SSL enables browsers to communicate with a web server over a secure channel that prevents eavesdropping, tampering and message forgery. You should always use SSL for login pages where users enter usernames and passwords, as well as for all other sensitive pages on a site (for example, account pages that show financial or personal information).
Configuring SSL on Windows with previous versions of IIS has been a pain. Figuring out how to install and manage a certificate, and then associate it with a web site, is something I bet most web developers don't know how to do.
The good news is that IIS 7.0 makes it radically easier to configure and enable SSL. IIS 7.0 also has built-in support for creating "Self-Signed Certificates", which lets you easily create test/personal certificates that you can use to quickly SSL-enable a site for development or test purposes.
Using IIS 7.0 you can SSL-enable an existing web site in under 30 seconds. The tutorial below demonstrates how to do this.
Step 1: Create a new website
We'll start by creating a new web site using the new IIS 7.0 admin tool. This admin tool is a complete rewrite of the previous IIS admin tool (written entirely in managed code using Windows Forms) and provides a more logical organization of web features. It provides a GUI admin experience for all ASP.NET and IIS settings:
Figure 1: IIS 7.0
To create a new site on the box, right-click the Web Sites node in the left-hand tree view pane and select the Add Web Site context menu option. Enter the appropriate details to create a new web site:
Figure 2: Add Web Site
One nice feature of IIS 7.0 on Windows Vista is that you can now have an unlimited number of sites on a box (previous versions of IIS on Windows client editions only allowed 1 site). The 10-simultaneous-request limitation of IIS on Windows client editions also no longer exists with IIS 7.0.
Once we've completed the above steps, we have a brand new site running on our IIS web server.
Step 2: Create a new self-signed certificate
Before binding SSL rules to our new site, we first need to import and set up a security certificate to use with the SSL binding.
Certificates are managed in IIS 7.0 by clicking the root machine node in the left-hand tree view, and then selecting the Server Certificates icon in the feature pane on the right:
Figure 3: Manage certificates
This lists all certificates registered on the machine, and lets you import and/or create new ones.
I could go to a certificate authority like Verisign and purchase a certificate to import using this admin UI. Alternatively, I can create a self-signed certificate, which is a test certificate that I can use during the development and testing of my site (browsers will not trust it, because no certificate authority vouches for it). To do so, click on the Create Self-Signed Certificate link on the right-hand side of the admin tool:
Figure 4: Click on the Create Self-Signed Certificate link
Enter a name to use for the certificate (for example: test) and click the OK button. IIS 7.0 will then automatically create a new self-signed certificate for you and register it on the machine:
Figure 5: Server Certificates
Step 3: Enable HTTPS bindings for our new site
To SSL-enable the web site we created previously, select the web site node in the left-hand tree view, and then click on the Bindings link in the Actions pane on the right-hand side of the screen:
Figure 6: Click on the Bindings-link
This brings up a dialog that lists all of the binding rules that direct traffic to this site (meaning the host header/IP address/port combinations for the site):
Figure 7: Web Site Binding dialog
To enable SSL for the site, click on the Add button. This brings up an add binding dialog that we can use to add HTTPS protocol support. We select the self-signed certificate we created earlier from the SSL certificate drop-down list in the dialog, and in doing so indicate that we want to use that certificate when encrypting content over SSL:
Figure 8: Add Web Site Binding dialog
Click on the OK button, and we now have SSL enabled for our site:
Figure 9: SSL enabled
Step 4: Test the website
Add a default.aspx page to the site, and then try to load it in the browser by typing https://localhost/default.aspx (note the use of "https" instead of "http" to indicate that you want to connect over SSL).
If you are using Internet Explorer (IE) 7, you may see this anti-phishing error message:
Figure 10: Anti-phishing error message
Don't panic if this happens - it simply indicates that IE is trying to be helpful by pointing out that a self-signed certificate on your local machine looks suspicious, since it was not issued by a certificate authority the browser trusts.
Click the Continue to this website link to bypass this security warning and proceed to the site. You'll find that your default.aspx page is now served over SSL:
Figure 11: The result
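For readers who prefer to script the four steps above, the following PowerShell is an added example (not from the original post or from IIS itself). It assumes an elevated PowerShell on a machine with IIS and the WebAdministration module, and uses New-SelfSignedCertificate and Invoke-WebRequest, which ship with later Windows versions than the IIS 7.0 / Vista setup shown in the screenshots; the site name and folder are assumed.

```powershell
# Added example: scripted equivalent of Steps 1-4 of the tutorial above.
# Assumptions: elevated PowerShell, IIS with the WebAdministration module,
# New-SelfSignedCertificate and Invoke-WebRequest available (Windows 8 /
# Server 2012 or later). Site name and folder are made up for the example.
Import-Module WebAdministration

$siteName = 'TestSite'                 # assumed name for the site from Step 1
$sitePath = 'C:\inetpub\TestSite'      # assumed content folder
$hostName = 'localhost'

# Step 1: create the site with a plain HTTP binding. Port 8080 is used so the
# new site does not collide with a Default Web Site already listening on 80.
New-Item -ItemType Directory -Path $sitePath -Force | Out-Null
New-Website -Name $siteName -PhysicalPath $sitePath -Port 8080 | Out-Null

# Step 2: create a self-signed certificate in the machine's Personal store,
# which is the store the "Server Certificates" feature lists.
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My'

# A self-signed certificate is its own issuer. That is exactly why the browser
# warns in Step 4: nothing in the Trusted Root store vouches for it.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Host "Self-signed test certificate created, thumbprint $($cert.Thumbprint)"
}

# Step 3: add the HTTPS binding on port 443 and attach the certificate to it.
New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# Step 4: request the page over HTTPS. With only a self-signed certificate the
# client's certificate check rejects the connection, which is the scripted
# counterpart of the IE warning shown in Figure 10. The request also fails
# with a 404 if default.aspx has not been added to the folder yet.
try {
    Invoke-WebRequest -Uri "https://$hostName/default.aspx" -UseBasicParsing | Out-Null
    Write-Host 'Certificate trusted: the page loaded over SSL.'
} catch {
    Write-Host "Expected for a self-signed certificate: $($_.Exception.Message)"
}
```

Placing the test certificate in the machine's Trusted Root store on the development box is what makes the browser (and Invoke-WebRequest) stop warning; that is appropriate only for a local test certificate, never as a substitute for a CA-issued one on a real site.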
Well done! :) That’s it! We appreciate your feedback! Please share your thoughts by sending an email to email@example.com.
Appendix: A Few Last SSL Notes by Scott Guthrie
A few last SSL-related notes:
For more information on IIS 7.0, please read my earlier IIS 7.0 overview blog post. Also make sure to check out the www.iis.net website.
To read more of my Tips and Tricks blog posts, please visit my Tips and Tricks Summary Page.