Setting up Certification Authority on WinServer2003 and configuring IIS SSL

I'm a .net developer and I'm currently working on moving the asp.net project from http to https.

I have worked my way through a few tutorials and I'm wondering whether I have missed anything out.

So far:

I have installed and configured CA on the server. CA service is running fine but I'm not entirely sure whether it needs to be accessible from outside? I have a localhost/certsrv running to submit the certificate requests. Later I log onto the server and confirm/deny the requests.

On the same server I have configured IIS. Confirmed the certificate that was generated by the CA service. Enabled anonymous authentication and set the password to be sent in clear text.

I'm not 100% on how the certificate works. Do I understand this correctly?

  1. I log onto the website: https\someaddress.domain\site
  2. There is a certificate that's associated with this website so the window comes up stating that this is an unknown certificate.
  3. I confirm that I want to view the website and the browser takes me onto that website.

How does this improve the security when I transfer data between browser and the web server?


Solution 1:

You have it right. The problem with a self-signed certificate is that it's not a signing authority that's included in your trusted root by default (hence the message that it's not a known provider). For some people, this isn't an issue (OWA comes to mind). However for businesses to conduct transactions on the web, you'll want one from a known authority (Verisign, GeoTrust, etc.) so that an HTTPS connection just happens and the user isn't prompted to make it happen.

As for improving security, hell yeah it does. It encrypts the traffic from the user's browser to your server.

The CA does not have to be seen from the outside.

There are some things to remember also with self-signed certs. Because the browser asks for permission every time you visit the site (unless you install it in the root), it's fairly easy to lull your users into a false sense of security. What I mean is that because they'll get that message each time they visit your site, doing a little ARP poisoning and publishing a fake certificate is fairly easy, and at that point your "encrypted" connection is owned.
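As an added example (not part of the question or the answer above), here is a PowerShell function that performs the same check the browser does at step 2: it builds the certificate's chain against this machine's Trusted Root store and reports whether the root is trusted and whether the certificate is self-signed. It assumes PowerShell 2.0 or later on the IIS server and a certificate exported to a file; the path is a placeholder.

```powershell
# Added example, not code from the original post. Reports whether a certificate
# chains to a trusted root on this machine, which is exactly what produces the
# "unknown certificate" prompt described in the question when it does not.
function Test-CertificateTrust {
    param([Parameter(Mandatory = $true)][string]$CertPath)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Skip CRL lookups so the result reflects trust only, not CRL reachability
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    # Build() returns $false when any element fails policy; UntrustedRoot is the
    # status a self-signed or private-CA certificate gets until its root is
    # installed in the Trusted Root Certification Authorities store.
    $trusted = $chain.Build($cert)
    $status  = @()
    foreach ($s in $chain.ChainStatus) { $status += $s.Status.ToString() }

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint        # compare this against what the browser shows
        NotAfter    = $cert.NotAfter
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        Trusted     = $trusted
        ChainStatus = ($status -join ', ')
    }
}

# Placeholder path; export the site certificate from the IIS binding first.
Test-CertificateTrust -CertPath 'C:\temp\site.cer' | Format-List
```

If `Trusted` is `False` with `UntrustedRoot` in `ChainStatus`, users will keep seeing the prompt; for an internal audience the fix is to distribute the CA's root certificate to their machines rather than training them to click through, and for the public the answer's advice to buy from a known authority applies.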