Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University
 

IIS Secure Sockets Layer (SSL) Setup Instructions

Note: Certificates will be granted only to machines in SCS-controlled DNS space, and only when requested by the person listed as the equipment or administrative contact for that machine. Clients will need to have the Carnegie Mellon Root CA certificate installed in their browser in order to seamlessly access the SSL-enabled site.

Requesting an SSL Certificate / Web Server Certificate

1. Start IIS and right click Default Web Site and select Properties from the menu.
2. When the Properties appear, click on the Directory Security tab.
3. Click on Server Certificate and follow the on screen wizard.
4. Select Prepare the request now, but send it later.
5. For the name of the certificate, enter the fully qualified DNS name of the server or site.
6. Select a bit length of 1024
7. For Organization, enter Carnegie Mellon University
8. For Organizational Unit, enter SCS - Your Department (Facilities, ISRI, HCII, Etc.)
9. For Common Name, enter the fully qualified Domain name of the machine or site URL
10. Enter the Country, State and City information (check spelling). The state, Pennsylvania, must be spelled out in full.
11. Save the request file
12. Send the request file to certificates@cs.cmu.edu to request the certificate
13. Run an MD5 checksum on the request file (see the utils folder at \\monolith\pc_dist)
14. Have this checksum handy. To verify the identity of the machine and the person requesting the certificate, a representative from the Facilities staff will call you on the telephone.

Installing your SSL Certificate / Web Server Certificate

When the issuance email arrives, there will be two certificates in the email: the server certificate for the site and a chained certificate.
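For the checksum in steps 13 and 14 of the request procedure above, the following is an added example, not part of the original instructions and not the utility in the utils folder. It computes the MD5 of a request file, shows that the value changes if line endings are rewritten between saving and checking, and compares a checksum read out over the phone. The sample request is constructed placeholder data, and all function names are hypothetical.

```python
import base64
import hashlib
import re

# Matches the "NEW CERTIFICATE REQUEST" armor and the plain PKCS #10 form.
PEM_RE = re.compile(rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)"
                    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def file_md5(raw: bytes) -> str:
    """MD5 over the exact bytes of the request file, as step 13 asks."""
    return hashlib.md5(raw).hexdigest()

def request_der(raw: bytes) -> bytes:
    """Decode the base64 body between the armor lines to DER bytes."""
    m = PEM_RE.search(raw)
    if m is None:
        raise ValueError("no certificate request block found")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if not der.startswith(b"\x30"):  # a PKCS #10 request is a DER SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der

def der_md5(raw: bytes) -> str:
    """MD5 over the decoded request; line-ending rewrites do not change it."""
    return hashlib.md5(request_der(raw)).hexdigest()

def matches(spoken: str, computed: str) -> bool:
    """Compare a checksum read out over the phone with a computed one."""
    # Drop spaces, colons and dashes people add when reading hex aloud.
    cleaned = re.sub(r"[^0-9a-fA-F]", "", spoken).lower()
    return cleaned == computed.lower()

# Constructed sample: placeholder bytes in request armor, NOT a real request.
BODY = base64.encodebytes(b"\x30\x0b" + b"constructed")
SAMPLE_CRLF = (b"-----BEGIN NEW CERTIFICATE REQUEST-----\n" + BODY +
               b"-----END NEW CERTIFICATE REQUEST-----\n").replace(b"\n", b"\r\n")
SAMPLE_LF = SAMPLE_CRLF.replace(b"\r\n", b"\n")  # same file after LF rewrite

if __name__ == "__main__":
    saved = file_md5(SAMPLE_CRLF)  # what the requester computed locally
    print("file MD5 as saved:  ", saved)
    print("file MD5 after LF:  ", file_md5(SAMPLE_LF))
    print("DER MD5 (both):     ", der_md5(SAMPLE_CRLF), der_md5(SAMPLE_LF))
    print("phone check passes: ", matches(saved.upper(), saved))
```

If the file checksum differs between the two ends while the digest of the decoded request agrees, the request itself is unchanged and only the text encoding of the file was altered.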

Copy the chained certificate into a text editor such as Notepad and save it as chain.cer.
Copy your web server certificate into a text editor such as Notepad and save it as yourdomain.cer.

First install the chained certificate as follows:

On your web server, open the Certificates snap-in in the MMC:

1. Click the Start Button then select Run and type mmc
2. Click File and select Add/Remove Snap in
3. Select Add, select Certificates from the Add Standalone Snap-in box and click Add
4. Select Computer Account and click Finish
5. Close the Add Standalone Snap-in box, click OK in the Add/Remove Snap-in

Return to the MMC:

1. Expand the Certificates entry in the MMC and right click the Intermediate Certification Authorities, select All Tasks, select Import.



2. Complete the import wizard, locating the UTN chained certificate (chain.cer) when prompted for the Certificate file to import.
3. Ensure that the UTN chained certificate appears under Intermediate Certification Authorities

Secondly, install your web server certificate:

1. Start IIS and right click Default Web Site and select Properties from the menu.



2. When the Properties appear, click on the Directory Security tab.
3. Click on Server Certificate and follow the on screen wizard:

   - Ensure that you select Process the pending request and install the certificate. Click Next.
   - Locate the yourdomain.cer file when prompted to locate your web server certificate. Click Next.
   - Review the summary screen and ensure that you are processing the correct certificate. Click Next.
   - Click Next on the confirmation screen.

4. Make sure that you have assigned Port 443 as the SSL port for https for your site. To do this, right click Properties for your website and make sure that 443 has been entered into the SSL port box.

You must restart your physical machine for the install to be completed.

Backing up your key pair file

Creating your Snap-in Management Console

Certificate Snap-in consoles (MMC) are not preconfigured. You will need to configure the Snap-in before you can perform any Export/Import functionality. To configure your Snap-in, follow the steps below. The system administrator will have to create the console.

  1. Go to Start. Select Run, Type mmc and click OK. This will bring up an empty console with no management functionality.
  2. Click on Console and select Add/Remove Snap-in.
  3. The Snap-ins added to box will list only the Console Root. Click Add.
  4. Select Certificates and then click Add.
  5. Select Computer Account.
  6. Click on Finish.
  7. Click Close.
  8. Click on OK.

Managing certificates

  1. Go to the Microsoft Management Console (MMC) and add the Snap-in for Certificates.
  2. Select the folders Console Root\Certificates(Local Computer)\Personal\Certificates.
  3. Right click on the certificate to export.
  4. Select All Tasks and Export.
  5. The Welcome to the Certificate Manager Import Wizard window opens.
    Click Next.
  6. Select Yes, export the private key. Click Next.
  7. Make sure the Personal Information Exchange - PKCS #12 (.pfx) box is selected.

    Warning: Make sure that the "Delete the private key if the export is successful" box is NOT checked.
  8. Check the box Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above). Select Next.
  9. Check the box to Include all certificates in the chain.
  10. Type and confirm your export password. (Note: this password field can be left blank, but we recommend using a good password for security.)

Warning: If you lose the password, you must request another certificate.

Save the file to a disk or other form of media. You should choose a form of media that you would be able to recover if your system has to be rebuilt. Save this file in a secure location.

If you run into problems or have questions, contact help@cs.cmu.edu