Integration with CipherTrust Manager
This section outlines the steps to integrate Internet Information Services (IIS) with the CipherTrust Manager.
Installing SafeNet ProtectApp
To install SafeNet ProtectApp:
Run the SafenetProtectAppKSPInstaller.exe installer file.
Enter the KeySecure user name.
Enter the KeySecure user's password.
The SafeNet ProtectApp provider is installed successfully. Next, you need to configure the properties file, ProtectAppICAPI.properties, as described below.
Configuring ProtectAppICAPI.properties
To configure the properties file:
Open the ProtectAppICAPI.properties file. This file is stored at the installation directory, C:\Program Files\SafenetProtectAppKSP.
Set the following parameters:
NAE_IP: IP address of the CipherTrust Manager.
NAE_Port: Port of the CipherTrust Manager.
Protocol: Protocol to use for communication, tcp or ssl.
Save the properties file.
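The following PowerShell script is an added example, not part of the Thales documentation. It reads ProtectAppICAPI.properties and flags the settings that matter from a security standpoint: a missing NAE_IP or NAE_Port, an invalid port, and Protocol set to tcp, which carries the application's key-management traffic to the CipherTrust Manager without encryption. The installation path and the key=value layout are assumed from the text above; any other keys in the real file are ignored.

```powershell
# Added example: validate the security-relevant settings in ProtectAppICAPI.properties.
# Assumes the installation path given in the text and a simple key=value layout.
$propsPath = 'C:\Program Files\SafenetProtectAppKSP\ProtectAppICAPI.properties'

function Read-ProtectAppProperties {
    param([string]$Path)
    $props = @{}
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        # Skip blank lines and comments (# or ! as in Java-style .properties files)
        if ($trimmed -eq '' -or $trimmed.StartsWith('#') -or $trimmed.StartsWith('!')) { continue }
        $idx = $trimmed.IndexOf('=')
        if ($idx -lt 1) { continue }
        $props[$trimmed.Substring(0, $idx).Trim()] = $trimmed.Substring($idx + 1).Trim()
    }
    return $props
}

function Test-ProtectAppProperties {
    param([hashtable]$Props)
    $findings = @()
    foreach ($required in 'NAE_IP', 'NAE_Port', 'Protocol') {
        if (-not $Props.ContainsKey($required) -or $Props[$required] -eq '') {
            $findings += "Missing value for $required"
        }
    }
    # -or short-circuits, so the [int] cast only runs on an all-digit value
    if ($Props['NAE_Port'] -and ($Props['NAE_Port'] -notmatch '^\d+$' -or [int]$Props['NAE_Port'] -gt 65535)) {
        $findings += "NAE_Port is not a valid TCP port: $($Props['NAE_Port'])"
    }
    switch ($Props['Protocol']) {
        'ssl' { }
        'tcp' { $findings += 'Protocol=tcp: traffic to the CipherTrust Manager is unencrypted; use ssl' }
        default { $findings += "Unrecognised Protocol value: $($Props['Protocol'])" }
    }
    return $findings
}

$findings = Test-ProtectAppProperties (Read-ProtectAppProperties -Path $propsPath)
if ($findings.Count -eq 0) {
    Write-Output 'ProtectAppICAPI.properties: OK'
} else {
    $findings | ForEach-Object { Write-Output "WARNING: $_" }
    exit 1
}
```

Run it after saving the properties file; a non-zero exit code makes it usable as a post-install check in a deployment pipeline.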
Creating a Certificate Request
IIS Manager does not support the creation of certificates protected by CNG Keys and these need to be created using the Microsoft command line utilities.
To generate a request for an SSL certificate linked to an RSA key:
Create a request.inf file with the following information:
[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "C=IN,CN=IIS.com,O=Thales,OU=HSM,L=Noida,S=UP"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "SafenetProtectApp Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
Specify the subject details of the Domain Controller that issues the certificate.
Specify the key algorithm and key length (e.g. RSA).
Specify the Provider name as SafenetProtectApp Key Storage Provider.
Save the file.
Create the certificate request for the Certification Authority (CA) using the following command:
certreq.exe -new request.inf request.csr
This creates a certificate request file request.csr that can be sent to a Certificate Authority.
Submit the CSR file to a CA such as VeriSign or Entrust. The CA authenticates the request and returns a signed certificate or a certificate chain.
This can also be done using a self-signed certificate for testing purposes, using the following commands:
openssl genrsa -aes256 -out SelfSignedCA.key 2048
openssl req -new -x509 -days 365 -key SelfSignedCA.key -out SelfSignedCA.crt
openssl x509 -req -days 365 -in request.csr -CA SelfSignedCA.crt -CAkey SelfSignedCA.key -CAcreateserial -out IISCert.crt
Importing the Self-signed Certificate into the Windows Trusted Root Certification Authorities
Copy self-signed certificate to your Windows server.
On the Windows server, open Control Panel.
Select Manage Computer Certificates.
On the Certificates - Local Computer window, double-click Trusted Root Certification Authorities.
Right-click Certificates and select All Tasks > Import.
On the Certificate Import wizard, click Next.
Click Browse to select your self-signed certificate, and click Open.
Click Next.
In Certificate Store, select Place all certificates in the following store. Ensure that Trusted Root Certification Authorities is selected for Certificate store.
Click Next and then Finish.
Install the Certificate
To make the certificate available for use with IIS, you need to install the certificate. To do so, execute the following command:
certreq.exe -accept somecert.cer
Where somecert.cer is the binary signed certificate received from the CA.
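The following PowerShell script is an added example, not part of the Thales documentation. It carries out the request and installation steps above end to end (writing request.inf, running certreq -new, then certreq -accept once the CA has returned the certificate) and adds the check a practitioner wants afterwards: confirming that the installed certificate's private key is actually held by the SafenetProtectApp Key Storage Provider rather than by a Windows software provider. The subject, file names and the out-of-band CA step are assumptions for this example.

```powershell
# Added example: create the CNG-backed request, install the signed certificate,
# and verify that the private key really lives in the SafeNet KSP.
# The subject, file names and CA step are assumptions; adjust for your environment.
$provider = 'SafenetProtectApp Key Storage Provider'
$subject  = 'C=IN,CN=IIS.com,O=Thales,OU=HSM,L=Noida,S=UP'
$infPath  = Join-Path $PWD 'request.inf'
$csrPath  = Join-Path $PWD 'request.csr'

# Same content as the request.inf shown above; $ is escaped so the here-string
# does not try to expand $Windows as a variable.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$subject"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "$provider"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key in the KSP and write the CSR.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Submit request.csr to your CA out of band. The signed certificate is assumed
# to come back as IISCert.cer in the current directory.
$cerPath = Join-Path $PWD 'IISCert.cer'
& certreq.exe -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Verification: find the installed certificate by subject and confirm which
# CNG provider holds its private key. A software provider here means the key
# was never created in the CipherTrust Manager.
function Get-KspBackedCertificate {
    param([string]$SubjectCn, [string]$ExpectedProvider)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectCn*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with private key found for CN=$SubjectCn" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
        throw "Private key for $($cert.Thumbprint) is not a CNG key (type: $($rsa.GetType().Name))"
    }
    $actual = $rsa.Key.Provider.Provider
    if ($actual -ne $ExpectedProvider) {
        throw "Private key for $($cert.Thumbprint) is held by '$actual', expected '$ExpectedProvider'"
    }
    Write-Output "OK: $($cert.Thumbprint) key is held by '$actual'"
    return $cert
}

$cert = Get-KspBackedCertificate -SubjectCn 'IIS.com' -ExpectedProvider $provider
```

The provider check relies on RSACertificateExtensions.GetRSAPrivateKey, which is available in Windows PowerShell 5.1 and later; run the script from an elevated prompt because the key is created with MachineKeySet = True.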
Binding the Certificate with a Secure IIS Web Server
To bind the certificate with a secure IIS Web Server:
Open the IIS Manager from Start > Administrative Tools > Internet Information Services (IIS) Manager.
Select the desired Website from the Sites screen and click Bindings.
Click Add on the Site Bindings window.
Select the Protocol as https.
From the IP Address drop-down list, select the IP address of the machine on which IIS is running.
From the drop-down list, select the desired certificate.
Click OK to complete the certificate binding for SSL connection.
Open a browser and type https://<machinename>:443. If required, accept the certificate in the browser to continue with the SSL connection to the IIS Web Server.
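The following PowerShell script is an added example, not part of the Thales documentation. It performs the same binding as the IIS Manager steps above using the WebAdministration module, and then verifies the result by opening a TLS connection and comparing the leaf certificate the server presents with the one that was bound, rather than relying on the browser. The site name, IP address selection and subject lookup are assumptions for this example.

```powershell
# Added example: bind an HTTPS site to the installed certificate with the
# WebAdministration module, then confirm the server actually presents it.
# Site name, IP address and thumbprint lookup are assumptions for this example.
Import-Module WebAdministration

$siteName  = 'Default Web Site'
$ipAddress = '*'          # or the server's IP address, as selected in IIS Manager
$port      = 443
$subjectCn = 'IIS.com'

# Pick the certificate that was installed with certreq -accept.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$subjectCn*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for CN=$subjectCn" }

# Add the https binding if it does not exist yet.
$existing = Get-WebBinding -Name $siteName -Protocol https -Port $port -ErrorAction SilentlyContinue
if (-not $existing) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress $ipAddress
}

# Associate the certificate with the binding; IIS:\SslBindings paths are ip!port,
# with 0.0.0.0 standing for "all unassigned".
$sslPath = "IIS:\SslBindings\$($ipAddress -replace '^\*$', '0.0.0.0')!$port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Verification: open a TLS connection and compare the presented leaf certificate
# with the one we bound.
function Test-ServedCertificate {
    param([string]$HostName, [int]$Port, [string]$ExpectedThumbprint)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the goal is to read the leaf, not to validate trust.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return ($served.Thumbprint -eq $ExpectedThumbprint)
    } finally {
        $client.Close()
    }
}

if (Test-ServedCertificate -HostName $env:COMPUTERNAME -Port $port -ExpectedThumbprint $cert.Thumbprint) {
    Write-Output "https binding on port $port presents certificate $($cert.Thumbprint)"
} else {
    throw "Server on port $port presented a different certificate than expected"
}
```

The thumbprint comparison catches the common mistake of binding a stale or software-backed certificate with the same subject; the validation callback that returns $true is deliberate here and must not be copied into client code that is meant to verify trust.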