Microsoft Internet Information Services

UKC (Unbound Key Control, Unbound's key management product) can be integrated with Microsoft Internet Information Services (IIS), Microsoft's web server for Windows, so that the private key behind a web site's TLS certificate is generated and held in UKC rather than in a software key store on the IIS host. See the following link for more information about IIS.

https://www.iis.net/

The following sections describe how to issue a web server certificate for IIS using a key pair generated and secured in UKC.

Prerequisites

You need the following prerequisites for integration with UKC:

Create the Certificate Authority

After installing UKC, create a new CA. Setting up the CA involves installing the Active Directory Certificate Services CA role and configuring it. Information about how to do this can be found here:

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority

If there is an existing CA, use the following instructions to migrate its private key into UKC:

  1. Back up the CA private key.
    For instructions, refer to https://support.microsoft.com/en-us/help/298138/how-to-move-a-certification-authority-to-another-server, in the section Windows Server 2003 > Step 2: Use the Certification Authority snap-in to back up the CA database and private key.
  2. Back up the rest of the CA configuration.
  3. Import the .pfx file into UKC.
  4. Reinstall the CA.
  5. Choose the certificate whose private key is now held in UKC.
    1. If the reinstallation is done on a new server, run ucl sync-cert -local first.
  6. Restore the rest of the CA configuration.

Set up the SSL Certificate

The SSL certificate identifies the web site to the end user's browser, and its private key is used during the TLS handshake to set up the encrypted session between the browser and IIS. You can either import an existing certificate or create a new one.

Option 1: Import a certificate into UKC

If you already have a certificate, use the following procedure to import it into UKC. The steps are those of the CA migration above, with the backup step spelled out:

  1. Back up the CA private key (details: https://support.microsoft.com/en-us/help/298138/how-to-move-a-certification-authority-to-another-server).
    1. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
    2. Click Next, and then select Private key and CA certificate.
    3. Select Certificate database and certificate database log.
    4. Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
    5. Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
    6. Type and then confirm a password for the CA private key backup file. The backup contains the CA's private key: choose a strong password, restrict access to the backup folder, and delete the file once the import into UKC has been verified.
    7. Click Next, and then verify the backup settings. The following settings should be displayed:
      • Private Key and CA Certificate
      • Issued Log and Pending Requests
    8. Click Finish.
  2. Back up the rest of the CA configuration.
  3. Import the .pfx file into UKC.
  4. Reinstall the CA.
  5. Choose the certificate whose private key is now held in UKC.
    1. If the reinstallation is done on a new server, run ucl sync-cert -local first.
  6. Restore the rest of the CA configuration.

Option 2: Create a new certificate

Create an Unbound KSP “Web Server” Certificate Template

To issue a certificate using Unbound as the key provider, you first need to create a duplicate of the Web Server certificate template.

  1. Open the Certification Authority snap-in.
  2. Right click on Certificate templates and then click Manage.
  3. Right click on Web Server and choose Duplicate Template.
  4. In the Compatibility tab, set the following values:
    1. Certification Authority: Windows Server 2008
    2. Certificate recipient: Windows Vista / Server 2008

    Accept the “resulting changes” message, if prompted.

  5. In the Cryptography tab, set the following values:
    1. Provider Category: Key Storage Provider
    2. Under Choose which cryptographic providers can be used for requests, choose Requests must use one of the following providers.
    3. Under Providers choose only Dyadic Security Key Storage Provider.
    4. Under Request hash, choose SHA256.

  6. In the General tab, under Template Name, set the name to Unbound Web Server.
  7. In the Security tab, add the computer account of the IIS server you are working on, and select Allow for the Enroll permission.
  8. Click OK to save the new certificate template.
  9. Go back to the Certification Authority snap-in, right click on Certificate Templates, click New > Certificate Template to Issue.
  10. Choose Unbound Web Server and click OK.

Create a Web Server Certificate

Use the following procedure to create the SSL certificate for IIS:

  1. Open MMC and add the Certificates snap-in for Computer account.
  2. Expand Personal > Certificates.
  3. Right click on Certificates and select Request New Certificate.
  4. On the Select Certificate Enrollment Policy, click Next.
  5. Check the Unbound Web Server certificate template and click on More information is required to enroll this certificate. Click here to configure settings.
  6. Under Subject name, choose Common name as the type, enter the host name the site will be reached by (for example www.mydomainname.com) and click Add. Under Alternative name, choose DNS and add the same host name, because browsers match the server name against the Subject Alternative Name extension rather than the Common Name. Then click OK.
  7. Click Enroll.
  8. Click Finish.

The key pair is generated and secured in UKC; the certificate issued by the CA is placed in the computer's Personal store, with its private key reachable only through the Unbound KSP.
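The same enrollment as the wizard above, done from the command line with certreq.exe. This is an added example, not code from the UKC documentation or from Unbound; it assumes a CA config string, a site host name and working paths that are not on this page, and uses the template and provider names given above. certreq -new generates the key pair through the KSP named in the INF, so the key is created in UKC exactly as it is by the wizard, and the INF also requests the DNS Subject Alternative Name that browsers require.

```powershell
# Added example (not from the UKC documentation): enrol the "Unbound Web Server"
# certificate with certreq.exe instead of the MMC wizard.
# Assumed values (not on the page): $CaConfig, $HostName and the working directory.
$HostName = "www.mydomainname.com"                   # CN and DNS SAN of the site
$CaConfig = "ca.mydomainname.com\My Issuing CA"      # "<CA host>\<CA name>"; list yours with: certutil -dump
$Provider = "Dyadic Security Key Storage Provider"   # KSP selected in the template's Cryptography tab
$Template = "Unbound Web Server"                     # template name set in the General tab
$Work     = Join-Path $env:TEMP "unbound-webserver"
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$inf = Join-Path $Work "request.inf"
$req = Join-Path $Work "request.req"
$cer = Join-Path $Work "issued.cer"

# certreq INF. A single-quoted here-string keeps "$Windows NT$" and "{text}" literal;
# the __PLACEHOLDERS__ are filled in below.
$infText = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__HOST__"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
; digitalSignature | keyEncipherment
KeyUsage = 0xa0
; key belongs to the computer account, as the wizard's "Computer account" snap-in does
MachineKeySet = TRUE
Exportable = FALSE
; forces key generation in the Unbound KSP rather than the Microsoft software KSP
ProviderName = "__PROVIDER__"
RequestType = PKCS10
FriendlyName = "__HOST__ (UKC)"

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: browsers match the host name here, not in the CN
2.5.29.17 = "{text}"
_continue_ = "dns=__HOST__&"

[RequestAttributes]
CertificateTemplate = "__TEMPLATE__"
'@
$infText = $infText -replace '__HOST__', $HostName -replace '__PROVIDER__', $Provider -replace '__TEMPLATE__', $Template
Set-Content -Path $inf -Value $infText -Encoding Ascii

function Invoke-CertReq {
    param([string[]]$Arguments)
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}
Invoke-CertReq -Arguments @('-new', '-q', $inf, $req)                        # key pair is generated in UKC here
Invoke-CertReq -Arguments @('-submit', '-q', '-config', $CaConfig, $req, $cer)
Invoke-CertReq -Arguments @('-accept', '-q', $cer)                           # installs the cert in LocalMachine\My next to its key

# Check that the private key really is a CNG/KSP key held by the Unbound provider.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate for $HostName was not installed" }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) { throw "Private key is a legacy CAPI key, not a KSP key" }
$keyProvider = $rsa.Key.Provider.Provider
if ($keyProvider -ne $Provider) { throw "Key is held by '$keyProvider', expected '$Provider'" }
"Enrolled $($cert.Thumbprint) for $HostName; private key provider: $keyProvider"
```

If the template's Template name and Template display name differ, CertificateTemplate must carry the former. The final check matters because a template that merely permits the KSP (rather than requiring it, as step 5.2 above does) would let a request fall back to the Microsoft software KSP, leaving the key on the IIS host.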

Choose the Certificate On IIS

To bind the certificate to the IIS web site:

  1. Open the IIS snap-in and expand the server node. Choose Sites, then choose the web site you wish to protect (by default, Default Web Site).
  2. In the right pane, under Actions, click Bindings…
  3. Click Add and set the binding as follows:
    1. Type: https.
    2. Host name: the DNS host name of the web site, which must match the name on the certificate (www.mydomainname.com in the example above).
    3. SSL certificate: choose the certificate created above.
  4. Click OK and close the dialog.
  5. Open SSL Settings.
  6. Select Require SSL. Plain HTTP requests to the site are then rejected with HTTP 403.4; add a redirect rule if they should be forwarded to HTTPS instead.
  7. Click Apply.

The web site is now configured for SSL, using a certificate whose private key is protected by UKC.
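The binding and Require SSL steps above, scripted with the WebAdministration module. This is an added example, not code from the UKC documentation or from Unbound; it assumes the page's default site name and the example host name, and it picks the certificate by subject from the computer's Personal store.

```powershell
# Added example (not from the UKC documentation): Bindings > Add (https, host name)
# and SSL Settings > Require SSL via the WebAdministration module.
# Assumed values (not on the page): $SiteName and $HostName.
Import-Module WebAdministration

$SiteName = "Default Web Site"
$HostName = "www.mydomainname.com"

# Newest certificate for the host that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $HostName in LocalMachine\My" }

# Show which KSP holds the key before binding it. The "Provider =" line should name the
# Dyadic/Unbound KSP, not "Microsoft Software Key Storage Provider".
certutil -store My $cert.Thumbprint | Select-String -Pattern 'Provider ='

# Bindings > Add: type https, port 443, host name, SNI enabled (SslFlags 1).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
}

# Attach the certificate to that binding. The SslBindings path is <ip>!<port>!<host>;
# an empty IP means all addresses, like "All Unassigned" in IIS Manager.
$sslPath = "IIS:\SslBindings\!443!$HostName"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert -SSLFlags 1 | Out-Null

# SSL Settings > Require SSL. Plain HTTP requests to the site now get HTTP 403.4.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl"

# Result: the https binding, the certificate attached to it, and the sslFlags setting.
Get-WebBinding -Name $SiteName -Protocol https
Get-Item $sslPath
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter "system.webServer/security/access" -Name sslFlags
```

Note that for IIS the TLS private-key operations are performed by Schannel inside LSASS on behalf of HTTP.SYS, not by the w3wp worker process, so a successful certutil check in your own session does not by itself prove the key is usable by the service; the browser test in Run the Solution does.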

Run the Solution

Verify the SSL installation and view the signing events:

  1. Make sure that the server host name resolves to the IIS server's IP address in your DNS, then browse to the IIS web site, for example https://www.mydomainname.com.
  2. View the SSL signing events in the UKC event log, which can be found here:
    C:\Program Files\Dyadic\ekm\tomcat\logs\ekm.log
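A scripted form of the check above. This is an added example, not code from the UKC documentation or from Unbound; it assumes the example host name, performs a TLS handshake itself rather than through a browser, and reads the log only if the path given above exists on the machine running the script (the page does not say which host holds it). It verifies that the certificate actually served is the UKC-backed one in LocalMachine\My and prints the log lines appended during the handshake.

```powershell
# Added example (not from the UKC documentation): resolve the name, do a TLS handshake,
# compare the served certificate with the one in LocalMachine\My, then show new log lines.
# Assumed values (not on the page): $HostName; the log path is the one the page gives.
$HostName = "www.mydomainname.com"
$LogPath  = "C:\Program Files\Dyadic\ekm\tomcat\logs\ekm.log"

# 1. DNS: the name must point at the IIS server.
Resolve-DnsName -Name $HostName -Type A | ForEach-Object { "$HostName -> $($_.IPAddress)" }

function Get-ServedCertificate {
    param([string]$TargetHost, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # The callback accepts any chain on purpose: this check compares the exact
        # thumbprint below, which is stricter than chain validation for this purpose.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($TargetHost)   # TargetHost is also sent as SNI, selecting the host-name binding
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $client.Close() }
}

# 2. The certificate we expect: newest one for the host with a private key.
$expected = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $expected) { throw "No certificate for $HostName in LocalMachine\My" }

$linesBefore = if (Test-Path $LogPath) { (Get-Content $LogPath).Count } else { $null }

# 3. Handshake. A full handshake needs one private-key operation, which UKC performs.
$served = Get-ServedCertificate -TargetHost $HostName
if ($served.Thumbprint -ne $expected.Thumbprint) {
    throw "Served $($served.Thumbprint) but expected $($expected.Thumbprint): check the https binding and its host name"
}
"OK: $HostName served $($served.Subject), thumbprint $($served.Thumbprint), issued by $($served.Issuer)"

# 4. Log lines appended during the handshake (the page does not specify the format, so they are shown raw).
if ($null -ne $linesBefore) {
    Get-Content $LogPath | Select-Object -Skip $linesBefore
} else {
    "Log $LogPath is not on this machine; read it on the host that runs the UKC server"
}
```

Run it from a fresh PowerShell process: Schannel caches TLS sessions per process, and a resumed session does not use the private key, so a repeat run in the same session may append nothing to the log even though the first handshake did.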