Convert PEM file to PKCS#12 format for Windows IIS Web Server
We assume you've followed the instructions at How to get a DOEGrids Certificate for Fermilab Hosts or Services (Grid and Web) and now have a PEM file. You'll need to convert this PEM file into a PKCS #12 file for import into your Windows IIS server. To do so, run the following command on a machine that has OpenSSL installed (this may be your Windows machine). For the sample command, we'll assume you pick a good password (the password is optional but recommended), that your fully-qualified host name is faz.dhcp.fnal.gov, and that the PEM file is in the current directory (if not, give the path to it):
openssl pkcs12 -export -passout pass:"<enter a good password>" -in faz.dhcp.fnal.gov.pem -out faz.dhcp.fnal.gov.p12 -name "faz.dhcp.fnal.gov"
You should now have the p12 file, e.g., faz.dhcp.fnal.gov.p12. Make sure you protect this file. Remember your password!
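As an added example (not from the original page and not Fermilab's own tooling), the POSIX shell script below wraps the conversion above with the checks a careful administrator does before and after the export: it confirms the PEM file holds both the certificate and the private key, confirms the certificate is actually issued to the host name you pass, reads the export password from an environment variable named P12_PASS (an assumption of this script; the `-passout pass:` form in the command above leaves the password visible in the process list and in your shell history), restricts the resulting .p12 file to its owner, and re-opens the file with the same password to prove the export is usable. The demo at the bottom generates a self-signed test certificate (constructed for the demo, not a DOEGrids certificate) so the script can be exercised without a real host certificate.

```shell
#!/bin/sh
# Added example: convert a PEM file (certificate + private key) to PKCS#12 for
# IIS, with sanity checks. Assumes openssl is on PATH, the PEM holds both the
# certificate and an unencrypted private key, and the export password is in
# the environment variable P12_PASS (hypothetical name chosen for this script).
set -u

# pem_has_cert_and_key FILE -> succeeds if FILE contains a certificate and a key.
pem_has_cert_and_key() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# cert_matches_host PEMFILE HOST -> succeeds if HOST is the subject CN or a DNS SAN.
# (openssl x509 reads the first CERTIFICATE block and ignores the key block.)
cert_matches_host() {
    pem=$1; host=$2
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')   # make dots literal in the regex
    openssl x509 -in "$pem" -noout -text 2>/dev/null |
        grep -Eq "CN ?= ?${esc}(,|\$)|DNS:${esc}(,|\$)"
}

# pem_to_p12 PEMFILE OUTFILE HOST
# Exports OUTFILE, restricts its permissions, then re-opens it with the same
# password. Any failure returns non-zero with a message on stderr.
pem_to_p12() {
    pem=$1; out=$2; host=$3
    if [ -z "${P12_PASS:-}" ]; then
        echo "pem_to_p12: set P12_PASS to the export password" >&2; return 1
    fi
    if ! pem_has_cert_and_key "$pem"; then
        echo "pem_to_p12: $pem must hold both the certificate and the private key" >&2; return 1
    fi
    if ! cert_matches_host "$pem" "$host"; then
        echo "pem_to_p12: certificate in $pem is not issued to $host" >&2; return 1
    fi
    export P12_PASS
    # env:P12_PASS tells openssl to read the password from the environment,
    # so it never appears in the command line or shell history.
    openssl pkcs12 -export -in "$pem" -out "$out" -name "$host" \
        -passout env:P12_PASS || return 1
    chmod 600 "$out"            # the .p12 contains the private key: owner-only
    # Round-trip check: the file parses and the password unlocks it.
    openssl pkcs12 -in "$out" -noout -passin env:P12_PASS
}

# make_demo_pem OUTFILE HOST: constructed self-signed sample (NOT a DOEGrids
# certificate) so the script can be run without a real host certificate.
make_demo_pem() {
    out=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${host}" \
        -keyout "$out" -out "$out.crt" 2>/dev/null &&
        cat "$out.crt" >> "$out" && rm -f "$out.crt"
}

# Demonstration in a scratch directory using the host name from the page.
demo() {
    dir=$(mktemp -d) || return 1
    host=faz.dhcp.fnal.gov
    make_demo_pem "$dir/$host.pem" "$host" || { rm -rf "$dir"; return 1; }
    P12_PASS='demo-password-change-me' pem_to_p12 "$dir/$host.pem" "$dir/$host.p12" "$host"
    status=$?
    rm -rf "$dir"
    return $status
}
demo && echo "PKCS#12 export and round-trip check succeeded"
```

For a real certificate, source the script and run `P12_PASS='...' pem_to_p12 faz.dhcp.fnal.gov.pem faz.dhcp.fnal.gov.p12 faz.dhcp.fnal.gov`. One caveat worth knowing: OpenSSL 3 writes PKCS#12 files with AES-256-CBC and PBKDF2 by default, and older Windows releases cannot import that encoding; if the import wizard rejects the file, re-export with OpenSSL 3's `-legacy` option, which produces the older RC2/3DES encoding those releases understand.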
Import certificate into IIS server on Windows
- Open the Microsoft Management Console (MMC) and add the Certificates snap-in.
- Choose the 'Computer Account' radio button to manage the local computer certificate store. Click Next.
- Choose either the local computer or the remote computer where the certificate will be installed.
- Click Finish.
- Navigate to the Certificates (Local Computer) \ Personal \ Certificates folder.
- Right click in the right side pane and select All Tasks \ Import.
- This will start the import wizard. Click the Next button.
- Browse for the .p12 file you created above (e.g., faz.dhcp.fnal.gov.p12). When you browse for the file, be sure you change the 'Files of type' drop down list from X.509 Certificate (*.cer, *.crt) to Personal Information Exchange (*.pfx, *.p12).
- If you entered a password to protect the PKCS #12 file (when you ran the openssl command, above, to convert the file to PKCS#12 format), enter it here. Click Next.
- Ensure the certificate will be imported into your Personal store. Browse for Personal. Click Next.
- Check the information, then click Finish to complete the import.
- Your certificate is now imported and available for IIS to use. (Shown in the following image as "faz.dhcp.fnal.gov".)
Now you need to configure your certificate properties.
Configure your certificate properties
- Go to your IIS service manager. Navigate to your web site, right click and select Properties.
- Select the Directory Security tab and click on the Server Certificate button.
- This will start the IIS Certificate wizard. Click the Next button.
- Select the 'Assign an existing certificate' radio button. Click Next.
- You should see the DOEGrids certificate you imported via the Certificate Manager MMC snap-in. Select it and click the Next button.
- You will be presented with the certificate details. If everything is fine, click the Next button.
Enable SSL Protection on a web site
- Back at your IIS manager, right click on the directory you wish to protect via SSL (this can be either the root of your web site or just a specific directory). Select Properties.
- Select the 'Directory Security' tab and click the 'Edit' button in the 'Secure Communications' section.
- Check the 'Require secure channel (SSL)' checkbox. Optionally, you can also force clients to use 128-bit encryption. Select the 'Require client certificates' radio button in the client certificates section if you (or a web author using your server) wish to require clients to present a DOEGrids or KCA certificate. If you only want to use SSL without client authentication, select the 'Ignore client certificates' radio button (this is the default).
- Click the OK buttons. The directory to which you assigned the certificate should now be using SSL.
If you wish to accept KCA or DOEGrids client certificates (that is, if you clicked accept or require client certs), you'll need to configure that. Please see the Certificate Authentication with IIS documentation.