Domain Name, SSL And IIS Process Integration

Basic Concepts

Secure Socket Layer (SSL)

• Secure protocol tunnel across the internet.

Transport Layer Security (TLS)

• Secure protocol tunnel across the internet. The successor of SSL.

Public Key Infrastructure (PKI):

• System of servers and protocols that enable the creation, validation, and revocation of digital certificates (electronic identification).
• They can be commercial service or a service that exists entirely inside an organization.

Certificate Authority (CA):

• Is a server that provides the service of a PKI.
• To provide better security and scalability, PKI usually consists of hierarchy of CA’s.
• Root CA.
• Top-level domain CA in PKI.
• Used to authorize one or more intermediates CA’s.

Certificate Signing Request (CSR)

• It is a critical part of applying for an SSL/TLS certificate.
• CA will use the data from the CSR to build the actual SSL certificate.

Information included:

• Business and website information.
• Public Key that will be included in certificate.
• Information about the key type and length.

Private Key:

• It is a separate file used in the encryption/decryption of data sent between server and clients.
• This key is created with the CSR.
• Private Key and Public Key are mathematical linked.
• It is the single most important component of your SSL certificate.
• Do not let this key get compromised.

CA Bundle:

• Contains root and intermediate certificates.
• Together, with server certificate, complete the SSL chain of trust.
• Especially useful for older browsers.

Certificate formats:

PEM(X.509 standard)

• Basic info + public key.
• Implementations: .pem, .crt, .cer, .key.

PKCS 12 standard

• Contains end-entity certificate, matching Private Key, may include “CA_Bundle” and can be protected.
• Implementations: .pfx, .p12.

“A” Record:

Maps a domain name to the IP address (Version 4) of the computer hosting the domain.

Domain Name

Is an identification string that defines a realm of administrative autonomy, authority, or control within the Internet.

Buying A Domain Name

The first step is to buy a domain name.

I bought “awesomedefaultwebsite.space”:

If we go ahead and make a request right now we will see the following:

This usually happens because the “A” Record is pointing to a “dummy IP address”, in this case: “66.96.162.129”.

An A record uses a domain name to find the IP address of a computer connected to the internet.

Let us change the “A” record to 143.166.83.38 (“https://www.dell.com/”).

Time To Live will determine somewhat the time that this change will take effect.

I waited a couple of minutes and made another request:

It first enters “awesomedefualtwebsite.space” and then it is redirected to “www.dell.com” as this is the IP that our “A Record” is pointing to.

Generating SSL Certificate

You can generate SSL certificate with various tool such as OpenSSL. I am going to use “sslforfree.com” services.

Create the certificate and verify information

It will ask you to choose a verification method. I chose CNAME option for verification.

It will make you create a CNAME record with a specific name and content.

It will get verified and now you can download it!

• ca_bundle.crt: intermediates certificates.
• certicate.crt: your actual certificate
• private.key: used to encrypt and decrypt data.

Let us send this whole folder to the Server.

IIS

At this point, we will need to convert our certificates into “.pfx” format. Remember this format includes private key. For personal uses you can use online SSL converters, such as SSL Converter.

However, as the private key must always remain private, it is best to do this process locally. I am going to use OpenSSL.

[openssl] pkcs12 -export -out [desiredNameWhenExported.pfx] -inkey [NameOfPrivateKey].key -in [YourCertificate].crt -certfile [IntermediateCertificate].crt

MMC

Now we need to place the certificate in the Local Computer > Personal > Certificates store. This is where IIS reads.

File >Add/Remove snap in/ Certificates / Add > Computer Account > Next > Finish > OK

There is no need to add this certificate into “Trusted Certificates” as CA of your certificate should already be at your trusted certificates.

IIS Binding

Open IIS Manager, choose your site, create a HTTPS binding, set the hostname for which the certificate was issued for and select the correct certificate from the dropdown.

Let us make a request:

• Remember to change the “A Record” so that it points to our VM’s public IP.
• Remember to open PORT 443 at VM level as well.

Conclusion

In this article we review the whole process of buying a Domain Name, generating an SSL certificate, and binding it to IIS. Certificate in the format of “.pfx” is important as it contains the Private Key which the server will use to decrypt the data that the client provided that is encrypted with the Public Key.

Keep in mind:

• Port 443 must be open at VM level.
• “A Record” must be pointing at your desired public IP.
• “CA_Bundle” contains intermediate certificates. They are not mandatory.
• IIS can only read from Local Machine Store.
• Private Key is meant to be private.
• Hostname binding in IIS must match Subject Alternative Name in order for the certificate to be consider as valid.

This is an example of how this process can be done. There are hundreds of different services to achieve same outcome. Regardless, they all share the basic principles and process should be somewhat the same.

Resources

Website Domain Names, Online Stores & Hosting - Domain.com

SSL For Free

Google Code Archive — Long-term storage for Google Code Project Hosting.