+++ "JLSH" == Jose Luis Saraiva Hime wrote: +++
JLSH> Hello, Wolf:
>> no, it isn't. i created a client-/server-secure connection between
>> msie and iis only with ssleay certs.
JLSH> Could you tell me how have you done that?
See `How to SSL w/ MS IIS 3/4' and `How to SSL w/ Internet Explorer
3/4':
Greetings, Wolf.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<HTML>
<HEAD>
<TITLE>How to SSL w/ MS IIS 3/4</TITLE>
<META name=author content="Wolf-Dietrich Filß">
<META name=date content="Mon Jul 27 11:29:07 1998">
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
</HEAD>
<BODY bgcolor=silver>
<H1 style="color: maroon">How to SSL w/ MS IIS 3/4</H1>
The following instructions are only valid for MS IIS 4, but with minor
reservations they can also be used for MS IIS 3.
<H3>Download and Import CA Certificate</H3>
<OL>
<LI>Install the CA certificate into your Internet Explorer, see <A
href=createIEcert.html>How to SSL w/ Internet Explorer 3/4</A>.
<LI>Map the CA certificate installed in Internet Explorer onto MS IIS:
At the DOS command prompt type <I>cd %WinDir%\System32\InetSrv</I>,
then type <I>IISCA</I>.
</OL>
<H3>Generate Own Key Pair and Certificate Request</H3>
<OL>
<LI>Launch the Microsoft Internet Service Manager and start the web
server.
<LI>Open <A
href="http://localhost/iishelp/iis/misc/default.asp"><I>http://localhost/iishelp/iis/misc/default.asp</I></A>, then follow the instructions
given in <I>Contents</I> > <I>Microsoft Internet Information
Server</I> > <I>Server Administration</I> > <I>Security</I> >
<I>Authentication</I> > <I>Setting Up SSL on Your Server</I>.
<LI>In the Internet Service Manager, click on the <I>Key Manager</I>
icon in the toolbar.
<LI>Select <I>Create New Key</I> from the <I>Key</I> menu.
<LI>You will be asked where to store the key, use the default value
<I>C:\NewKeyRq.txt</I>.
<LI>Fill out some dialog boxes. The <I>Password</I> must be 7
characters or less. In the <I>Common Name</I> field, enter your
web site's fully-qualified name.
<LI>Click <I>OK</I> to generate the key pair and certificate
request. When prompted, enter the password you defined before.
<LI>After key generation, select <I>Commit Changes Now</I> from the
<I>Servers</I> menu to save your new key.
</OL>
<H3>Sign and Import Own Certificate</H3>
<OL>
<LI>Sign generated certificate request <I>C:\NewKeyRq.txt</I> with:
<PRE>ca -config $CFG -in NewKeyRq.txt -ca-out cert.pem \
   -policy policy_match -days 360 -key $CAPASS
</PRE>
<LI>Launch the Internet Service Manager and click on the <I>Key
Manager</I> icon in the toolbar.
<LI>On the <I>Key</I> menu, select <I>Install Key Certificate</I>,
then <I>Open</I> (<I>C:\cert.pem</I>), and click <I>OK</I>.
</OL>
<H3>Enable SSL</H3>
<OL>
<LI>In Internet Service Manager, select the web site that you want to
protect with SSL and open its property sheets, then go to <I>Web
Site Identification</I> > <I>Advanced</I>. Make sure that the SSL
port is 443.
<LI>On the <I>Directory Security</I> property sheet, under <I>Secure
Communications</I>, click <I>Edit</I> and configure your web
server to require SSL. You have the option of enabling your Web
server's SSL client certificate authentication and mapping
features.
</OL>
</BODY>
</HTML>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<HTML>
<HEAD>
<TITLE>How to SSL w/ Internet Explorer 3/4</TITLE>
<META name=author content="Wolf-Dietrich Filß">
<META name=date content="Mon Jul 27 11:29:07 1998">
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
</HEAD>
<BODY bgcolor=silver>
<H1 style="color: maroon">How to SSL w/ Internet Explorer 3/4</H1>
The following instructions are only valid for Explorer 4, but with minor
reservations they can also be used for Explorer 3.
<H3>Include CA Certificate into Browser</H3>
<OL>
<LI>Click the link to the CA Certificate.
<LI>Select <I>Into Browser</I>, then click <I>Download</I>.
<LI>Some dialog boxes appear. Click <I>Next</I> various times, then
accept the certificate for the purposes you want.
<LI>When prompted by Internet Explorer, choose to <I>Open</I> the
certificate object rather than save it to disk.
</OL>
<H3>Create and Include Own Certificate</H3>
<OL>
<LI>Open the CA web page.
<LI>Fill out the input fields. You should not change the default
values unless it is necessary. In the <I>Common Name</I>
field, enter your web site's fully-qualified name.
<LI>Click <I>OK</I> or something else to generate and include the
certificate.
<LI>A dialog box appears stating that the certificate has been successfully
installed.
</OL>
<H3>Check Certificates, Uninstall CA Certificates</H3>
<OL>
<LI>Click on the browser's <I>View</I> menu.
<LI>Open <I>Internet Options</I> > <I>Content</I>.
<LI>Under <I>Personal</I> you will find your own certificates, under
<I>Authorities</I> you will find CA certificates.
<LI>If the certificates are shown as expired, check your system clock.
Perhaps you have to redefine your date
format. Check <I>Control Panel</I> > <I>Regional Settings</I>
> <I>Date</I> > <I>Short Date Style</I>, set it to
<I>dd/MM/yyyy</I>. Rule of thumb: each certificate has to be 1 day old
before you can use it: the CA cert has to be 1 day old before it can sign
other certs, the server cert has to be 1 day old before it can be used,
and so on. You may change ca.c so that you can use the certs immediately:
<PRE>
sgi~/src/SSLeay-0.9.0/apps> diff ca.c-today ca.c-yesterday
1607c1607
< X509_gmtime_adj(X509_get_notBefore(ret),0);
---
> X509_gmtime_adj(X509_get_notBefore(ret),(long)-86400);
</PRE>
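Review bot: the diff is taken in reverse order (<I>diff ca.c-today ca.c-yesterday</I>), so the line marked &lt; is the unmodified SSLeay-0.9.0 source and the line marked &gt; is the change to make; either say so next to the listing or run it as <I>diff ca.c-yesterday ca.c-today</I> so that <I>patch</I> applies it in the expected direction. It is also worth stating what the change does: <I>X509_gmtime_adj(X509_get_notBefore(ret),(long)-86400)</I> sets notBefore to one day before signing time, which tolerates up to 24 hours of client clock or time-zone skew, and since notAfter is still computed from the signing time, a <I>-days 360</I> certificate is then valid for 361 days. The line number 1607 is specific to the SSLeay-0.9.0 source shown in the prompt.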
<LI>If you want to delete CA certificates, click the certificate, then
click <I>Delete</I>.
</OL>
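The "shown as expired" problem above comes down to how a client's clock compares against the certificate's notBefore/notAfter. The following added example (not part of Wolf's page) parses the X.509 UTCTime strings that SSLeay writes, evaluates them against a constructed client clock that is a few hours behind, and shows the effect of the one-day notBefore backdating described above; all dates are constructed.

```python
"""Simulate the validity-window check a browser applies to a server cert,
to show why a freshly signed SSLeay cert can be rejected as 'not yet valid'
and what backdating notBefore by 86400 seconds (the ca.c change) buys."""
from datetime import datetime, timedelta, timezone

def parse_utctime(s: str) -> datetime:
    """Parse an X.509 UTCTime (YYMMDDHHMMSSZ) as written by SSLeay.
    Two-digit years pivot at 50: 50..99 -> 19xx, 00..49 -> 20xx."""
    if len(s) != 13 or not s.endswith("Z") or not s[:-1].isdigit():
        raise ValueError("expected YYMMDDHHMMSSZ, got %r" % s)
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)

def format_utctime(t: datetime) -> str:
    """Inverse of parse_utctime, always in UTC ('Zulu')."""
    return t.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")

def backdate_not_before(not_before: str, seconds: int = 86400) -> str:
    """Mirror of the ca.c change: X509_gmtime_adj(notBefore, -86400)."""
    return format_utctime(parse_utctime(not_before) - timedelta(seconds=seconds))

def validity_status(not_before: str, not_after: str, client_now: datetime) -> str:
    """What a client whose clock reads client_now concludes about the cert."""
    now = client_now.astimezone(timezone.utc)
    if now < parse_utctime(not_before):
        return "not yet valid"
    if now > parse_utctime(not_after):
        return "expired"
    return "valid"

# Constructed scenario: CA signs at 11:29:07 UTC on 27 Jul 1998 with
# -days 360, so notAfter is 22 Jul 1999. The client PC's clock is behind
# by a few hours (local time taken as UTC), reading 09:00 UTC.
NOT_BEFORE = "980727112907Z"
NOT_AFTER = "990722112907Z"
CLIENT_CLOCK = datetime(1998, 7, 27, 9, 0, tzinfo=timezone.utc)

def demo() -> dict:
    """Status of the cert as issued, and after the one-day backdating."""
    fixed = backdate_not_before(NOT_BEFORE)
    return {
        "as_issued": validity_status(NOT_BEFORE, NOT_AFTER, CLIENT_CLOCK),
        "backdated_not_before": fixed,
        "after_ca_c_change": validity_status(fixed, NOT_AFTER, CLIENT_CLOCK),
    }

if __name__ == "__main__":
    print(demo())
```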
<H3>Uninstall Own Certificates</H3>
<OL>
<LI>Open the registry with <I>regedit</I>.
<LI><B>Warning!</B> If you delete the following registry entries, all
your personal certificates will be deleted!
<UL>
<LI><I>HKEY_CURRENT_USER\Software\Microsoft\Cryptography\MapSessionPurpose</I>
<LI><I>HKEY_CURRENT_USER\Software\Microsoft\Cryptography\PersonalCertificates</I>
<LI><I>HKEY_CURRENT_USER\Software\Microsoft\Cryptography\UserKeys</I>
<LI><I>HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates</I>
</UL>
<LI>During installation of your certificate, the dynamic link libraries
<I>certenr.dll</I> (for Explorer 3) or <I>xenroll.dll</I> (for
Explorer 4) are saved into <I>C:\WINNT\Download Program Files</I>
(if not yet installed). You may wish to delete them.
</OL>
</BODY>
</HTML>