University College Worcester

COMP1321 Session 18 - Setting up a Web Server service that uses SSL to protect web pages and HTML data

Client-end https is all about connecting to a secure web server, rather than a web server that uses http on port 80 (or alternative port). This exercise will show you how to set up a secure SSL server complete with server certificate.

Exercise 18(a) Getting a Server Certificate

Step 1 – Finding the certificate authority (Verisign) website and finding the SSL link…

Before you go for your break… use the following URL to apply for an SSL server certificate:

Navigate to the option to try (trialware) on the right of the screen, and go to the 30-day trial. You’ll have to add name & address, incl. country, etc. but an SSL (Secure Sockets Layer) certificate will be available on the same basis as an email address certificate – free for the trial period, and then you have to pay or get revoked…

Step 2 – Applying for, and hopefully receiving, the Server Certificate

Once you’ve completed online registration, you’ll need to choose the webserver type, etc., and will eventually come to an option to paste some text. You have to generate this from a webserver…

(Note: The open access machines connected to the Internet are generally not even configured to use IIS, and even those that are rewrite settings at every user session! The server that will have the certificate is therefore your Windows 2003 Server in CH LG022 (of course!))

Step 3 – Preparing the CSR file for a Server Certificate (local machine)

When you have your machine running IIS (i.e.) click on the web server “properties” (as usual…) but this time click on the Directory Security tab. A wizard will open up to ease the process of obtaining and installing the Server Certificate…

Answer the questions on screen, and it will write a .txt file to a user-specified folder, as certreq.txt. If there is a higher encryption option available in the options, take it!

Step 4 – Sending the CSR to the Certificate Authority

Now, back at the Internet-enabled machine, cut-and-paste the text from certreq.txt into the screen window, and complete the wizard… a higher encryption strength (1024) may be needed, and make a note of the filename created for future reference.

From the email you eventually receive, read carefully, and cut-and-paste the certificate into a text file. Save with a new name on your memory stick.

Step 5 – Local Installation

The server certificate could then be installed on the local machine, just as you (should have!) installed a personal certificate for secure email on a machine (your own?) last week. However, this is a machine-associated certificate, rather than an email address/address book-associated certificate, and you will need to go back to the IIS wizard you used before in CH022 to complete the installation process… do it now…

Exercise 18(b) Configuring the www service to use SSL, and testing it

Once the server certificate has been installed:

1. Click on edit in the secure communications section, and enable SSL. You will probably need to tick the 128-bit box; 40-bit encryption is no longer regarded as sufficient, although you may get away with it on a test setup. If the system insists that you use the stronger type of encryption… do so.

2. Create a web page with some mock “sensitive data”, and save it in the “secure server” folder pointed to within IIS as a file with the .html suffix.

Now you’ll need the co-operation of a partner…

3. Boot up a second machine with Internet Explorer appropriately configured. Make sure the two machines have good network connectivity right up to the application layer. Now try to use this browser to access the file on the web server:

(a) as a www service using

(b) using

Is this what you would expect?

How is your server certificate configured: organisation signed? or self-signed? How do you know?

4. Now modify the HTML file & settings as appropriate to get the effect you would like. How could you change the browser settings to stop pop ups appearing? Why might this be dangerous?

Can you see how this set up would protect Internet HTML data? Do you see any problems with adding credit card data to a HTML form and sending it via https using this technique?
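
The request, signing and inspection steps of Exercise 18(a), and the organisation-signed versus self-signed question in Exercise 18(b), as an added example that is not part of the original worksheet. It assumes OpenSSL in a Unix-style shell rather than the IIS wizard, and a throwaway test CA in place of the commercial one; the names lab-server.example and "Lab Test CA" are constructed.

```shell
#!/bin/sh
# Added example: the CSR -> CA -> certificate flow, done with OpenSSL.
# Constructed names: lab-server.example, "Lab Test CA" (stand-in for the real CA).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_csr() {
    # Step 3: key pair is generated on the server; only certreq.txt leaves it.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/certreq.txt" \
        -subj "/C=GB/O=Lab/CN=lab-server.example" 2>/dev/null
}

csr_key_bits() {
    # Key size requested in the CSR: hex digits of the RSA modulus x 4.
    m=$(openssl req -in "$WORK/certreq.txt" -noout -modulus)
    m=${m#Modulus=}
    echo $(( ${#m} * 4 ))
}

sign_with_test_ca() {
    # Step 4 stand-in: a throwaway CA signs the request for 30 days.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Lab/CN=Lab Test CA" 2>/dev/null
    openssl x509 -req -in "$WORK/certreq.txt" -days 30 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

is_self_signed() {
    # Self-signed: subject and issuer are the same name AND the certificate's
    # signature verifies against its own public key.
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

issued_by() {
    # True when certificate $1 chains to CA certificate $2.
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_csr && sign_with_test_ca
echo "CSR key size: $(csr_key_bits) bits"
is_self_signed "$WORK/ca.crt" && echo "ca.crt is self-signed"
is_self_signed "$WORK/server.crt" || echo "server.crt is CA-signed"
issued_by "$WORK/server.crt" "$WORK/ca.crt" && echo "server.crt chains to ca.crt"
```

The private key file never appears in certreq.txt; a browser trusts the resulting server certificate only if the issuing CA's certificate is already in its trusted store.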

RCH13