Configuring IIS7 (Win2008) with CNG
This section describes how to configure Microsoft Internet Information Services 7 (IIS7) on Windows Server 2008 for use with CNG.
To configure IIS7 on Windows Server 2008 for use with CNG
- Install and configure your HSM.
- Install and configure the KSP:
  - Register your cryptoki.dll file.
  - Register your slot for Administrator/(Server name or Domain name) and again for System/NT Authority.
- Create a policy file to generate a cert request. Normally, you can do this directly through the GUI, but the KSP is not yet recognized through the GUI. The policy file (call it policy.inf) should look like this:

    [NewRequest]
    KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
    ProviderType = 1
    RequesterName = OTT1-HANNIBAL\Administrator
    RequestType = PKCS10
    ProviderName = "SafeNet Key Storage Provider"
    Subject = "CN=OTT1-HANNIBAL,O=CompanyName"
    KeyContainer = "OTT1-HANNIBAL"
    MachineKeySet = true
    HashAlgorithm = sha256
    KeyAlgorithm = RSA
    KeyLength = 2048

- Using the above file, create your cert request:

    C:\>certreq -new policy.inf cert.req
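To script the request step, here is an added example that is not part of the SafeNet document: it writes policy.inf with the same [NewRequest] values from parameters, runs certreq, and then asks certutil to list the key containers held by the KSP so you can confirm the key pair was created on the HSM rather than in a software provider. The C:\certreq working folder and the assumption that the vendor KSP supports key enumeration through certutil -key are mine, not the page's.

```powershell
# Added example, not from the SafeNet document. Generates policy.inf from parameters,
# runs certreq, and checks that the resulting key container is reported by the KSP.
# Run from an elevated PowerShell prompt on the IIS server after the KSP is registered.
param(
    [string]$HostName     = $env:COMPUTERNAME,            # e.g. OTT1-HANNIBAL
    [string]$Organization = "CompanyName",
    [string]$ProviderName = "SafeNet Key Storage Provider",
    [string]$WorkDir      = "C:\certreq"                  # assumed working folder
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$infPath = Join-Path $WorkDir "policy.inf"
$reqPath = Join-Path $WorkDir "cert.req"

# Same [NewRequest] section as the document, with the machine-specific values filled in.
# NCRYPT_ALLOW_DECRYPT_FLAG permits RSA key exchange for TLS; MachineKeySet keeps the key
# in the machine (not user) context so the IIS worker process can reach it.
$inf = @"
[NewRequest]
Subject          = "CN=$HostName,O=$Organization"
KeyContainer     = "$HostName"
ProviderName     = "$ProviderName"
ProviderType     = 1
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequesterName    = $HostName\Administrator
RequestType      = PKCS10
MachineKeySet    = true
HashAlgorithm    = sha256
KeyAlgorithm     = RSA
KeyLength        = 2048
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

& certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host "Request written to $reqPath; submit it to your CA."

# Confirm the key pair was created in the KSP (i.e. on the HSM). This assumes the vendor
# KSP implements key enumeration for certutil; if it does not, verify with the HSM's own tools.
$containers = & certutil -csp $ProviderName -key
if ($containers -match [regex]::Escape($HostName)) {
    Write-Host "Key container '$HostName' is present in '$ProviderName'."
} else {
    Write-Warning "Key container '$HostName' not listed by '$ProviderName'; re-check the KSP slot registration."
}
```

If the container is missing from the KSP listing but certreq succeeded, the key was most likely generated by a software provider, which defeats the purpose of the HSM; fix the ProviderName or the slot registration before submitting the request to the CA.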
- Submit your cert request to a CA and obtain a signed cert, and the root cert of the CA. Move these certificates to your IIS server.
- Install the root certificate:
  - Open the root cert file and select “Install Certificate.”
  - At the Welcome screen, select Next.
  - You’ll need to specify the Certificate Store to be used. Select the “Place all certificates in the following store” radio button, and select the “Browse…” button.
  - In the Select Certificate Store window that opens, put a check in the “Show physical stores” box, locate and expand Trusted Root Certification Authorities, select “Local Computer,” then select OK.
- Open Server Manager and select “Add Roles” to install Web Server (IIS). Configure to your needs, though the default options will do for the purposes of this document.
- When the installation is complete, expand the Roles tree from the left-hand pane, then expand Web Server (IIS) and select “Internet Information Services (IIS) Manager,” then select the object name (most likely your server’s name) from the Connections pane, as shown below:
- Under the Home pane, open Server Certificates, then select “Complete Certificate Request…” from the Actions pane.
- Complete the form that opens; select the path to your certificate, choose a friendly name for that certificate, and select OK:
- The certificate list will then be populated by the certificate you specified:
- Under the Connections pane, expand the server host name tree (in the example below, OTT1-HANNIBAL), then expand the Sites tree, and select “Default Web Site”:
- Select “Bindings” from the Actions pane on the right-hand side. This opens the Site Bindings box.
- Select Add, and make the following selections:
    Type — https
    IP Address — Can be left as “All unassigned”
    Port — Can be left as 443
    SSL certificate — Select the friendly name you assigned to your certificate when you completed the cert request.
  Select OK to continue.
- Under the Actions pane, you will now have a link labeled “Browse *:443 (https)” (this may appear slightly different, depending on the IP Address options you set in the previous step).
- Select this link and it will show you your default webpage over a secure connection. Configure your website as needed.
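Once the binding is in place, the following checks (added here; not part of the SafeNet document) confirm from the command line that the certificate is in the machine store, that certutil reports its private key under the KSP and can exercise it, and that the https binding on 0.0.0.0:443 points at that certificate. The default friendly name and the regular expressions over certutil and netsh output are my assumptions about their text format.

```powershell
# Added example, not from the SafeNet document. Verifies the finished configuration:
# certificate in LocalMachine\My, private key held by the KSP, and the https binding
# on port 443 using that certificate. Run from an elevated PowerShell prompt.
param(
    [string]$FriendlyName = "OTT1-HANNIBAL",                # assumed: the friendly name you gave in IIS Manager
    [string]$ProviderName = "SafeNet Key Storage Provider",
    [string]$IpPort       = "0.0.0.0:443"                   # "All unassigned" on port 443
)

$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) { throw "Expected exactly one certificate with friendly name '$FriendlyName', found $($certs.Count)." }
$cert = $certs[0]
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }

# .NET's X509Certificate2.PrivateKey only understands CAPI providers, so for a CNG key
# ask certutil instead; it prints the provider and performs a test operation with the key.
# The regexes assume certutil's usual 'Provider = ...' and '... test passed' lines.
$store = & certutil -store my $cert.Thumbprint
$providerLine = $store | Where-Object { $_ -match '^\s*Provider\s*=\s*(.+?)\s*$' } | Select-Object -First 1
if (-not $providerLine) { throw "certutil reports no private key for thumbprint $($cert.Thumbprint)." }
$provider = [regex]::Match($providerLine, '=\s*(.+?)\s*$').Groups[1].Value
if ($provider -ne $ProviderName) { throw "Private key is in '$provider', not in '$ProviderName'; it is not on the HSM." }
if (-not ($store -match '(Encryption|Signature) test passed')) {
    Write-Warning "certutil could not exercise the private key; check HSM connectivity and the slot registration."
}

# Confirm the SSL binding IIS created points at this certificate.
$ssl = & netsh http show sslcert ipport=$IpPort
$hashLine = $ssl | Where-Object { $_ -match 'Certificate Hash\s*:\s*[0-9A-Fa-f]+' } | Select-Object -First 1
if (-not $hashLine) { throw "No SSL binding registered for $IpPort." }
$boundHash = [regex]::Match($hashLine, '[0-9A-Fa-f]{40}').Value
if ($boundHash -ne $cert.Thumbprint) { throw "Binding on $IpPort uses $boundHash, not $($cert.Thumbprint)." }   # -ne is case-insensitive
Write-Host "OK: '$FriendlyName' ($($cert.Thumbprint)) is held by '$ProviderName' and bound on $IpPort."
```

The provider check is the one that matters for the HSM deployment: a certificate can complete and bind successfully even if its key was generated by the Microsoft software KSP, and only the Provider line (or the HSM's own tools) tells you where the private key actually lives.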