IIS

Setting up one way TLS with a Self-Signed Server Certificate on Windows (IIS)

A self-signed server certificate should be used for test purposes only.

This procedure generates a self-signed certificate that does not originate from a generally trusted source; therefore, you should not use this certificate to help secure data transfers between Internet clients and your server.

Create the Self-Signed Certificate

  • Open IIS Manager on your Web Server and select the server node in the Connections pane (Server Certificates is a server-level feature, not a per-site one).
  • In Features view, double-click Server Certificates.
  • In the Actions pane, click Create Self-Signed Certificate.
  • On the Create Self-Signed Certificate page, type a friendly name for the certificate in the Specify a friendly name for the certificate box, and then click OK.

You now have a Self-Signed Server Certificate that you can use.

Turn on SSL

  • Open IIS Manager on your Web Server and navigate to the Website you want to manage. Click on the Bindings item in the Actions menu.
  • Click Add
  • Select the Type to be https
  • Select the Self-Signed Certificate you created.

Setting up one way TLS with a trusted TLS certificate on Windows (IIS)

A TLS certificate issued by a commercial Certificate Authority lets the web server encrypt its traffic and, because visitors' browsers already trust the issuing CA, also lets visitors verify the server's identity.
There are various Certificate Authority companies where you can request and obtain a trusted TLS certificate for use on your web server.

Once you have requested, purchased and downloaded your trusted TLS certificate from a Commercial Certificate Authority, you will need to do the following. The Import action expects a PFX (PKCS#12) file containing both the certificate and its private key; if the CA returned only a certificate for a request generated in IIS, use Complete Certificate Request instead of Import.

Install the TLS Certificate

  • Open Internet Information Services (IIS) Manager
  • Navigate to the server you are configuring
  • Open Server Certificates
  • Click on Import
  • Enter the certificate file and password and press OK

Turn on SSL

  • Navigate to Sites -> Your Website
  • Click on the Bindings item in the Actions menu
  • Click Add
  • Select the Type to be https
  • Select the TLS Certificate to be the certificate you acquired.
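The two procedures above (a self-signed certificate for test systems, a CA-issued PFX for production) differ only in where the certificate comes from; the HTTPS binding is the same. The following PowerShell script is an added example, not part of the RapID documentation or product: it creates or imports the certificate in the Local Machine store and binds it to port 443. The site name "Default Web Site", the host name "www.example.test" and the path C:\certs\server.pfx are assumptions.

```powershell
# Added example; not part of the RapID documentation or product.
# Creates (test) or imports (production) the server certificate and binds it to
# HTTPS on port 443 of an IIS site. Assumed names: site "Default Web Site",
# host name "www.example.test", PFX at C:\certs\server.pfx.
# Run from an elevated PowerShell session on the web server.
Import-Module WebAdministration

function New-TestServerCertificate {
    param([Parameter(Mandatory)][string]$DnsName)
    # Self-signed, so clients will not trust it: test use only.
    # A short lifetime limits the damage if it is forgotten on a server.
    New-SelfSignedCertificate -DnsName $DnsName `
        -CertStoreLocation Cert:\LocalMachine\My `
        -FriendlyName "IIS test certificate for $DnsName" `
        -NotAfter (Get-Date).AddDays(90)
}

function Import-ServerCertificate {
    param([Parameter(Mandatory)][string]$PfxPath,
          [Parameter(Mandatory)][securestring]$Password)
    # PFX from a commercial CA (certificate plus private key). -Exportable is
    # deliberately omitted so the key cannot be copied back out of the store.
    Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\LocalMachine\My -Password $Password
}

function Set-HttpsBinding {
    param([Parameter(Mandatory)][string]$SiteName,
          [Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [int]$Port = 443)
    # Equivalent of Bindings -> Add -> https in IIS Manager.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port
    }
    # Map the certificate to the HTTP.sys endpoint; 0.0.0.0!443 means all addresses.
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    New-Item -Path $sslPath -Value $Certificate | Out-Null
}

function Show-HttpsBinding {
    param([int]$Port = 443)
    # HTTP.sys must report the hash of the certificate that was just bound.
    netsh http show sslcert "ipport=0.0.0.0:$Port"
}

# Test deployment: self-signed certificate
$cert = New-TestServerCertificate -DnsName "www.example.test"
# Production: use the CA-issued PFX instead
# $cert = Import-ServerCertificate -PfxPath "C:\certs\server.pfx" `
#             -Password (Read-Host "PFX password" -AsSecureString)

Set-HttpsBinding -SiteName "Default Web Site" -Certificate $cert
Show-HttpsBinding
```

The final `netsh http show sslcert` call is the check worth keeping: the Certificate Hash it prints must equal the thumbprint of `$cert`, otherwise IIS Manager may show a binding that HTTP.sys is not actually serving.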

Setting up two way TLS on Windows (IIS)

Download the trusted issuer certificate file from your RapID Customer Dashboard to a location on your webserver.

Open the trusted issuer certificate file and click on Install Certificate. Choose Place in the following store and select the Trusted Root Certification Authorities store.

Re-open the trusted issuer certificate file and click on Install Certificate. Choose Place in the following store and select the Client Authentication Issuers store.

Now configure the HTTPS binding using cmd or PowerShell on the server so that HTTP.sys only accepts client certificates issued by a CA in the Client Authentication Issuers store. An existing binding cannot be edited in place: delete it and re-create it with the sslctlstorename option.

  1. netsh http show sslcert
     Copy the Certificate Hash and Application ID of the server SSL certificate; you need them in step 3. If the site is bound to a specific IP address or host name, use the IP:port (or hostname:port) shown here in steps 2 and 3 instead of 0.0.0.0:443.
  2. netsh http delete sslcert ipport=0.0.0.0:443
  3. netsh http add sslcert ipport=0.0.0.0:443 certhash=f27cc86a95570505dd5cffcbd670e65091f14620 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlstorename=ClientAuthIssuer
     (Substitute the hash and Application ID from step 1; the values shown are examples.)
  4. iisreset

Configure protected URLs

  • Open Internet Information Services (IIS) Manager
  • Navigate to Sites -> Your Website
  • Select the directory that should be protected
  • Open SSL Settings in the features view
  • Enable Require SSL and, under Client certificates, select Require.
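The whole two way TLS procedure above (issuer certificate into both stores, binding re-created with the ClientAuthIssuer CTL store, client certificates required on a directory) can be scripted so that the hash and Application ID are read from HTTP.sys rather than copied by hand. This PowerShell script is an added example, not part of the RapID documentation or product; the issuer file path C:\certs\rapid-issuer.cer, the site "Default Web Site" and the directory "secure" are assumptions, and the netsh labels it parses are those of an English Windows install.

```powershell
# Added example; not part of the RapID documentation or product.
# Installs the issuer certificate, moves the HTTP.sys binding to the
# ClientAuthIssuer CTL store and requires client certificates on one directory.
# Assumed names: issuer file C:\certs\rapid-issuer.cer, site "Default Web Site",
# protected directory "secure". Run from an elevated PowerShell session.
Import-Module WebAdministration

function Install-ClientIssuer {
    param([Parameter(Mandatory)][string]$IssuerPath)
    # Root: lets the client certificate chain validate.
    # ClientAuthIssuer: HTTP.sys advertises only these CAs in its CertificateRequest
    # and rejects client certificates that do not chain to one of them.
    foreach ($store in 'Root', 'ClientAuthIssuer') {
        Import-Certificate -FilePath $IssuerPath `
            -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
    }
}

function Get-SslCertBinding {
    param([string]$IpPort = '0.0.0.0:443')
    # Step 1: read the hash and Application ID from HTTP.sys (English labels assumed).
    $text = (netsh http show sslcert "ipport=$IpPort") -join "`n"
    if ($text -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { $hash = $Matches[1] }
    else { throw "No SSL binding found on $IpPort" }
    if ($text -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') { $appId = $Matches[1] }
    else { throw "No Application ID found for $IpPort" }
    [pscustomobject]@{ IpPort = $IpPort; CertHash = $hash; AppId = $appId }
}

function Set-ClientAuthIssuerBinding {
    param([Parameter(Mandatory)][pscustomobject]$Binding)
    # Steps 2 and 3: delete and re-add with the CTL store set. Arguments are
    # quoted so PowerShell passes the {guid} to netsh literally.
    netsh http delete sslcert "ipport=$($Binding.IpPort)" | Out-Null
    netsh http add sslcert "ipport=$($Binding.IpPort)" `
        "certhash=$($Binding.CertHash)" "appid=$($Binding.AppId)" `
        sslctlstorename=ClientAuthIssuer | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh http add sslcert failed; the site currently has no HTTPS binding"
    }
    # Check before restarting IIS: the binding must now reference the CTL store.
    $after = (netsh http show sslcert "ipport=$($Binding.IpPort)") -join "`n"
    if ($after -notmatch 'Ctl Store Name\s*:\s*ClientAuthIssuer') {
        throw "Binding on $($Binding.IpPort) was not re-created with sslctlstorename=ClientAuthIssuer"
    }
}

function Protect-Directory {
    param([Parameter(Mandatory)][string]$SiteName,
          [Parameter(Mandatory)][string]$Directory)
    # Same effect as SSL Settings -> Require SSL plus Client certificates: Require.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$SiteName/$Directory" `
        -Filter 'system.webServer/security/access' `
        -Name sslFlags -Value 'Ssl,SslRequireCert'
}

Install-ClientIssuer -IssuerPath 'C:\certs\rapid-issuer.cer'
$binding = Get-SslCertBinding -IpPort '0.0.0.0:443'
Set-ClientAuthIssuerBinding -Binding $binding
iisreset | Out-Null                              # step 4
Protect-Directory -SiteName 'Default Web Site' -Directory 'secure'
```

If `netsh http show sslcert` lists the site under a specific IP:port or a hostname:port (SNI binding) rather than 0.0.0.0:443, pass that value to `Get-SslCertBinding`; for a hostname binding the delete and add commands take `hostnameport=` and `certstorename=MY` instead of `ipport=`, which this script does not handle.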

Securing your Service authentication certificate on Windows

Although your Service authentication certificate can be placed in a secure file location, we highly recommend importing it into the Local Machine certificate store on the server, so that the private key is held by Windows rather than lying in a file on disk.

  • Download your service authentication certificate (you will need to choose a password for the certificate) from your RapID Customer Dashboard to a location on your web server.
  • Right click on the Service authentication certificate file and click on Install PFX.
  • On the Certificate Import Wizard select Local Machine and click Next.
  • Select the file name of the Service authentication certificate and click Next.
  • Type the password for the private key and leave the Import options at default ensuring strong private key protection is not enabled. Click Next.
  • Select Automatically select the certificate store and click Next.
  • Complete the Certificate Import Wizard by clicking Finish
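The import wizard above puts the certificate in the Local Machine store, but the IIS worker process still needs permission to use the private key. The following PowerShell script is an added example, not part of the RapID documentation or product: it imports the PFX with a non-exportable key (the wizard's defaults, without strong private key protection) and grants only Read on the key file to the application pool identity. The path C:\certs\service.pfx and the pool name "DefaultAppPool" are assumptions.

```powershell
# Added example; not part of the RapID documentation or product.
# Imports the service authentication certificate into the Local Machine store
# with a non-exportable private key and grants the IIS application pool identity
# read access to that key. Assumed names: PFX at C:\certs\service.pfx,
# application pool "DefaultAppPool". Run from an elevated PowerShell session.

function Import-ServiceCertificate {
    param([Parameter(Mandatory)][string]$PfxPath,
          [Parameter(Mandatory)][securestring]$Password)
    # No -Exportable: the key can be used on this machine but not copied out.
    # No user-protection prompt either, matching the wizard's default import options.
    Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\LocalMachine\My -Password $Password
}

function Get-PrivateKeyPath {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Machine keys live under ProgramData; the file name depends on the provider
    # that holds the key (CNG key storage provider or legacy CryptoAPI).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa) { throw "Certificate $($Certificate.Thumbprint) has no RSA private key" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

function Grant-PrivateKeyRead {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [Parameter(Mandatory)][string]$AppPoolName)
    # Least privilege: the worker process needs Read on the key file, not Full Control,
    # and only that pool's identity gets it.
    $keyPath  = Get-PrivateKeyPath -Certificate $Certificate
    $identity = "IIS AppPool\$AppPoolName"
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
}

$cert = Import-ServiceCertificate -PfxPath 'C:\certs\service.pfx' `
            -Password (Read-Host 'PFX password' -AsSecureString)
Grant-PrivateKeyRead -Certificate $cert -AppPoolName 'DefaultAppPool'

# Confirm the certificate is in the store with its private key attached.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
```

Once the key is in the store and the application pool can read it, the downloaded PFX file and its password should be deleted from the server; the file is the exportable copy that the non-exportable import was meant to avoid leaving behind.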