This document is a guide to creating and configuring digital certificates for an IIS web server.
A digital certificate is a signed file, not an encrypted one: it binds a public key to the identity of a user or a server, and anyone who trusts the signer can use it to verify that identity (it is therefore also called an authentication certificate). A certificate issued to a user is called a client certificate; a certificate issued for a server is called a server certificate.
The organization that issues, manages, and revokes certificates is called a Certificate Authority (CA). In the environment this guide was written for, the certificate authority is usually a bank in Saudi Arabia.
To generate a digital certificate, follow the steps below:
- 1. Generate a certificate request file (CSR) for the digital certificate:
- 1.1. Click the Start button → Settings → Control Panel
- 1.2. Double click “Administrative Tools”
- 1.3. Double click “Internet Information Services (IIS) Manager”
- 1.4. Expand the “local computer”
- 1.5. Expand “Web Sites”
- 1.6. Select “Default Web Site” → right click → “Properties”
- 1.7. Select the “Directory Security” tab
- 1.8. Click “Server Certificate” → click “Next” → choose “Create a new certificate” → click “Next”
- 1.9. Choose “Prepare the request now, but send it later” → click “Next”
- 1.10. Type a friendly name for the certificate in the “Name” text box (e.g. MyCertificate) → click “Next”
- 1.11. Type the organization name in the “Organization” and “Organizational unit” text boxes (e.g. My Company) → click “Next”
- 1.12. Type the host name that clients will use in the URL in the “Common name” text box (e.g. Kahwaji) → click “Next”. This name cannot be changed afterwards without a new certificate (see Q2), and browsers reject a certificate whose common name does not match the host name in the URL (see Q11).
- 1.13. Choose “JO (Jordan)” in the “Country/Region” combo box, and enter the state/province and the city in the “State/province” and “City/locality” text boxes (e.g. Irbed) → click “Next”
- 1.14. Browse to the folder where you want to save the certificate request file → click “Next”
- 1.15. Check the information in the “Request File Summary” → click “Next” → click “Finish”
- 1.16. Close the “Default Web Site Properties” dialog → close IIS Manager
- 1.17. The certificate request file is now generated. It contains the public key and the identity fields you typed; the matching private key is stored on this server in the Local Computer certificate store and never leaves it.
- 2. Send the certificate request file to the certificate authority (in this environment, usually a bank).
- 3. The certificate authority sends back the issued certificate (usually after one or two days) as a file with the extension “cer” or “crt”. Both hold the same content; if the file arrives as “crt”, rename it to “cer” so that the IIS wizard lists it.
- 4. Process the certificate on the server:
- 4.1. Click the Start button → Settings → Control Panel
- 4.2. Double click “Administrative Tools”
- 4.3. Double click “Internet Information Services (IIS) Manager”
- 4.4. Expand the “local computer”
- 4.5. Expand “Web Sites”
- 4.6. Select “Default Web Site” → right click → “Properties”
- 4.7. Select the “Directory Security” tab
- 4.8. Click “Server Certificate” → click “Next” → choose “Process the pending request and install the certificate” (this binds the certificate issued by the CA to the private key generated in step 1) → click “Next”
- 4.9. Browse to the certificate file you received from the certificate authority → click “Next”
- 4.10. Enter the SSL port you want (the default is 443) → click “Next”
- 4.11. Check the information in the “Certificate Summary” → click “Next” → click “Finish”
- 4.12. Click “View Certificate” in the “Directory Security” tab of the “Default Web Site” properties. A certificate dialog opens; at the bottom you must see a key icon followed by the statement “You have a private key that corresponds to this certificate”. If it is missing, the certificate was not matched to the private key from step 1 (for example because the request was generated on another machine, or the pending request was deleted) and SSL will not work → click “OK”
- 4.13. Close the “Default Web Site Properties” dialog → close IIS Manager
- 4.14. The certificate is now ready to use.
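As an added example, not part of the original guide, the same procedure (steps 1 and 4) can be done from PowerShell with certreq.exe instead of the IIS wizard. The subject fields are the guide's own sample values; the folder C:\certs, the file names and the use of PowerShell 2.0 on Windows Server 2003 are assumptions of this example.

```powershell
# Added example (not from the original guide): certreq.exe equivalent of
# wizard steps 1.x (create request) and 4.x (process the CA's certificate).
# C:\certs and the file names are assumptions; adjust them to your server.

$inf = @"
[NewRequest]
; CN must be the host name clients type in the URL (see Q2 and Q11)
Subject = "CN=Kahwaji, OU=My Company, O=My Company, L=Irbed, S=Irbed, C=JO"
KeyLength = 2048
KeySpec = 1
; 0xA0 = digitalSignature + keyEncipherment, what an SSL server key needs
KeyUsage = 0xA0
; MachineKeySet: key lives in the Local Computer store, like the wizard's key
MachineKeySet = TRUE
; not exportable: the private key cannot be copied off this server
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
"@
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\request.inf -Value $inf

# Step 1: generate the key pair and the request file.
# The private key stays on the server; only request.csr is sent to the CA.
certreq.exe -new C:\certs\request.inf C:\certs\request.csr

# ... send C:\certs\request.csr to the CA and save its reply as C:\certs\server.cer ...

# Step 4: install the issued certificate and join it to the pending private key.
certreq.exe -accept C:\certs\server.cer

# Check 4.12: the installed certificate must carry the matching private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=Kahwaji*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate for CN=Kahwaji not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "No private key corresponds to $($cert.Thumbprint)" }
"Installed {0}, valid until {1}" -f $cert.Thumbprint, $cert.NotAfter
```

certreq -accept places the certificate in the Local Computer Personal store; on IIS 6 you still attach it to the web site, either with the wizard's “Assign an existing certificate” option or by rerunning steps 4.1 to 4.11 and choosing that option in step 4.8.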
Everything is now in place to secure HTTP and/or SOAP communication by securing the virtual directories that serve it. Follow the steps below:
- 1. Click the Start button → Settings → Control Panel
- 2. Double click “Administrative Tools”
- 3. Double click “Internet Information Services (IIS) Manager”
- 4. Expand the “local computer”
- 5. Expand “Web Sites” → expand “Default Web Site”
- 6. Select “Default Web Site” → right click → “Properties”
- 7. Select the “Directory Security” tab
- 8. The “View Certificate” button should be enabled → click “View Certificate” to double check that the server has a valid certificate with its private key
- 9. Click “OK” → click “OK”
- 10. Select the virtual directory you want to secure → right click → “Properties”
- 11. Select the “Directory Security” tab → click “Edit...”
- 12. Check the “Require secure channel (SSL)” check box, select the “Accept client certificates” radio button, and click “OK” → click “OK”. “Accept” means a client certificate is optional; choose “Require client certificates” instead if every client must prove its identity with a certificate (mutual TLS).
- 13. You can now browse the virtual directory over HTTPS without further configuration, e.g. https://Kahwaji/MyVirtualDirectory/HelloWorld.html. If you changed the default SSL port in step 4.10, add the port to the URL, e.g. https://Kahwaji:4443/MyVirtualDirectory/HelloWorld.html (4443 is only an example). Use the host name from the certificate's common name rather than localhost or an IP address, otherwise the browser warns about a name mismatch (see Q11).
- 14. Close IIS Manager
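The following is an added example, not from the original guide, of setting the same SSL options on a virtual directory from PowerShell through the IIS 6 metabase (adsutil.vbs) and then checking the result with a few HTTPS requests. The virtual directory name MyVirtualDirectory, its metabase path under W3SVC/1/ROOT (the Default Web Site) and PowerShell 2.0 are assumptions; Kahwaji and 10.0.0.144 are the guide's own sample values.

```powershell
# Added example (not from the original guide): metabase equivalent of steps
# 10-12 plus a check of step 13. Assumes IIS 6, adsutil.vbs in its default
# location, and a virtual directory "MyVirtualDirectory" on the Default Web Site.
$adsutil = "C:\Inetpub\AdminScripts\adsutil.vbs"
$vdir    = "W3SVC/1/ROOT/MyVirtualDirectory"

# AccessSSLFlags bits:
#   8   = AccessSSL             ("Require secure channel (SSL)")
#   32  = AccessSSLNegotiateCert ("Accept client certificates")
#   64  = AccessSSLRequireCert   ("Require client certificates")
#   256 = AccessSSL128           ("Require 128-bit encryption")
$acceptOnly  = 8 + 32              # what step 12 selects: client cert optional
$requireCert = 8 + 32 + 64 + 256   # mutual TLS: client MUST present a cert

# Swap in $requireCert to enforce mutual TLS; the test requests below would
# then need a client certificate too.
cscript.exe //nologo $adsutil SET "$vdir/AccessSSLFlags" $acceptOnly
cscript.exe //nologo $adsutil GET "$vdir/AccessSSLFlags"

# Step 13 check: plain HTTP must now be refused (403.4), HTTPS with the
# certificate's common name must succeed, and HTTPS by IP address fails the
# .NET certificate name check, which is exactly the Q11 problem.
$urls = @(
    "http://Kahwaji/MyVirtualDirectory/HelloWorld.html",
    "https://Kahwaji/MyVirtualDirectory/HelloWorld.html",
    "https://10.0.0.144/MyVirtualDirectory/HelloWorld.html"
)
foreach ($url in $urls) {
    try {
        $req  = [System.Net.WebRequest]::Create($url)
        $resp = $req.GetResponse()
        "{0} -> HTTP {1}" -f $url, [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        "{0} -> {1}" -f $url, $_.Exception.Message
    }
}
```

The third request is deliberately expected to fail: it shows that the certificate is tied to the common name, so every client (including BizTalk, see Q11) must address the server by that name.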
To let an application use the client/server certificate, the account the application runs under must be granted access to the certificate's private key: the NetworkService user on Windows 2003 (or the ASPNET user on Windows XP). By default only the Administrators group can read the private key. The Microsoft Windows HTTP Services (WinHTTP) certificate configuration tool (WinHttpCertCfg.exe) installs certificates and grants such access to other accounts. In our case we grant access to the Network Service user.
How to use the WinHttpCertCfg.exe tool:
- Download the WinHttpCertCfg.exe tool from the Microsoft Download Center at http://go.microsoft.com/fwlink/?linkid=20506 and install it on the server.
- Run the following command from a command window (by default the WinHttpCertCfg utility is located in \Program Files\Windows Resource Kits\Tools). “-g” grants access, “-c” names the certificate store, “-s” selects the certificate by its “issued to” name, and “-a” names the account that receives access:
WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "CertificateIssuedTo" -a "ServerName\NetworkService"
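The following is an added example, not from the original guide, that does what the WinHttpCertCfg command above does using PowerShell alone: it finds the certificate in the Local Computer store, locates the file in which CryptoAPI keeps its private key, and adds a Read entry for NETWORK SERVICE to that file's ACL. It assumes PowerShell 2.0, an RSA key created by a CryptoAPI CSP (as the IIS 6 wizard does; CNG keys are stored elsewhere), and that it is run as an administrator; the function name and its parameters are this example's own.

```powershell
# Added example (not from the original guide): PowerShell equivalent of
#   WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "CertificateIssuedTo" -a NetworkService
# Assumes an RSA key from a CryptoAPI CSP in the machine key store.
function Grant-PrivateKeyRead {
    param(
        [string]$SubjectPrefix = "CN=Kahwaji",                  # the "issued to" name
        [string]$Account       = "NT AUTHORITY\NETWORK SERVICE"
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "$SubjectPrefix*" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key matches $SubjectPrefix" }

    # CryptoAPI keeps each machine key in a file named after its container;
    # the NTFS ACL on that file is what WinHttpCertCfg -g changes.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $candidates = @(
        (Join-Path $env:ALLUSERSPROFILE "Application Data\Microsoft\Crypto\RSA\MachineKeys"), # Windows 2003/XP
        (Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\RSA\MachineKeys")                    # Vista and later
    )
    $keyFile = $candidates | ForEach-Object { Join-Path $_ $container } |
               Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Key container file '$container' not found" }

    # Read is enough to use the key for SSL; do not grant Modify or FullControl.
    $acl  = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, "Read", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Show the resulting entry, the equivalent of WinHttpCertCfg -l
    (Get-Acl $keyFile).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
}

Grant-PrivateKeyRead -SubjectPrefix "CN=Kahwaji" -Account "NT AUTHORITY\NETWORK SERVICE"
```

For the ASPNET user on Windows XP, pass "-Account `"$env:COMPUTERNAME\ASPNET`"` instead.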
Q1: Can I change the IP address of the server after generating the certificate request file?
A1: Yes. The certificate is tied to the common name, not to the IP address.
Q2: Can I change the server name after generating the certificate request file?
A2: No. The common name in the request is the server name, so renaming the server requires a new request and a new certificate.
Q3: How can we install the same certificate on two machines for NLB clustering?
A3: In that case the certificate is obtained differently. You cannot process the same request on both nodes, because the private key exists only on the machine that generated the request. Request a certificate from the certificate authority that can be installed on both nodes (for example one delivered as a “pfx” file containing the private key, see Q4 and Q5), issued to the cluster name, and on each Windows 2003 node add a line to the hosts file (\WINDOWS\system32\drivers\etc\hosts) of the form “ServerIP CertificateIssuedTo”.
Q4: Some articles mention certificate files with the “pfx” extension. What is the difference between a certificate with the “cer”/“crt” extension and one with the “pfx” extension?
A4: A “cer”/“crt” file contains only the certificate, i.e. the public key and the identity information; a “pfx” (PKCS #12) file contains the certificate together with its private key and is normally protected by a password. Treat a pfx file as a secret: whoever has the file and its password can impersonate the server.
Q5: How can I install a certificate file with the “pfx” extension?
A5: Either double click the file and follow the import wizard, or import it into the server's certificate store under the “Personal” node. Choose the Local Computer store (not the current user's) so that IIS and the Network Service account can use it.
Q6: Why do I need certificates?
A6: There are many reasons, depending on the purpose of the certificate:
- Ensures the identity of a remote computer
- Proves your identity to a remote computer
- Protects e-mail messages
- Allows secure communication on the Internet
- Ensures that software came from the software publisher
- Protects software from alteration after publication
- Allows data to be signed with the current time
Q7: Can the same certificate be used for more than one purpose?
A7: Yes, provided its key usage and enhanced key usage fields allow those purposes.
Q8: Why do I need SSL?
A8: To encrypt the communication between the client and server machines and to let the client verify the server's identity.
Q9: What if I deleted the certificate request file? Should I create another file and send it to the certificate authority?
A9: No. The request file is only a copy of what was sent to the certificate authority; the pending request and its private key remain in IIS. When the certificate authority returns the certificate, process it as described in step 4. Do not create a new request in the meantime: the wizard would replace the pending request with a new key pair, and the certificate issued for the old request would then have no matching private key (step 4.12 would fail).
Q10: Where can I change the SSL port number?
A10: In IIS Manager → (local computer) → “Web Sites” → “Default Web Site” → right click “Properties” → “Web Site” tab → “SSL port”.
Q11: What should I do to allow the BizTalk server to recognize the certificate?
A11: Add a line to the hosts file of the Windows 2003 machine (\WINDOWS\system32\drivers\etc\hosts) of the form “serverIP CertificateIssuedTo”, and use “CertificateIssuedTo” instead of the IP address of the server in the URL (i.e. do not use https://10.0.0.144/Site/WebServ.asmx, but use https://Kahwaji/Site/WebServ.asmx). The name in the URL must match the certificate's common name, otherwise the client rejects the certificate.