Domain Name, SSL And IIS Process Integration
Secure Sockets Layer (SSL)
- Cryptographic protocol that creates a secure tunnel between client and server across the internet.
Transport Layer Security (TLS)
- Cryptographic protocol that creates a secure tunnel between client and server across the internet. The successor of SSL.
Public Key Infrastructure (PKI):
- System of servers and protocols that enables the creation, validation, and revocation of digital certificates (electronic identification).
- It can be a commercial service or a service that exists entirely inside an organization.
Certificate Authority (CA):
- A server that provides the certificate-issuing service of a PKI.
- For better security and scalability, a PKI usually consists of a hierarchy of CAs.
- Root CA:
  - Top-level CA in the PKI.
  - Used to authorize one or more intermediate CAs.
Certificate Signing Request (CSR)
- A critical part of applying for an SSL/TLS certificate.
- The CA uses the data in the CSR to build the actual SSL certificate. A CSR contains:
  - Business and website information.
  - The public key that will be included in the certificate.
  - Information about the key type and length.
Private Key
- A separate file used in the encryption/decryption of data sent between the server and its clients.
- This key is created together with the CSR.
- The private key and the public key are mathematically linked.
- It is the single most important component of your SSL certificate.
- Do not let this key get compromised.
CA Bundle
- Contains the root and intermediate certificates.
- Together with the server certificate, it completes the SSL chain of trust.
- Especially useful for older browsers.
Certificate
- Basic information plus the public key.
- File extensions: .pem, .crt, .cer, .key.
PKCS #12 standard
- Contains the end-entity certificate and its matching private key, may include the CA bundle, and can be password protected.
- File extensions: .pfx, .p12.
DNS A Record
- Maps a domain name to the IPv4 address of the computer hosting the domain.
Domain Name
- An identification string that defines a realm of administrative autonomy, authority, or control within the Internet.
Buying A Domain Name
The first step is to buy a domain name.
I bought “awesomedefaultwebsite.space”:
If we make a request right now, we see the following:
This usually happens because the “A” record is pointing to a “dummy IP address”, in this case “126.96.36.199”.
An A record uses a domain name to find the IP address of a computer connected to the internet.
Let us change the “A” record to 188.8.131.52 (“https://www.dell.com/”).
The record's Time To Live (TTL) largely determines how long it takes for this change to take effect.
I waited a couple of minutes and made another request:
The browser first enters “awesomedefaultwebsite.space” and is then redirected to “www.dell.com”, since that is the IP our “A” record now points to.
Generating SSL Certificate
You can generate an SSL certificate with various tools, such as OpenSSL. I am going to use the “sslforfree.com” service.
Create the certificate and verify the information.
It will ask you to choose a verification method. I chose the CNAME option.
It will make you create a CNAME record with a specific name and content.
Once the record is verified, you can download the files:
- ca_bundle.crt: intermediate certificates.
- certificate.crt: your actual certificate.
- private.key: your private key, used in the encryption/decryption of data.
Let us send this whole folder to the Server.
At this point, we need to convert our certificates into the “.pfx” format. Remember that this format includes the private key. For personal use you can use online SSL converters, such as SSL Converter.
However, as the private key must always remain private, it is best to do this locally. I am going to use OpenSSL:
openssl pkcs12 -export -out [desiredNameWhenExported].pfx -inkey [NameOfPrivateKey].key -in [YourCertificate].crt -certfile [IntermediateCertificate].crt
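The script below is an added example, not part of the original article or of any tool it mentions. It builds a throwaway PKI with OpenSSL (root CA, intermediate CA, server key and CSR, issued certificate with a Subject Alternative Name) so that the pkcs12 export above can be exercised end to end, and it runs the checks worth doing before the .pfx is copied anywhere: the private key matches the certificate, the chain verifies through the CA bundle, and the hostname that will go into the IIS binding is covered by the SAN (the point the “Keep in mind” list makes about hostname and SAN). The CA names, file names and passphrase are constructed for the example; the hostname is the article's domain. It assumes OpenSSL 1.1.1 or newer on the PATH.

```shell
#!/usr/bin/env bash
# Added example: throwaway PKI + pkcs12 export + pre-flight checks.
# CA names, file names and the passphrase are constructed; not the article's files.
set -eu

HOST="awesomedefaultwebsite.space"   # hostname the certificate is issued for
WORK="${WORK:-$(mktemp -d)}"         # scratch directory holding every file below
PFX_PASS="example-pfx-passphrase"    # constructed; protects the exported .pfx

# Build root CA -> intermediate CA -> server certificate, mirroring what a public
# CA does when it turns your CSR into certificate.crt plus ca_bundle.crt.
build_pki() {
  cd "$WORK"
  # Root CA: self-signed and long lived; req -x509 marks it CA:TRUE by default.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
  # Intermediate CA: its own key and CSR, certificate signed by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile int.ext -out intermediate.crt 2>/dev/null
  # Server side: private key + CSR. Only the CSR (public data) ever leaves the server.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout private.key -out server.csr 2>/dev/null
  # The CA issues the end-entity certificate. The hostname goes into the SAN,
  # which is what browsers match against (the CN alone is not enough).
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' "$HOST" > srv.ext
  openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
    -days 90 -extfile srv.ext -out certificate.crt 2>/dev/null
  # ca_bundle.crt: the intermediates the server presents alongside its own certificate.
  cp intermediate.crt ca_bundle.crt
}

# Check 1: private.key and certificate.crt must carry the same public key.
key_matches_cert() {
  cd "$WORK"
  key_pub=$(openssl pkey -in private.key -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in certificate.crt -pubkey -noout)
  [ "$key_pub" = "$cert_pub" ]
}

# Check 2: the certificate chains up to a trusted root through the bundle.
chain_is_trusted() {
  cd "$WORK"
  openssl verify -CAfile root.crt -untrusted ca_bundle.crt certificate.crt >/dev/null 2>&1
}

# Check 3: the hostname used in the IIS binding must be covered by the SAN.
hostname_matches_san() {
  cd "$WORK"
  out=$(openssl x509 -in certificate.crt -noout -checkhost "$1")
  case "$out" in
    *"does match"*) return 0 ;;
    *) return 1 ;;
  esac
}

# The same export the article performs, with a passphrase so the file is useless on its own.
export_pfx() {
  cd "$WORK"
  openssl pkcs12 -export -out site.pfx -inkey private.key -in certificate.crt \
    -certfile ca_bundle.crt -passout "pass:$PFX_PASS"
  [ -s site.pfx ]
}

# Number of certificates packed into the .pfx (end-entity + intermediate = 2).
pfx_cert_count() {
  cd "$WORK"
  openssl pkcs12 -in site.pfx -passin "pass:$PFX_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

main() {
  build_pki
  key_matches_cert && echo "private key matches certificate"
  chain_is_trusted && echo "chain verifies through ca_bundle.crt"
  hostname_matches_san "$HOST" && echo "SAN covers $HOST"
  hostname_matches_san "www.dell.com" || echo "SAN does not cover www.dell.com (expected)"
  export_pfx && echo "exported $WORK/site.pfx with $(pfx_cert_count) certificates"
}
main
```

Two practical notes. The passphrase matters: a .pfx is the private key, so an unprotected one lying in a shared folder is a credential leak waiting to happen, and the MMC import wizard will prompt for it. Also, OpenSSL 3 encrypts the .pfx with AES and PBKDF2 by default, which older Windows releases cannot import; if the import fails on an older server, re-export with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` (or `-legacy`) rather than weakening anything else.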
Now we need to place the certificate in the Local Computer > Personal > Certificates store. This is the store IIS reads from.
In MMC: File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Finish > OK, then import the .pfx into Personal > Certificates.
There is no need to add this certificate to “Trusted Root Certification Authorities”, as the CA that issued your certificate should already be in your trusted store.
Open IIS Manager, choose your site, create an HTTPS binding, set the hostname the certificate was issued for, and select the correct certificate from the dropdown.
Let us make a request:
- Remember to change the “A” record so that it points to our VM's public IP.
- Remember to open port 443 at the VM level as well.
In this article we reviewed the whole process of buying a domain name, generating an SSL certificate, and binding it to IIS. The “.pfx” format is important because it contains the private key, which the server uses to decrypt data the client encrypted with the public key.
Keep in mind:
- Port 443 must be open at the VM level.
- The “A” record must point at your desired public IP.
- The “CA_Bundle” contains the intermediate certificates. They are not mandatory.
- IIS can only read from the Local Machine store.
- The private key is meant to be private.
- The hostname binding in IIS must match the certificate's Subject Alternative Name for the certificate to be considered valid.
This is one example of how the process can be done. There are hundreds of different services that achieve the same outcome; regardless, they all share the same basic principles, and the process should be much the same.
Links:
- Domain.com: Website Domain Names, Online Stores & Hosting
- SSL For Free (powered by ZeroSSL, free 90-day certificates)
- Google Code Archive