Configuring SSL with IIS

Captions
Now, something else that is also very important is the ability to provide security, and this is where we get into Secure Socket Layer: good old SSL. As you know, with SSL we're going to be using port 443. We are going to use digital certificates, and this is going to set up an encrypted session with whomever we're communicating with. And as I've pointed out many times before, you want to make sure that when you're doing these types of sessions that you're using a public issued certificate, somebody from a trusted environment like Verisign or Thawte or GoDaddy, so that if you're trying to sell something to somebody, they're not going to have a big pop-up that says, "Oh, it's an untrusted certificate," or, even worse, with the default settings of Internet Explorer you may run into where it just won't show the website, and unless they can scale that back it's not going to work. So if you're going to be doing anything with the public, get a trusted third-party certificate; otherwise you can use Group Policy to drop it down in there.

So how do I go in and set up my certificates? Well, let's go back out to my machine, and what we're going to do is we're going to get into IIS and we're going to select our particular server. You'll notice that we have the ability to go in and drop down into our site, and let's say that this is our website here. We can go in and we can select Bindings, and inside of our bindings we have HTTP. If I hit Edit, notice that I'm able to select the SSL certificate. This SSL certificate can be, you know, different ones if I wanted to. And let's say that I went and I purchased one from GoDaddy. Well, then what I need to do is I need to make sure that I can do the request for that certificate. They talked about this over on page 203.

One of the most important things is, when you're requesting a brand new certificate, you have to go in and you have to put in what's called the common name, and by the way, this is exam worthy as well. What the common name is, is it's the host name of a particular server. One of the real basics that these browsers will do to verify the validity of a server is: does the hostname match the common name? Now, I understand that's not necessarily the most secure thing, because how hard is it to change a hostname, but it is sort of the first step. So when you request a certificate, make sure that the common name you fill out is going to match your particular hostname. You need to make sure that that's set up in there.

So let's go in and check this out. I'm going to close this off, we'll go in and we'll select our server, and what we want to do is we want to go through and we want to look at the certificates on my particular machine. You want to make sure that all the pieces are in there and that we're going to be able to go in and grab the right certificate. Now, we would go into Server Certificates, and inside of Server Certificates, these are the list of certificates that we already have on our particular system. So what I'm going to do is I'm going to create a certificate request, and here's that all-important common name. If you don't know what your host name is, what you could do is you can open up the command prompt and simply type hostname, and it'll tell us LCB PDC 0 1, so I'll say SLC PDC 0 1. And then I would fill out all the rest of the stuff: your organization, your organizational unit. I'm just going to put some junk in here, and we're going to be, and we'll say, CA, US.

And then it's going to say, well, what type of cryptographic service provider? This is not the cryptographic service provider for your digital certificate. This is the cryptographic service provider that's going to encrypt your request that you're going to send to whomever you send this off to. So if you're sending it off to Verisign or Thawte, they're going to be able to decrypt that, and here's the bit length, but this is not the actual cryptographic provider for the certificate itself. Then you'll give it a file name, for example I could say C colon backslash my cert request, and I'll say Finish. What this will do is it will make a file that I would give to Verisign or Thawte or GoDaddy or whoever, and then I would actually go in and get that certificate issued to me. So it's not the actual certificate, it's the request for the certificate.

Then what I would do is I would go in, once I get the certificate, and I would import the certificate. They would send me a file, it's a PFX file, and typically there's going to be a password for me to import this particular certificate. When you request a certificate, you can have different file sizes, different bit lengths, but realize the longer the bit length, yes, the more secure it is, but it's also going to take a lot more processing power to go through and encrypt that particular tunnel. And I mean, you're not storing the nuclear secrets here, so anything more than about 1024 is kind of overkill.

You can also get what's called an SSL accelerator card. What an SSL accelerator card does is it allows you to go through and have Secure Socket Layers, but you're not going to have the processor do the SSL for you. Instead, what happens is the network adapter inside of your card has the SSL, or inside of your computer has the SSL certificate built into it, so it does all the encryption and decryption for you, which works out really well. An SSL accelerator card would be a pretty decent thing to have.

So how do we enable SSL on our particular website? Well, I've already shown you: we would go into our bindings, and after we've imported the certificate, we would go into HTTPS and we would just select whichever certificate we happen to have imported. So you just want to make sure that you have that set up in there. And if you need to move certificates from one server to another, remember the common name requirement that you have to have in there. What you can do is you can just export a certificate and then you can go ahead and re-import a certificate if you would like, and they talked about that on page 206, 207. You push a button for export, you push a button for import, and away it goes.

Also, when you have your website, you have this button here called SSL Settings. What SSL Settings does is it allows you to require SSL. Now, of course, if they come in on port 443 it's going to be SSL, but we also had port 80, so we may want to remove the binding from port 80 and just go up in here and say, hey, we're going to require that we're using Secure Socket Layers. Now, you'll also notice we have this client certificate. This client certificate is if we want to authenticate based upon an X.509 certificate that is installed on a client. So we can have a machine-based certificate or a user-based certificate, and we would use that for authentication for them to come in, and we can say, you know, ignore it, accept it, or actually require you
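
The checks the walkthrough describes (common name against host name, which certificate sits on the 443 binding, whether port 80 is still bound, and the Require SSL and client certificate setting) can be read back from the server. This is an added PowerShell example, not code from the video; the site name `Default Web Site` is an assumption, and the script only reads configuration.

```powershell
# Added example: read-only audit of an IIS site's SSL setup.
# Assumption: the site is named 'Default Web Site'; run elevated on the IIS server.
Import-Module WebAdministration

$siteName = 'Default Web Site'      # assumed site name, change to yours
$hostName = $env:COMPUTERNAME       # the name the `hostname` command prints

# 1. Server certificates in the machine store, with the common-name check.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cn = $_.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    New-Object PSObject -Property @{
        CommonName    = $cn
        MatchesHost   = ($cn -ieq $hostName)   # common name equals host name?
        HasPrivateKey = $_.HasPrivateKey       # required before IIS can bind it
        Expires       = $_.NotAfter
        Thumbprint    = $_.Thumbprint
    }
} | Format-Table CommonName, MatchesHost, HasPrivateKey, Expires, Thumbprint -AutoSize |
    Out-String

# 2. Bindings on the site: is there an https binding, and is port 80 still bound?
$bindings = Get-WebBinding -Name $siteName
$bindings | Format-Table protocol, bindingInformation -AutoSize | Out-String
if (-not ($bindings | Where-Object { $_.protocol -eq 'https' })) {
    Write-Warning "No https binding on '$siteName'."
}
if ($bindings | Where-Object { $_.protocol -eq 'http' }) {
    Write-Warning "Plain http binding still present on '$siteName'."
}

# 3. Which certificate (by thumbprint) is attached to each SSL endpoint.
#    Compare the thumbprint with the table from step 1.
Get-ChildItem IIS:\SslBindings |
    Format-Table IPAddress, Port, Thumbprint, Store -AutoSize | Out-String

# 4. The "SSL Settings" page for the site. 'Ssl' means Require SSL is on;
#    'SslNegotiateCert' = accept client certificates, 'SslRequireCert' = require
#    them, and neither of those present = ignore.
$sslFlags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $siteName -Filter 'system.webServer/security/access' -Name 'sslFlags'
"sslFlags for '$siteName': $sslFlags"
```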
Info
Channel: StormWind Studios
Views: 129,349
Keywords: Windows, 2008, R2, MCITP, Free, Training, Certification, Applications, SSL, IPSEC, Encryption, 443, TLS, Sniff, Hack, clear, text, security, commerce, IIS, Internet, Information, compromise, packet, x.509, verisign, server
Id: UCgpxct9eLQ
Length: 7min 27sec (447 seconds)
Published: Wed Nov 09 2011