Microsoft Internet Information Services

CORE can be integrated with Microsoft Internet Information Services ("IIS"- https://www.iis.net/).

The following sections describe how to issue a web server certificate using a key pair generated and secured with CORE.

Prerequisites

You need the following prerequisites for integration with CORE:

  • Microsoft IIS version 8.0.
  • For UKC client software release 1901 and earlier:
    Copy ekmpkcs11.dll, ssleay32.dll, libeay32.dll from the CORE installation folder to the system32 directory.

Create the Certificate Authority

After installing CORE, create a new CA. Setting up the CA involves installing the CA feature and configuring it. Information about how to do this task can be found here:

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority

If there is an existing CA, use the following instructions to migrate it for use with CORE:

  1. Back up the CA private key.
    For instructions, see https://support.microsoft.com/en-us/help/298138/how-to-move-a-certification-authority-to-another-server, in the section Windows Server 2003 > Step 2: Use the Certification Authority snap-in to back up the CA database and private key.
  2. Back up the rest of the CA configuration.
  3. Import the pfx to CORE.
  4. Reinstall the CA.
  5. Choose the certificate that has a corresponding private key in CORE.
    1. If the re-installation is done on a new server, first run ucl sync-cert -local.
  6. Restore the rest of the CA configuration.

Set up the SSL Certificate

You can either import an existing SSL certificate or you can create a new certificate.

Option 1: Import a certificate into CORE

If you already have a certificate, use the following procedure to import it into CORE:

  1. Back up the CA private key, as follows:
    1. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
    2. Click Next, and then click Private key and CA certificate.
    3. Click Certificate database and certificate database log.
    4. Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
    5. Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
    6. Type and then confirm a password for the CA private key backup file.
    7. Click Next, and then verify the backup settings. The following settings should be displayed:
      • Private Key and CA Certificate
      • Issued Log and Pending Requests
    8. Click Finish.
  2. Back up the rest of the CA configuration.
  3. Import the .pfx file to CORE.
  4. Reinstall the CA.
  5. Choose the certificate that has a corresponding private key in CORE.
    1. If the re-installation is done on a new server, first run ucl sync-cert -local.
  6. Restore the rest of the CA configuration.

Option 2: Create a new certificate

Create an Unbound KSP “Web Server” Certificate Template

To issue a certificate using Unbound as the key provider, you first need to create a duplicate of the Web Server certificate template.

  1. Open the Certification Authority snap-in.
  2. Right-click on Certificate templates and then click Manage.
  3. Right-click on Web Server and choose Duplicate Template.
  4. In the Compatibility tab, set the following values:
    1. Certification Authority: Windows Server 2008
    2. Certificate recipient: Windows Vista / Server 2008

    Accept the “resulting changes” message, if prompted.

  5. In the Cryptography tab, set the following values:
    1. Provider Category: Key Storage Provider
    2. Under “Choose which cryptographic providers can be used for requests”, select “Requests must use one of the following providers”.
    3. In the Providers list, select only Dyadic Security Key Storage Provider.
    4. In the Request hash, choose SHA256.

  6. In the General tab, under Template Name, set the name to Unbound Web Server.
  7. In the Security tab, add the machine hostname you are working on, and select Allow under the Enroll permission.
  8. Click OK to save the new certificate template.
  9. Go back to the Certification Authority snap-in, right-click on Certificate Templates, click New > Certificate Template to Issue.
  10. Choose Unbound Web Server and click OK.

Create a Web Server Certificate

Use the following procedure to create the SSL certificate for IIS:

  1. Open MMC and add the Certificates snap-in for Computer account.
  2. Expand Personal > Certificates.
  3. Right-click on Certificates and select Request New Certificate.
  4. In the Select Certificate Enrollment Policy, click Next.
  5. Check the Unbound Web Server certificate template and click on More information is required to enroll this certificate. Click here to configure settings.
  6. Under Subject name choose Common name as the type and enter the name of the certificate you would like to create (For example, www.mydomainname.com). Then click Add and OK.
  7. Click Enroll.
  8. Click Finish.

The SSL certificate and private key are generated and secured in the CORE system.

Choose the Certificate

To bind the CORE-protected certificate to the IIS web site:

  1. Open the IIS snap-in and expand the server node. Choose Sites. Choose the web site you wish to protect (By default, it is “Default Web Site”).
  2. In the right pane, under Actions, click Bindings…
  3. Click Add and set the binding as follows:
    1. Type: HTTPS.
    2. Hostname: The CORE server DNS hostname (which is the same hostname as configured on the certificate).
    3. SSL Certificate: Choose the created certificate.
  4. Click OK and close.
  5. Open SSL Settings.
  6. Select Require SSL.
  7. Click Apply.

The web site is now configured for SSL, using a certificate and key protected by CORE.

Run the Solution

Verify the SSL installation and inspect the signing events:

  1. Make sure that the server hostname resolves to the IIS server IP address in your DNS server by browsing to the IIS web site, for example:
     https://www.mydomainname.com
  2. Inspect the SSL signing events in the CORE event log, which can be found here:
     C:\Program Files\Dyadic\ekm\tomcat\logs\ekm.log
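A post-configuration check, added here and not part of the Unbound documentation, that confirms from the IIS server the three properties the procedure above establishes: the site's HTTPS binding references an enrolled certificate, that certificate's private key is held by the Dyadic Security Key Storage Provider rather than a software provider, and Require SSL is enabled. It assumes the WebAdministration PowerShell module, the site name “Default Web Site” and the certificate in the local machine Personal store; change the two variables at the top if your setup differs.

```powershell
# Added verification script (not part of the Unbound documentation or product).
# Assumptions: WebAdministration module available, site name and KSP name as below.
Import-Module WebAdministration

$siteName    = 'Default Web Site'                       # site protected in "Choose the Certificate"
$expectedKsp = 'Dyadic Security Key Storage Provider'   # provider the template restricts requests to

# 1. Locate the site's HTTPS binding and the certificate it references.
$binding = Get-WebBinding -Name $siteName -Protocol 'https'
if (-not $binding) { throw "No HTTPS binding found on site '$siteName'" }
$thumbprint = $binding.certificateHash
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
"Bound certificate: $($cert.Subject) (thumbprint $thumbprint)"

# 2. Confirm the private key is a CNG key owned by the CORE KSP, not a software CSP/KSP.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw 'Private key is not a CNG key, so it was not generated through a Key Storage Provider'
}
$provider = $rsa.Key.Provider.Provider
if ($provider -ne $expectedKsp) {
    throw "Private key is held by '$provider', expected '$expectedKsp'"
}
"Private key provider: $provider"

# 3. Confirm "Require SSL" is enabled: the sslFlags attribute must contain 'Ssl'.
$raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
$sslFlags = if ($raw.PSObject.Properties['Value']) { "$($raw.Value)" } else { "$raw" }
if ($sslFlags -notmatch 'Ssl') {
    throw "Require SSL is not enabled on '$siteName' (sslFlags='$sslFlags')"
}
"Require SSL: enabled (sslFlags=$sslFlags)"
```

Run it in an elevated PowerShell session on the IIS server; any failed check throws with the value it found, so the script can be dropped into a scheduled compliance job.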