Configure SSL on IIS

To encrypt traffic between the web server and the client browser, as well as to protect privileged passwords while they are in transit, you must configure SSL. Privileged Identity does not come with a pre-installed certificate. Rather, you must obtain a certificate from a public certificate authority, from an internal private certificate authority, or by using a free utility. You can also use a self-signed certificate or create one in IIS.

IMPORTANT

Because SSL and early versions of TLS have certain security flaws, Microsoft recommends disabling SSL v3 and earlier and forcing the use of TLS 1.2.

For more information, please see this Microsoft article on disabling older versions of SSL and TLS: https://technet.microsoft.com/en-us/library/security/3009008.aspx.
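As an added example that is not part of the original page or the Privileged Identity product, the following PowerShell applies the recommendation above through the Schannel registry keys that IIS honours: SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are switched off for the server side and TLS 1.2 is left on. It also reads the values back so the change can be checked before the required reboot.

```powershell
# Added example (not from the page or the Privileged Identity product): turn off
# SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 for the server side of Schannel and leave
# TLS 1.2 on. Run from an elevated prompt; Schannel reads these values at boot,
# so the server must be restarted before the change takes effect.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelServerProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,      # e.g. 'SSL 3.0' or 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = Join-Path $base "$Name\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 switches the protocol off; DisabledByDefault = 1 also keeps it
    # out of the default set offered to applications that do not pick a version.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Force `
        -Value ([int]$Enabled) | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Force `
        -Value ([int](-not $Enabled)) | Out-Null
}

# Reads the current state back so the change can be checked before rebooting.
function Get-SchannelServerProtocol {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $base "$proto\Server"
        $p = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = if ($null -ne $p) { $p.Enabled } else { 'system default' }
            DisabledByDefault = if ($null -ne $p) { $p.DisabledByDefault } else { 'system default' }
        }
    }
}

# Weak protocols off, TLS 1.2 on, then show the resulting table.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' |
    ForEach-Object { Set-SchannelServerProtocol -Name $_ -Enabled $false }
Set-SchannelServerProtocol -Name 'TLS 1.2' -Enabled $true
Get-SchannelServerProtocol | Format-Table -AutoSize
```

Clients that only speak the disabled versions will no longer be able to connect, so confirm that every system that calls the web service supports TLS 1.2 before rebooting.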

Create an SSL Certificate

Internet Information Services (IIS) Manager

  1. On the web app host server, open Internet Information Services (IIS) Manager.
  2. From the Connections pane, select your server node.
  3. From the center pane, open Server Certificates.

Create Certificate Request

  1. To create a certificate request to a third-party certificate authority, select Create Certificate Request from the Actions pane.

Request Certificate - Distinguished Name Properties

  1. On the Distinguished Name Properties dialog, enter the Common name (the name of the server as entered in a browser). Fill in all fields, and then click Next.

Request Certificate - Cryptographic Service Provider Properties

  1. Select the appropriate Cryptographic service provider.
  2. Set the Bit length to 2048 bits or higher to maintain compatibility with modern browsers and systems.
  3. Click Next.

Request Certificate - File Name

  1. Enter a name for the certificate request file, and then click Finish.

Complete Certificate Request

  1. You must now send the certificate request file to the certificate authority. Once they have signed your certificate and returned it to you, select Complete Certificate Request from the Actions pane.

Complete Certificate Request - Specify Certificate Authority Response

  1. Browse to the signed certificate file.
  2. In Friendly Name, enter a name for easy identification.
  3. Select Web Hosting as the certificate store, and then click OK.
  4. The certificate is added to the Server Certificates list.
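The same request can be produced from an elevated PowerShell prompt with certreq, which is useful on a server without a desktop session. This is an added example, not part of the original page or the Privileged Identity product; the host name, organisation fields and working folder are placeholders. It applies the same settings the wizard asks for (distinguished name, the RSA Schannel provider, a 2048-bit key) and adds a Subject Alternative Name, because current browsers ignore the Common name when checking the host.

```powershell
# Added example (not from the page or the Privileged Identity product): create a
# certificate request equivalent to the IIS Manager wizard, then complete it with
# the CA's signed response. Run elevated so the key lands in the machine key store.
$hostName = 'pi.example.com'   # placeholder: the name users type in the browser
$workDir  = 'C:\certs'         # placeholder working folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

@"
[NewRequest]
Subject = "CN=$hostName, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "Privileged Identity web app"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
"@ | Set-Content -Path "$workDir\request.inf" -Encoding ASCII

# Step 1: build the request. The private key stays on this server; only the
# .csr file is sent to the certificate authority.
certreq -new "$workDir\request.inf" "$workDir\request.csr"

function Complete-CertRequest {
    param([Parameter(Mandatory)][string]$SignedCerPath)
    # Step 2: pair the CA's response with the pending private key. certreq installs
    # the result in LocalMachine\My (Personal); IIS can bind certificates from that
    # store as well as from Web Hosting.
    certreq -accept -machine $SignedCerPath
}

# After the CA returns the signed certificate, for example as C:\certs\signed.cer:
#   Complete-CertRequest -SignedCerPath "$workDir\signed.cer"
# Then verify: HasPrivateKey must be True or IIS cannot use the certificate.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" } |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
```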

IMPORTANT

Domain certificates are intended for use only with members of your internal Windows domain. Otherwise, you should use a certificate signed by a trusted root certificate authority.

Create Domain Certificate

  1. To create a certificate request to an in-house certificate authority, select Create Domain Certificate from the Actions pane. 

Create Certificate - Distinguished Name Properties

  1. On the Distinguished Name Properties dialog, enter the Common name (the name of the server as entered in a browser). Fill in all fields, and then click Next.

Create Certificate - Online Certification Authority

  1. In Specify Online Certification Authority, enter or search for the path of a certificate authority in your Windows domain.
  2. In Friendly name, enter a name for easy identification.
  3. Click Finish.
  4. The certificate is added to the Server Certificates list.

IMPORTANT

We do not recommend using a self-signed certificate in a production environment, as no other system will trust that certificate. Some components and systems do not work with untrusted certificates. A self-signed certificate must be distributed and installed on every system that will connect to the web app or web service. Otherwise, those components won't work and will generate a certificate error every time a connection is attempted. Instead, you should use a certificate signed by a trusted root certificate authority.

Create Self-Signed Certificate

  1. To create a self-signed certificate, select Create Self-Signed Certificate from the Actions pane.

Create Self-Signed Certificate - Specify Friendly Name

  1. Enter a name for easy identification, and then click OK.
  2. The certificate is added to the Server Certificates list.

Configure the Web App to Use Your Certificate

IIS Manager - Site Bindings

  1. On the web app host server, open Internet Information Services (IIS) Manager.
  2. From the Connections pane, expand your server node, and then click Sites.
  3. From the center pane, select the web site that hosts your Privileged Identity web app.
  4. From the Actions pane, select Bindings.

Site Bindings

  1. From the Site Bindings dialog, click Add.

Add Site Binding

  1. From the Type dropdown, select https.
  2. From the IP address dropdown, select an IP or select All Unassigned.
  3. You may leave Port as the default unless your network settings require you to change it.
  4. Enter the Host name for your site.

Note: If you changed the Port, you must include it in the URL as https://address:port_###/.

  5. If the host name (virtual domain) must be included as part of the SSL negotiation, you may check Require Server Name Indication.
  6. Select the appropriate certificate from the SSL certificate dropdown.
  7. Click OK.
  8. The HTTPS binding is now added to the web site. Click Close.

IIS Manager - Default Web Site Home

  1. To require the web site to use SSL, select your site node from the Connections pane of IIS Manager.
  2. In the IIS section of the center pane, open SSL Settings.

Require SSL

  1. Select Require SSL, and then click Apply.
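The binding and Require SSL steps above can also be scripted with the WebAdministration module, which is handy when several web app servers must be configured the same way. This is an added example, not part of the original page or the Privileged Identity product; the site name, host name and port are placeholders, and it assumes the certificate is already installed in LocalMachine\My with its private key.

```powershell
# Added example (not from the page or the Privileged Identity product): add the
# HTTPS binding and enforce Require SSL with the WebAdministration module instead
# of the IIS Manager dialogs. Run from an elevated prompt.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # placeholder: the site hosting the web app
$hostName = 'pi.example.com'     # placeholder: the name users type in the browser
$port     = 443                  # leave the default unless your network requires otherwise

# Pick the newest usable certificate issued for this host name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $hostName" }

# Type https, IP address All Unassigned (*), host name set. SslFlags 1 is the
# Require Server Name Indication checkbox, so other sites can share this IP/port.
New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*' `
    -HostHeader $hostName -SslFlags 1

# Equivalent of choosing the certificate in the SSL certificate dropdown.
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName -Port $port
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Require SSL: plain HTTP requests to the site now receive 403.4 instead of content.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Check the result: the binding should show *:443:<host name> with sslFlags 1,
# and the access section should report Ssl.
Get-WebBinding -Name $siteName -Protocol https | Select-Object bindingInformation, sslFlags
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

If you changed the port, clients must include it in the URL exactly as the note above describes, and any firewall rules must allow the new port.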