Generate and configure the SSL (Secure Sockets Layer) certificate in Windows 2003 Server using Internet Information Services (IIS) 6.0.
An SSL certificate is a file installed on your web server that secures online communications. When a web browser contacts your secured web site, the SSL certificate enables an encrypted connection.
The Public SSL is installed on the server and all clients can use it. Its certificate is self-signed and configured to work only with the server’s name. That’s why it will always show a pop-up warning when used.
On the other hand, the Private SSL is issued especially for your domain by a trusted authority. Browsers can validate the private SSL and will show a secure icon.
iOS 4 can use both HTTP and HTTPS, but iOS 5 requires all communication over HTTPS, so your Policy (Communication) server must use an SSL certificate.
To generate and configure the SSL certificate in Windows 2003 Server using Internet Information Services (IIS) 6.0:
The following procedure is for a Private SSL Certificate.
- Install the Certification Authority Server.
When the Policy server and the Master server are installed on the same system, the OfficeScan virtual website is shared, meaning both the Policy server and the Master server use the same folder. Follow the procedure below when you have both the Policy server and the Master server installed on the same machine.
- Create a Certificate Signing Request (CSR).
This procedure temporarily makes your OfficeScan web console inaccessible, because no SSL certificate is bound to the site until the new one is installed.
- Open the IIS Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager.
- In IIS Manager, double-click the local computer.
- Right-click OfficeScan and select Properties. Select the Directory Security tab, and then click the Server Certificates button in the Security section. This starts the Web Server Certificate Wizard.
- Click Next to continue.
- Select Remove the current certificate, then click Next to continue.
OfficeScan's default SSL certificate uses a 1024-bit key. Use a 2048-bit key instead. Because OfficeScan already has a default SSL certificate, the wizard offers no option to create a new one; you need to remove the current certificate and replace it with a new one that uses a 2048-bit key.
- Removing the certificate does not completely delete it from the certificate list. Click Finish to confirm certificate removal.
- Again, click the Server Certificates button then click Next. Select Create a new certificate, then click Next to continue.
- Select Prepare the request now, but send it later. Click Next to continue.
- In the Bit Length field, select 2048 for the encryption level, then tick Select cryptographic service provider (CSP) for this certificate. Click Next.
- From the Available Providers window, select Microsoft RSA SChannel Cryptographic Provider, and then click Next.
- Enter the legal name of your Organization and the Organizational Unit, which is the department within your organization. Click Next.
- In the Common name field, enter the NetBIOS name, FQDN or IP address of the server. Click Next.
The same name must be used in TMMS’ communication settings between your Master and Policy Server.
- Enter the Country/Region, State/Province, and City/Locality of your organization. Click Next to continue. In the Certificate Request File Name window, save the CSR to your computer. Take note of the location and filename.
- Review the information for the certificate request in the Request File Summary window. To make revisions, click Back; otherwise click Next, then click Finish.
- Go to Administrative Tools > Certification Authority.
- Right-click the server name, and then select All Tasks > Submit new request. Locate and select the CSR created.
- Go to Pending Requests. Right-click the request and then select Issue. The request immediately disappears and reappears under Issued Certificates.
- Export the child certificate. Double-click the newly signed and issued certificate; the Certificate window opens. Click the Details tab, then click the Copy to File button. The Certificate Export Wizard appears.
- Click Next.
- Select DER encoded binary X.509 (.CER), and then click Next. Save the file to a target directory and name it “Child-CA.cer”, so that it can be distinguished as the child certificate.
- Click Next.
- Verify the information then click Finish. A window appears saying the export was successful. Click OK to close the window.
- Export the root certificate. On the same Certificate window click Certification Path then select the root certificate. Click View Certificate.
- Click the Details tab and click the Copy to File button. The Certificate Export Wizard appears; click Next to continue. Select the DER encoded binary X.509 (.CER) option, and then click Next.
- Save the file to a target directory and name it “Root-CA.cer” so that it can be distinguished as the root certificate. Verify the information and click Finish.
A window should appear saying that the export was successful. Click Finish to close the windows.
- Open IIS Manager and then right-click OfficeScan, and then select Properties.
- Go to the Directory Security tab and then click Server Certificate. At this point, since no certificate is used by the OfficeScan virtual website, the View Certificate button is greyed out.
- Click Server Certificate > Next. Click Process the pending request and install the certificate > Next.
- Locate and select the child certificate and then when prompted for the SSL port, set it to 4343.
- Click Next.
- Review and verify information. Click Finish to complete the request.
Click Finish to close all windows.
- Restart the OfficeScan virtual website to make sure that the changes take effect.
You should be able to access the OfficeScan management console. This means that the new certificate has been bound to the OfficeScan virtual website.
The example below shows the difference between accessing the web console through the IP address and through the FQDN.
When using the IP address, the browser no longer prompts a certificate error and shows a lock icon right after the address bar, because the site’s common name is the IP address. When accessing the web console through the FQDN, the browser still prompts a certificate error and shows no lock icon.
Be sure which name to use as your site’s common name. If you later wish to switch to the FQDN or NetBIOS name, you need to redo all the steps above.
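A quick way to confirm the two things this procedure depends on, without opening the certificate in the GUI: that the exported certificate (Child-CA.cer) carries a 2048-bit RSA key, and that its common name is exactly the name you will type in the address bar. The following is an added example, not part of the original article or of the OfficeScan product; it parses the DER file with the standard library only, and `sample_cert` builds a constructed, unsigned fixture purely so the checks can be exercised offline.

```python
CN_OID = b"\x55\x04\x03"                           # id-at-commonName (2.5.4.3)
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # rsaEncryption (1.2.840.113549.1.1.1)

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length (value >= 128 bytes)
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def _items(buf, pos=0):
    """List the (tag, value) pairs inside a constructed DER value."""
    if pos >= len(buf):
        return []
    tag, val, nxt = _tlv(buf, pos)
    return [(tag, val)] + _items(buf, nxt)

def inspect_der_cert(der):
    """Return the subject CN and RSA modulus size (bits) of a DER X.509 certificate."""
    fields = _items(_items(_tlv(der)[1])[0][1])     # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                        # skip the optional [0] version
        fields = fields[1:]
    subject, spki = fields[4][1], fields[5][1]      # serial, sigAlg, issuer, validity, subject, SPKI
    cn = next(v.decode() for _, rdn in _items(subject) for _, atv in _items(rdn)
              for (_, oid), (_, v) in [_items(atv)] if oid == CN_OID)
    alg, pubkey = (v for _, v in _items(spki))
    assert _items(alg)[0][1] == RSA_OID, "not an RSA key"
    modulus = _items(_tlv(pubkey, 1)[1])[0][1]      # BIT STRING: byte 0 is the unused-bits count
    return {"cn": cn, "key_bits": int.from_bytes(modulus, "big").bit_length()}

def check_cert(der, hostname, min_bits=2048):
    """List what a browser would flag for the name typed in the address bar."""
    info = inspect_der_cert(der)
    problems = [f"key is {info['key_bits']} bits, want >= {min_bits}"] if info["key_bits"] < min_bits else []
    if info["cn"].lower() != hostname.lower():     # CN must equal the name used (IP, FQDN or NetBIOS)
        problems.append(f"CN {info['cn']!r} does not match {hostname!r}")
    return problems

def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 128 else bytes([0x80 | len(lb)]) + lb) + body
def sample_cert(cn, key_bits):
    """Constructed fixture: an X.509 skeleton (no real key or signature) with this CN and key size."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))
    modulus = ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8 + 1, "big")  # leading 0x00 per DER
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b"")) + _der(0x03, b"\x00" +
           _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + name
          + _der(0x30, _der(0x17, b"240101000000Z") * 2) + name + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

On a real export, run `check_cert(open("Child-CA.cer", "rb").read(), "192.168.1.10")` with whichever name (IP, FQDN or NetBIOS) users will type; an empty list means no key-length or common-name complaint.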
For Public SSL certificate:
- Follow the instructions on the public issuer’s web site on how to submit a certificate signing request. Creating the CSR follows the same steps as above.
- After submitting the CSR and receiving the signed certificate, follow the steps provided by the issuer on how to apply the signed certificate on a specific operating system.
- Open IIS Manager then right-click OfficeScan.
- Go to Directory Security tab. Click the Server Certificate button.
- Click Export the current certificate to a .pfx file > Next. Select a target directory and filename.
- Enter the password and click Next. Review and verify the information.
- Click Next > Finish to complete the export.
- Upload the certificate. For more information, refer to the following topic from the Installation and Deployment Guide: Trend Micro Mobile Security – Client Profile Signing Credentials.
- Install the root certificate on your computer:
- Double-click the root certificate.
- On the Certificate window, click Install Certificate.
- On the welcome screen, click Next.
- Keep the default settings, and then click Next.
- Click Finish to start the installation. A pop-up message displays notifying you that the certificate import was successful.
- Download and install the iPhone Configuration Utility.
- Create a Profile for iOS mobile devices:
- Start the iPhone Configuration Utility.
- Click Configuration Profiles from the Library list on the left pane.
- Click New to add a new profile in the profiles list.
- Select the new profile that you have created, and then select Credentials on the center pane.
- Click Configure on the Configure Credentials found on the right pane. The Personal Certificate Store displays.
- Select the root certificate from the list, and then click OK.
- Click General on the center pane, and then type the necessary information in the fields provided on the Identity area.
- Install the profile on the iOS mobile device:
- Connect the iOS mobile device to the computer where you have installed the root certificate.
- Select the iOS mobile device from the list on the left pane.
- On the Configuration Profiles tab, select the profile you just created, and then click Install. The iPhone Configuration Utility pushes the profile to the mobile device.
- On the mobile device, tap Install on the Install Profile screen.
- Tap Install Now on the Root Certificates pop-up message. The profile installation starts.
- After the profile is installed, tap Done on the Profile Installed screen.