Monday, March 15, 2010

Introduction

The high-level steps for configuring SSL are the same in IIS 7.0 and IIS 6.0:

  • Get an appropriate certificate
  • Create an HTTPS binding on a site
  • Test by making a request to the site
  • Optionally configure SSL options, e.g. making SSL a requirement

This document provides some helpful information, then shows how to enable SSL in many different ways:

  • Using the IIS Manager GUI
  • Using the appcmd command line tool
  • Programmatically through Microsoft.Web.Administration
  • Through WMI scripts


SSL Configuration

The implementation of SSL changed between IIS 6.0 and IIS 7.0. On Windows Server 2003, all SSL configuration was stored in the IIS metabase and encryption/decryption happened in user mode, which required many kernel/user mode transitions. On Windows Vista and Windows Server® 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections.

Moving SSL to kernel mode requires storing SSL binding information in two places. First, the binding is stored in %windir%\system32\inetsrv\applicationHost.config for your site. When the site starts, IIS 7.0 sends the binding to HTTP.sys and HTTP.sys starts listening for requests on the specified IP:Port (this works for all bindings). Second, SSL configuration associated with the binding is stored in HTTP.sys configuration. Use netsh to view SSL binding configuration stored in HTTP.sys:

netsh http show sslcert

When a client connects and initiates an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP:Port pair that the client connected to. The HTTP.sys SSL configuration must include a certificate hash and the name of the certificate's store for the SSL negotiation to succeed.

Troubleshooting Tip: If you're having trouble with an SSL binding, verify that the binding is configured in applicationHost.config and that the HTTP.sys store contains a valid certificate hash and store name for the binding.
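The troubleshooting tip above can be turned into a script. The following PowerShell is an added example, not part of the article and not Microsoft code: it reads the HTTPS bindings out of applicationHost.config, parses netsh http show sslcert for the entries HTTP.sys holds, and confirms that each binding has an HTTP.sys entry whose certificate hash actually exists in the named store and is in date. It assumes an elevated prompt on the IIS 7.0 server and the IIS 7.0-style "IP:port" entries in the netsh output; the function names are this example's own.

```powershell
# Added example (not part of the article): cross-check the two places an IIS 7.0
# HTTPS binding lives, applicationHost.config and the HTTP.sys SSL store, and
# confirm the certificate HTTP.sys references is present and in date.
# Assumes an elevated prompt on the IIS server and IIS 7.0-style "IP:port"
# entries in "netsh http show sslcert" output.

function Get-HttpSysSslBindings {
    # Parse the text output of "netsh http show sslcert" into objects.
    $entries = @()
    $current = $null
    foreach ($line in (& netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $entries += $current }
            $current = New-Object PSObject -Property @{ IpPort = $matches[1]; Hash = $null; Store = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') { $current.Hash = $matches[1] }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') { $current.Store = $matches[1] }
    }
    if ($current) { $entries += $current }
    $entries
}

function Get-ApplicationHostHttpsBindings {
    param([string]$ConfigPath = "$env:windir\system32\inetsrv\applicationHost.config")
    [xml]$config = Get-Content -Path $ConfigPath
    foreach ($site in $config.configuration.'system.applicationHost'.sites.site) {
        foreach ($binding in @($site.bindings.binding)) {
            if ($binding.protocol -ne 'https') { continue }
            # bindingInformation is "IP:port:hostheader"; "*" means every address,
            # which HTTP.sys records as 0.0.0.0. The regex keeps IPv6 literals intact.
            if ($binding.bindingInformation -match '^(.+):(\d+):(.*)$') {
                $ip = if ($matches[1] -eq '*') { '0.0.0.0' } else { $matches[1] }
                New-Object PSObject -Property @{ Site = $site.name; IpPort = "$($ip):$($matches[2])" }
            }
        }
    }
}

function Test-IisSslBindings {
    $httpSys = @(Get-HttpSysSslBindings)
    foreach ($b in Get-ApplicationHostHttpsBindings) {
        $entry = $httpSys | Where-Object { $_.IpPort -eq $b.IpPort } | Select-Object -First 1
        $result = New-Object PSObject -Property @{ Site = $b.Site; IpPort = $b.IpPort; Status = ''; Detail = '' }
        if (-not $entry) {
            $result.Status = 'FAIL'
            $result.Detail = 'binding is in applicationHost.config but HTTP.sys has no SSL configuration for it'
        }
        else {
            # HTTP.sys prints "(null)" when no store name was recorded; IIS Manager records MY.
            $store = if ($entry.Store -and $entry.Store -ne '(null)') { $entry.Store } else { 'MY' }
            # Thumbprints in the Cert: drive are upper-case hex, netsh prints lower-case; -eq ignores case.
            $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $entry.Hash }
            if (-not $cert) {
                $result.Status = 'FAIL'
                $result.Detail = "hash $($entry.Hash) not found in LocalMachine\$store"
            }
            elseif ((Get-Date) -lt $cert.NotBefore -or (Get-Date) -gt $cert.NotAfter) {
                $result.Status = 'WARN'
                $result.Detail = "certificate '$($cert.Subject)' is outside its validity period"
            }
            else {
                $result.Status = 'OK'
                $result.Detail = "certificate '$($cert.Subject)' valid until $($cert.NotAfter)"
            }
        }
        $result
    }
}

Test-IisSslBindings | Format-Table Status, Site, IpPort, Detail -AutoSize
```

A FAIL with "no SSL configuration" is the case the tip describes: the site will start and HTTP.sys will listen on the port, but every SSL handshake on it fails because HTTP.sys has no certificate to offer.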

Choosing a Certificate

Do you want end users to be able to verify your server's identity with your certificate? If yes, then either create a certificate request and send that request to a known CA like VeriSign or GeoTrust, or get a certificate from an online CA in your intranet domain. There are three things that a browser usually checks for in a server certificate:

  1. The current date/time is within the "Valid from" and "Valid to" dates on the certificate
  2. The certificate's "Common Name" (CN) matches the host header in the request, e.g. if the client is making a request to www.contoso.com, then the CN must also be www.contoso.com
  3. The Issuer is a known and trusted CA

If one or more of these checks fails, the browser prompts the user with warnings. If you have an internet site or an intranet site where your end users are not people you know personally, then you should always ensure that these three parameters check out.

Self-signed certificates are certificates created by your computer. They're useful in environments where it's not important for an end user to trust your server, a test environment for example.
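The three browser checks above, and the reason a self-signed certificate fails the third one, can be exercised from a script before end users see the warning. The following PowerShell is an added example, not part of the article and not Microsoft code: it fetches the certificate a server presents on its HTTPS binding and applies the date, name and issuer checks. The function names and parameters are this example's own. Name matching goes beyond the CN the article mentions and also accepts Subject Alternative Name DNS entries and single-label wildcards, which browsers honour; parsing the SAN text assumes the English "DNS Name=" label that .NET produces for that extension.

```powershell
# Added example (not part of the article): fetch a server's certificate and apply
# the three checks a browser makes (validity dates, name, trusted issuer).

function Get-RemoteServerCertificate {
    param([string]$ComputerName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept whatever the server sends here so the certificate can be inspected;
        # the real checks are in Test-ServerCertificate, not in this callback.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
    }
    finally { $client.Close() }
}

function Test-ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$HostName
    )
    $now = Get-Date

    # Check 1: validity period.
    $datesOk = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)

    # Check 2: the name the client asked for is on the certificate (CN or a SAN DNS entry).
    $names = @($Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumes the English-locale "DNS Name=host" formatting of the extension text.
        $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
    }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) { $nameOk = $true }
        elseif ($n.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.contoso.com matches www.contoso.com, not a.b.contoso.com.
            $suffix = $n.Substring(1)
            if ($HostName.Length -gt $suffix.Length -and $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { $nameOk = $true }
            }
        }
    }

    # Check 3: the chain builds to a root this machine trusts. A self-signed certificate
    # shows up here as UntrustedRoot; time problems are already reported by check 1.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Certificate)
    $trustProblems = @($chain.ChainStatus | Where-Object { $_.Status -ne 'NotTimeValid' } | ForEach-Object { $_.Status })

    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Issuer        = $Certificate.Issuer
        DatesValid    = $datesOk
        NameMatches   = $nameOk
        NamesOnCert   = ($names -join ', ')
        IssuerTrusted = ($trustProblems.Count -eq 0)
        ChainStatus   = ($trustProblems -join ', ')
    }
}

# Usage: replace the host with the name users type into the browser for your site.
# Test-ServerCertificate -Certificate (Get-RemoteServerCertificate -ComputerName 'www.contoso.com') -HostName 'www.contoso.com' | Format-List
```

For a self-signed certificate created as described later in this article, DatesValid and NameMatches can both be true while IssuerTrusted is false with ChainStatus "UntrustedRoot", which is exactly the condition that makes the browser prompt.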

AppCmd

You cannot request or create a certificate using appcmd. You also cannot create an SSL binding.

Configure SSL Settings

You can use appcmd to configure a site to accept only HTTPS connections by modifying the sslFlags attribute on the access section. For example, configure this setting for the "Default Web Site" in the applicationHost.config file (i.e. -commitPath:APPHOST):

D:\Windows\system32\inetsrv>appcmd set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:Ssl

Applied configuration changes to section "system.webServer/security/access" for
"MACHINE/WEBROOT/APPHOST/Default Web Site" at configuration commit path "MACHINE
/WEBROOT/APPHOST"

To require 128-bit SSL, change the sslFlags value to Ssl128.

The sample below shows how to view the section settings for the Default Web Site. The sslFlags attribute has been set successfully:

D:\Windows\system32\inetsrv>appcmd list config "Default Web Site" -section:access
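The introduction lists Microsoft.Web.Administration as a third way to do this. The following PowerShell is an added example, not part of the article and not Microsoft code: it reads the same sslFlags attribute for every site that has an HTTPS binding, so sites whose HTTPS binding is optional stand out, and sets the attribute the way the appcmd command above does. It assumes an elevated prompt and IIS 7.0's Microsoft.Web.Administration.dll in %windir%\system32\inetsrv; the function names are this example's own.

```powershell
# Added example (not part of the article): read and set sslFlags through
# Microsoft.Web.Administration, the same section the appcmd command edits.
# Assumes an elevated prompt and IIS 7.0's Microsoft.Web.Administration.dll.

Add-Type -Path "$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll"

function Get-IisSslRequirement {
    # One row per site that has an https binding, showing whether SSL is actually required.
    $manager = New-Object Microsoft.Web.Administration.ServerManager
    try {
        $config = $manager.GetApplicationHostConfiguration()
        foreach ($site in $manager.Sites) {
            $https = @($site.Bindings | Where-Object { $_.Protocol -eq 'https' })
            if ($https.Count -eq 0) { continue }
            # Same section appcmd edits: system.webServer/security/access, scoped to the site (commit path APPHOST).
            $access = $config.GetSection('system.webServer/security/access', $site.Name)
            $raw = $access.GetAttributeValue('sslFlags')
            # MWA returns a flags attribute as a bit mask (Ssl = 8, Ssl128 = 256); accept a string form as well.
            if ($raw -is [string]) {
                $requiresSsl = $raw -match '\bSsl\b'
                $requires128 = $raw -match 'Ssl128'
            }
            else {
                $mask = [int64]$raw
                $requiresSsl = ($mask -band 8) -ne 0
                $requires128 = ($mask -band 256) -ne 0
            }
            New-Object PSObject -Property @{
                Site          = $site.Name
                HttpsBindings = (($https | ForEach-Object { $_.BindingInformation }) -join ', ')
                RequiresSsl   = $requiresSsl
                Requires128   = $requires128
            }
        }
    }
    finally { $manager.Dispose() }
}

function Set-IisRequireSsl {
    # Equivalent of: appcmd set config "<site>" -commitPath:APPHOST -section:access -sslFlags:Ssl
    param([string]$SiteName, [switch]$Require128)
    $manager = New-Object Microsoft.Web.Administration.ServerManager
    try {
        $access = $manager.GetApplicationHostConfiguration().GetSection('system.webServer/security/access', $SiteName)
        # Ssl128 is set together with Ssl so the requirement and the key-length minimum both apply.
        $flags = if ($Require128) { 'Ssl,Ssl128' } else { 'Ssl' }
        $access.SetAttributeValue('sslFlags', $flags)
        $manager.CommitChanges()
    }
    finally { $manager.Dispose() }
}

# List sites that have an https binding but do not require SSL, then require it on one of them.
Get-IisSslRequirement | Where-Object { -not $_.RequiresSsl } | Format-Table Site, HttpsBindings, RequiresSsl -AutoSize
# Set-IisRequireSsl -SiteName 'Default Web Site' -Require128
```

After Set-IisRequireSsl, the appcmd list config command shown above reports the new sslFlags value, since both tools write the same access section at the APPHOST commit path.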

IIS Manager

Obtain a Certificate

Select the server node in the treeview and double-click the Server Certificates feature in the listview:

Click Create Self-Signed Certificate... in the Actions pane.

Enter a friendly name for the new certificate and click OK.

Now you have a self-signed certificate. The certificate is marked for "Server Authentication" use; i.e. use as a server-side certificate for HTTP SSL encryption and for authenticating the identity of the server.

Create an SSL Binding

Select a site in the treeview and click Bindings... in the Actions pane. This brings up the bindings editor that lets you create, edit, and delete bindings for your website. Click the Add... button to add your new SSL binding to the site.

New bindings default to http on port 80. Select https in the Type drop-down. Select the self-signed certificate you created earlier from the SSL Certificate drop-down and click OK.


Now you have a new SSL binding on your site and all that remains is to verify that it works.
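The same binding can be created without IIS Manager. The following PowerShell is an added example, not part of the article and not Microsoft code: it adds an HTTPS binding to a site through Microsoft.Web.Administration using a certificate that is already in the local machine's personal store, which is what the bindings editor does when you pick a certificate from the SSL Certificate drop-down. It assumes an elevated prompt and IIS 7.0's Microsoft.Web.Administration.dll; the thumbprint in the usage line is a placeholder and the function name is this example's own.

```powershell
# Added example (not part of the article): the "Create an SSL Binding" steps done
# through Microsoft.Web.Administration instead of IIS Manager. Assumes an elevated
# prompt, IIS 7.0's Microsoft.Web.Administration.dll, and a server certificate
# already present in Cert:\LocalMachine\My.

Add-Type -Path "$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll"

function Add-IisHttpsBinding {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$Thumbprint,                    # thumbprint of the certificate in Cert:\LocalMachine\My
        [string]$BindingInformation = '*:443:'  # IP:port:hostheader; "*" means all addresses
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $manager = New-Object Microsoft.Web.Administration.ServerManager
    try {
        $site = $manager.Sites[$SiteName]
        if (-not $site) { throw "Site '$SiteName' not found" }
        $existing = $site.Bindings | Where-Object { $_.Protocol -eq 'https' -and $_.BindingInformation -eq $BindingInformation }
        if ($existing) { throw "Site '$SiteName' already has an https binding for $BindingInformation" }

        # This overload writes the binding to applicationHost.config and, on commit,
        # registers the certificate hash and store name with HTTP.sys for that IP:port,
        # the two places the SSL Configuration section says a binding must exist.
        [void]$site.Bindings.Add($BindingInformation, $cert.GetCertHash(), 'My')
        $manager.CommitChanges()
    }
    finally { $manager.Dispose() }
}

# Usage (placeholder thumbprint; copy the real one from Cert:\LocalMachine\My):
# Add-IisHttpsBinding -SiteName 'Default Web Site' -Thumbprint '<thumbprint of your certificate>'
# Then confirm HTTP.sys received it:
# netsh http show sslcert ipport=0.0.0.0:443
```

The netsh line at the end is the check from the SSL Configuration section: if the binding was committed but the ipport entry is missing, the site will listen on 443 and every handshake will fail.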

Verify the SSL Binding

Look in your site's Actions pane for a link that will browse your site over your new HTTPS binding. Click this link to test your new binding.

IE7 will show you an error page because the self-signed certificate was issued by your machine, not a trusted Certificate Authority (CA). IE7 will trust the certificate if you add it to the list of Trusted Root Certification Authorities in the certificates store on the local machine or in Group Policy for the domain. Click Continue to this website (not recommended).

Configure SSL Settings

Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the treeview to go back to the site's home page. Double-click the SSL Settings feature in the middle pane.


Summary

In this walkthrough, we successfully used the command-line tool AppCmd.exe, the WMI scripting provider, and IIS Manager to set up SSL on IIS 7.0.


