Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Microsoft Internet Information Services (IIS)

Integration with CipherTrust Manager

search

Integration with CipherTrust Manager

This section outlines the steps to integrate Internet Information Services (IIS) with the CipherTrust Manager.

Installing SafeNet ProtectApp

To install SafeNet ProtectApp:

  1. Run the SafenetProtectAppKSPInstaller.exe installer file.

  2. Enter the KeySecure user name.

  3. Enter the KeySecure user's password.

The SafeNet ProtectApp provider is installed successfully. Next, you need to configure the properties file, ProtectAppICAPI.properties, as described below.

Configuring ProtectAppICAPI.properties

To configure the properties file:

  1. Open the ProtectAppICAPI.properties file. This file is stored at the installation directory, C:\Program Files\SafenetProtectAppKSP.

  2. Set the following parameters:

    • NAE_IP: IP address of the CipherTrust Manager.

    • NAE_Port: Port of the CipherTrust Manager.

    • Protocol: Protocol to use for communication, tcp or ssl.

  3. Save the properties file.

Creating a Certificate Request

IIS Manager does not support the creation of certificates protected by CNG Keys and these need to be created using the Microsoft command line utilities.

To generate a request for an SSL certificate linked to an RSA key:

  1. Create a request.inf file with the following information:

    [Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "C=IN,CN=IIS.com,O=Thales,OU=HSM,L=Noida,S=UP"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "SafenetProtectApp Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

    • Specify the subject details of the Domain Controller that issues the certificate.

    • Specify the key algorithm and key length (e.g. RSA).

    • Specify the Provider name as SafenetProtectApp Key Storage Provider

    • Save the file.

  2. Create the certificate request for the Certification Authority (CA) using the following command:

    certreq.exe –new request.inf request.csr

    This creates a certificate request file request.csr that can be sent to a Certificate Authority.

  3. Submit the CSR file to a CA such as VeriSign or Entrust. The CA authenticates the request and returns a signed certificate or a certificate chain.

    This can also be done using a self-signed certificate for testing purpose, using the following commands:

    openssl genrsa -aes256 -out SelfSignedCA.key 2048
openssl req -new -x509 -days 365 -key SelfSignedCA.key -out SelfSignedCA.crt
openssl x509 -req -days 365 -in request.csr -CA SelfSignedCA.crt -CAkey SelfSignedCA.key -CAcreateserial -out IISCert.crt

Importing the Self-signed Certificate into the Windows Trusted Root Certification Authorities

  1. Copy self-signed certificate to your Windows server.

  2. On the Windows server, open Control Panel.

  3. Select Manage Computer Certificates.

  4. On the Certificates - Local Computer window, double-click Trusted Root Certification Authorities.

  5. Right-click Certificates and select All Tasks > Import.

  6. On the Certificate Import wizard, click Next.

  7. Click Browse to select your self-signed certificate, and click Open.

  8. Click Next.

  9. In Certificate Store, select Place all certificates in the following store. Ensure that Trusted Root Certification Authorities is selected for Certificate store.

  10. Click Next and then Finish.

Install the Certificate

To make the certificate available for use with IIS, you need to install the certificate. To do so, execute the following command:

certreq.exe –accept somecert.cer

Where, somecert.cer is the binary signed certificate received from the CA.

Binding the Certificate with a Secure IIS Web Server

To bind the certificate with a secure IIS Web Server:

  1. Open the IIS Manager from Start > Administrative Tools > Internet Information Services (IIS) Manager.

  2. Select the desired Website from the Sites screen and click Bindings.

  3. Click Add on the Site Bindings window.

  4. Select the Protocol as https.

  5. From the IP Address drop-down list, select the IP address of the machine on which IIS is running.

  6. From the drop-down list, select the desired certificate.

  7. Click OK to complete the certificate binding for SSL connection.

  8. Open a browser and type https://<machinename>:443. If required, accept the certificate in the browser to continue with SSL connection to the IIS Web Server.

On this page