand-alone CA.

In any case, it's time to go through the approval process.

1) Using IE (internet explorer) browse to your certificate server (http://server-name/certsrv).
2) Click “Request a Certificate”
3) Click “Advanced certificate request”.
4) Choose to “Submit a certificate request by using a base-64-encoded…”
5) Browse to the certificate request you created earlier (e.g. “c:\certreq.txt”), and open it in Notepad. Copy the entire contents of the file (including the “-----Begin---” and “----END--…” lines), and paste it into the certificate request box.

Reference this link for further details.

6) Click Submit.
7) You should see a message indicating that your Certificate request has been received, and that you must wait for an administrator to approve.

Side Note: If you receive an error to the effect of "Failed to Create Certificate Authority Request", this seems to be caused by SUS (and the IIS lockdown tool).

I will be following up with a work-around for this error, as well as the remaining posts detailing the original outline.
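Step 5 above pastes the request as base64 with its BEGIN/END lines, and Part 4 downloads the issued certificate as “DER encoded”. The Python sketch below is an added example, not part of the original posts: it tells the two encodings apart and checks that the outer ASN.1 length matches the bytes actually present, which catches a paste that lost its armor lines or a line of base64. The sample bytes and the `NEW CERTIFICATE REQUEST` label are constructed for illustration.

```python
import base64
import re

# One armored block; the label between BEGIN and the dashes is captured.
ARMOR = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def outer_sequence_length(der: bytes) -> int:
    """Total encoded size claimed by the outer ASN.1 SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with an ASN.1 SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                  # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_blob(data: bytes):
    """Return (encoding, label, der_bytes); label is None for raw DER."""
    m = ARMOR.search(data)
    if m:
        encoding, label = "base64", m.group(1).decode()
        # validate=True rejects stray characters (raises a ValueError subclass)
        der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    elif data[:1] == b"\x30":
        encoding, label, der = "der", None, data
    else:
        raise ValueError("no BEGIN/END armor and not DER; were the armor lines copied?")
    expected = outer_sequence_length(der)
    if expected != len(der):
        raise ValueError(f"truncated or padded: header says {expected} bytes, got {len(der)}")
    return encoding, label, der

def der_to_base64(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in BEGIN/END armor with 64-character lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head, tail = f"-----BEGIN {label}-----", f"-----END {label}-----"
    return b"\n".join([head.encode(), *lines, tail.encode(), b""])

# Constructed sample: a well-formed outer SEQUENCE with filler, not a real request.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_REQ = der_to_base64(SAMPLE_DER, "NEW CERTIFICATE REQUEST")
```

Reading `c:\certreq.txt` or `certnew.cer` in binary mode and passing the bytes to `inspect_blob` gives the same check on real files.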

Tuesday, May 31, 2005

SSL Overview: Part 2, Requesting a Certificate

To follow-up on the outline posted in my SSL Overview posting, I will be digging into this process to break things down into a step-by-step approach.

Creating a certificate request isn't too difficult. So to get to the point, you need to launch the IIS MMC and connect to the server that is (or will be) hosting the site that needs the certificate...

1) Launch IIS as a domain administrator
2) Open the Default web site, and right-click properties
3) Select the Directory Security tab, and click “Server Certificate”


4) Select “Create a new certificate”, and click Next.
5) Select “Prepare the request now, but send it later”. Click Next.
6) Choose identifying information (e.g. “Default Web Site”) and bit-length 1024. Click Next. Again, enter more identifying information, and click Next.
7) The most important part of the certificate request is to choose the correct naming for the site.

  • For instance, if this site is only going to be available internally, you can choose either the netbios name (e.g. servername) or full-DNS name (servername.domainname.local).
  • If this site is going to be available externally, use the full external DNS name. (e.g. “intranet.domainname.com”)
8) Type more identifying information, click Next.
9) Choose the filename for the certificate request (c:\certreq.txt is fine). Click Next. Click Next. Click Finish.
That's all there is to it. The next step is to submit the request to a CA (Certification Authority), which I will cover in a follow-up post.

SSL Overview for SQL Reporting Services

I’m often surprised by how many people aren’t aware that you can create and install SSL certificates without going to a publicly trusted Certificate Authority (CA). Windows 2000/2003 has everything you need built right in, so take advantage of it!

Maybe you want to use SSL to encrypt login credentials for accessing your corporate intranet, or for providing secure access to web services... think SQL Reporting Services, and Exchange/OWA. If the business-situation warrants it, take advantage of what Microsoft already offers!

When circumstances permit, use IIS and the built-in Windows Certification Authority to make and approve certificate requests.

Overview

  1. Create a certificate request using the IIS MMC
  2. Submit the certificate request to a CA (Certification Authority) using the CA’s web-interface.
  3. Approve the certificate request using the CA MMC.
  4. Download the certificate from the CA web-interface, and then install the certificate for the web site you need, using the IIS MMC.

I’m in the process of documenting this more extensively, and will follow-up as time allows. But the key takeaways are outlined above, and if you think through the process, this should provide a good starting point.

One last thing, there certainly are times when a certificate from a publicly trusted CA makes sense… especially when dealing with services that will be exposed to end-customers! In these cases, a publicly trusted certificate should be easy to justify in terms of cost.