Hello then. In the episode “Configure permissions Domain Computers on the Web Server certificate template for IIS Enrollment app Subordinate Enterprise CA,” we spent a while with Certificate Templates, requesting a Web Server certificate with further additional details. That may raise security concerns (a form of impersonation); however, it is what allows a custom SAN to be used.
Now we will see in action how to implement HTTPS (SSL) for our Web Enrollment ASPX app on the Subordinate Enterprise CA.
When the Certification Authority Web Enrollment role service of the Active Directory Certificate Services role was installed, IIS was installed automatically along with it.
[00:12] “Secure IIS Web Server” -- eventtracker.com
[00:22] Open up Internet Information Services (IIS) Manager console, navigate through Connections, Sites, Default Web Site, CertSrv.
However, there are two further small steps to harden the web app: Site Bindings and Require SSL.
You should be aware that security installations demand careful attention to the kinds of details I will mention later.
The Edit Site Bindings menu resides in the Actions section of the right panel.
Type: https, IP address: All Unassigned, Port: 443. The SSL certificate selected in this binding is shared by the subdirectories CertEnroll and CertSrv too.
Make sure you select the Web Server certificate that contains the Server Authentication object identifier (OID) 1.3.6.1.5.5.7.3.1.
That’s why the certificate’s friendly name is important.
[00:44] You should verify Certificate Information through the View menu.
Remember that IIS has its own Server Certificates utility.
Use this feature to request and manage certificates that the Web server can use with websites configured for SSL.
Complete Certificate Request…
Create Domain Certificate…
Create a Self-Signed Certificate…
[00:53] “How to create a CSR on Windows Server 2012 -- IIS 8 and Windows Server 2012 R2 -- IIS 8.5” -- digicert.com
[00:57] Now, the CA and clients can communicate through a secure channel of the Web Enrollment app.
However, the normal channel still gets exposed, because HTTP is used by default.
Since we want a secure Web server, we’ll force users to use SSL when connecting to the site. SSL will encrypt the user credentials and data moving between the Web client and the Web server. We will also force Integrated authentication, which is more secure than basic authentication. However, the type of authentication used is not so important in this scenario, since the user credentials are protected by SSL.
Fortunately, we can force clients to use HTTPS; plain HTTP requests are then refused with a 403 Forbidden error. Select the CertSrv app, SSL Settings, Require SSL.
(This page lets you modify the SSL settings for the content of a Web site or application.)
Then do Apply at the Actions section to see “The changes have been successfully saved.”
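The same two steps (the https Site Binding with the Server Authentication certificate, then Require SSL on CertSrv) can be scripted and verified. This is an added example, not from the video; it assumes the WebAdministration module on the Subordinate CA, a certificate in LocalMachine\My, and placeholder values for the friendly name and host name.

```powershell
# Added example: bind HTTPS on Default Web Site with the Web Server certificate,
# force SSL on the CertSrv app, then confirm plain HTTP is refused.
# Assumptions: WebAdministration module (IIS on Windows Server), cert in
# LocalMachine\My; $friendlyName and $hostName are placeholders.
Import-Module WebAdministration

$friendlyName  = 'WebEnroll-SubCA'       # placeholder: friendly name set at enrollment
$hostName      = 'subca.example.local'   # placeholder: FQDN present in the cert's SAN
$site          = 'Default Web Site'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU

# Pick the certificate by friendly name, but only if it carries Server Authentication.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.FriendlyName -eq $friendlyName -and
    ($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $serverAuthOid
} | Select-Object -First 1
if (-not $cert) { throw "No certificate '$friendlyName' with EKU $serverAuthOid in LocalMachine\My" }

# Site binding: https, All Unassigned, port 443 (shared by CertSrv and CertEnroll).
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
# Attach the certificate to the 0.0.0.0:443 SSL binding.
if (Test-Path IIS:\SslBindings\0.0.0.0!443) { Remove-Item IIS:\SslBindings\0.0.0.0!443 }
New-Item IIS:\SslBindings\0.0.0.0!443 -Value $cert | Out-Null

# Require SSL on the CertSrv application (SSL Settings > Require SSL in the console).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\CertSrv" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Verify: plain HTTP must now come back as 403 (sub-status 403.4, SSL required).
try {
    Invoke-WebRequest -Uri "http://$hostName/certsrv/" -UseDefaultCredentials -UseBasicParsing | Out-Null
    Write-Warning 'HTTP was still accepted; Require SSL is not in effect.'
} catch [System.Net.WebException] {
    if ($_.Exception.Response) {
        $code = [int]$_.Exception.Response.StatusCode
        if ($code -eq 403) { 'HTTP refused with 403 as expected' } else { "Unexpected status $code" }
    } else { throw }
}
```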
[01:13] “Using Client Certificate Authentication with IIS 6.0 Web Sites” -- windowsecurity.com
[01:35] Alternatively, we can use the IIS URL Rewrite module to redirect clients’ browsers to HTTPS, though PKI transactions themselves require advanced users, so this is just an option.
[01:28] “IIS7 Redirect HTTP to HTTPS” -- sslshopper.com
[01:48] Trivial HTTP is no longer available.
403 -- Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
[01:39] “IIS7.5: Is there a way to use Require SSL and URL Rewrite Module together for https?” -- stackoverflow.com
[01:56] If you choose to use additional client authentication, security errors may happen; you can look them up here:
[01:56] “‘403.7 Forbidden: Client Certificate Required’ error when you open an IIS webpage” -- support.microsoft.com
Ok then, our Web Enrollment is ready to be accessed securely.
Select a task:
Request a certificate.
View the status of a pending certificate request.
Download a CA certificate, certificate chain or CRL.
[01:59] “Issues With SSL Settings Inside IIS 7.5 Manager Console” -- forums.iis.net
[02:11] We now have a secure PKI issuance medium that we can leverage to demonstrate further EFS usages of certificates in the next part.
Microsoft Active Directory Certificate Services
Use this Web site to request a certificate for your Web browser, e-mail client, or other program. By using a certificate, you can verify your identity to people you communicate with over the Web, sign and encrypt messages, and, depending upon the type of certificate you request, perform other security tasks.
You can also use this Web site to download a certificate authority (CA) certificate, certificate chain, or certificate revocation list (CRL), or to view the status of a pending request.