Enable SSL encryption in Microsoft IIS
Enable Secure Sockets Layer (SSL) encryption in Microsoft Internet Information Services (IIS) to secure communications between the web server and your thin clients.
Version | …on Operating System |
---|---|
IIS 7 | |
IIS 8 | |
For information about enabling SSL on earlier versions of IIS, go to: support.microsoft.com/kb/299875
Also, before you begin this task, you should know whether you are going to use a signed or a self-signed certificate. Both types of certificates are explained below, but since this is not intended to be a complete discussion of Windows server administration, instructions are provided only for creating a self-signed certificate so that you can continue developing and testing your IWS project. For information about requesting a signed certificate, go to: technet.microsoft.com/library/cc732230
Your IWS project has a built-in security system that you can use to control who logs on and what access they have. It does nothing to secure the connection between the server and the client, however, so if your local network is insecure and/or you connect to your server over the Internet, then your communications can be intercepted and possibly compromised.
One way to secure the connection is to use Secure Sockets Layer (SSL) encryption to encrypt the packets that are sent between the server and the client. When SSL is enabled on the server, the server offers a certificate that includes proof of the identity of the server and an encryption key. The client — in this case, your web browser — can either accept or reject the certificate, depending on whether it trusts the certificate. If the certificate is trusted, then it is automatically accepted and SSL is turned on; in many web browsers, this is indicated by a padlock icon. If the certificate is not trusted, then an alert message is displayed and the user must choose whether to accept it or reject it.
The criteria for trusting a certificate are typically whether the certificate is signed by a known certificate authority (CA) and is unexpired. However, a signed certificate must be requested and purchased from a CA, so there is also an option to create a free, self-signed certificate. A self-signed certificate is a certificate signed by the server that is offering it, and as long as it is used only on a secure local network where you know and trust all of the other computers, it is sufficient for project development. (Again, for information about requesting a signed certificate, go to: technet.microsoft.com/library/cc732230)
To create a self-signed certificate and enable SSL encryption in IIS:
- Do one of the following:
  - Click the Start button, and then on the Start menu, click Control Panel; or
  - In Windows 8, swipe in from the right edge of the screen, click/tap Search, and then in the search box, type Control Panel. When Control Panel is displayed in the search results, click/tap it.

  The Control Panel window is displayed.
- In the Control Panel window, click System and Security, and then click Administrative Tools. The Administrative Tools window is displayed.
- In the Administrative Tools window, double-click Internet Information Services (IIS) Manager. The IIS Manager window is displayed.
- Create the self-signed certificate:
  - In the IIS Manager window, in the Connections list on the left, select your server (typically your own computer).
  - In Features view, double-click Server Certificates.
  - In the Actions pane, click Create Self-Signed Certificate.
  - On the Create Self-Signed Certificate page, in the Specify a friendly name for the certificate box, type a friendly name for the certificate (e.g., IWS), and then click OK.

  Your self-signed certificate is added to the list of server certificates.
- Enable SSL for your web site:
  - In the Connections list on the left, open your server, open Sites, and then select Default Web Site.
  - In the Actions pane, click Bindings.
  - On the Site Bindings page, click Add.
  - On the Add Site Binding page, in the Type list, select https.
  - In the SSL certificate list, select the self-signed certificate that you created.
  - Click OK to close the Add Site Binding page, and then click Close to close the Site Bindings page.
- Require clients to connect with SSL:
  - In the IIS Manager window, in Features view, double-click SSL Settings.
  - Select Require SSL.

  This step is optional. If you have problems connecting to the web site, then you may clear this option and try connecting without SSL.
- Restart your web site with the new settings:
  - In the Connections list on the left, select Default Web Site again.
  - In the Actions pane, click Restart.
- Close IIS Manager.
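The same procedure scripted in PowerShell, as an added example that is not part of the original documentation. It assumes IIS 8 on Windows 8 or Windows Server 2012 or later (where `New-SelfSignedCertificate` and the WebAdministration module are available), an elevated session, and an https binding on port 443 for all IP addresses; the port, IP address and DNS name are assumptions the page does not specify.

```powershell
# Added example: scripted equivalent of the IIS Manager steps above.
# Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$siteName     = 'Default Web Site'    # site selected in the steps above
$friendlyName = 'IWS'                 # friendly name suggested in the steps above
$port         = 443                   # assumption: default HTTPS port
$dnsName      = $env:COMPUTERNAME     # assumption: clients connect by computer name

# 1. Create the self-signed certificate in the local machine's Personal store
#    (the store that the Server Certificates feature lists).
$cert = New-SelfSignedCertificate -DnsName $dnsName `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# Set the friendly name on the stored certificate so it is easy to find later.
(Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)").FriendlyName = $friendlyName

# 2. Add the https binding if the site does not have one yet,
#    then attach the certificate to it.
#    AddSslCertificate fails if a certificate is already bound to this
#    IP address and port; remove the old binding first in that case.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL for the site (optional, as in the steps above).
#    To clear the option again, set the value to 'None'.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $siteName `
    -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' -Value 'Ssl'

# 4. Restart the site with the new settings.
Stop-Website  -Name $siteName
Start-Website -Name $siteName

# 5. Check the result: the binding should carry the new certificate's
#    thumbprint, and NotAfter shows when the certificate expires.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object protocol, bindingInformation, certificateHash
$cert | Select-Object Subject, Thumbprint, NotAfter
```

Because the certificate is self-signed, browsers on other computers will still show the untrusted-certificate alert described earlier until a signed certificate replaces it.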
When you want to deploy your IWS project in a production environment, you should request a signed certificate and reconfigure IIS to use that certificate.