(powered by Google Mini, searches all knowledgebase articles, forums and help files)
Knowledgebase: Enterprise TV
Enabling SSL or Web Browsers displaying a security certificate error when accessing the Enterprise TV 5.x Web Admin
Posted by Michael Bui on 03 May 2011 02:57 PM

Table of Contents

  1. Why do I need a SSL Certificate?
  2. Possible ways of getting a SSL Certificate:
    1. Commercial signed SSL Certificate. (Recommended way)
    2. IIS Self Signed SSL Certificate.
  3. Install your SSL Certificate.
  4. Bind your SSL Certificate .
  5. Redirect HTTP to HTTPS.
  6. Test the Web Admin with the Certificate.

 

1. Why do I need a SSL Certificate?

What is SSL? SSL is an acronym for Secure Sockets Layer, an encryption technology. SSL will create an encrypted connection between Enterprise TV and your client's web browser allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery. It uses public key cryptography to establish a secure connection. This means that anything encrypted with a public key (the SSL certificate) can only be decrypted with the private key and vice versa.

To enable SSL on a website, you will need to get an SSL Certificate that identifies you and install it on the server. The use of an SSL certificate on a website is usually indicated by a padlock icon in web browsers but it can also be indicated by a green address bar. Once you have done the SSL install, you can access a site securely by changing the URL from http:// to https://. When an SSL certificate is installed on a website, you can be sure that the information you enter, is secured and only seen by your organization.

In order to use the SSL protocol, Enterprise TV requires the use of an SSL certificate. SSL certificates are provided by Certificate Authorities (CAs) or can be self created.

2. Possible ways of getting a SSL Certificate:

There are several SSL Certificates that you can use. The most recommended way is to get a Commercially signed SSL Certificate from a certificate authority. A certificate authority is an entity which issues digital certificates to organizations or people after validating them. Certification authorities have to keep detailed records of what has been issued and the information used to issue it, and are audited regularly to make sure that they are following defined procedures. Every certification authority provides a Certification Practice Statement (CPS) that defines the procedures that will be used to verify applications. There are many commercial CAs that charge for their services (GoDaddy, Comodo, etc). Institutions and governments may have their own CAs.

An SSL certificate has multiple purposes: distributing the public key and, when signed by a trusted third-party, verifying the identity of the server so clients know they aren’t sending their information (encrypted or not) to the wrong person. A Self Signed Certificate is a certificate that is signed by itself rather than a trusted third party. This means you can't verify that you are connecting to the right server because any attacker can create a self signed certificate and launch a man-in-the-middle attack. Because of this, you should almost never use a self signed certificate if your Enterprise TV server has access to the internet.

  1. Commercial signed SSL Certificate. (Recommended way)

  2. IIS Self Signed SSL Certificate.

A. Commercial signed SSL Certificate. (Recommended way)

This process will show you how to order a SSL certificate from a commercial certificate authority.

Create the Certificate Signing Request

The first step in ordering an SSL certificate is generating a Certificate Signing Request. This is very easy to do in IIS7 using the following instructions. 

  1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

  2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

  3. In the Actions column on the right, click on Create Certificate Request...

  4. Enter all of the following information about your company and the domain you are securing and then click Next.

    Name Explanation Examples

    Common Name

    The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.

    computername.yourcompany.com

    Organization

    The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.

    Your company name

    Organizational Unit

    The division of your organization handling the certificate. (Most CAs don't validate this field)

    IT or Web

    City/Locality

    The city where your organization is located.

    Houston

    State/province

    The state/region where your organization is located. This shouldn't be abbreviated.

    Texas

    Country/Region

    The two-letter ISO code for the country where your organization is location.

    US

  5. Leave the default Cryptographic Service Provider. Increase the Bit length to 2048 bit or higher. ClickNext.

  6. Click the button with the three dots and enter a location and filename where you want to save the CSR file. Click Finish.

Once you have generated a CSR you can use it to order the certificate from a certificate authority.

B. IIS Self Signed SSL Certificate.

Generate Your IIS Self Signed Certificate

An SSL certificate has multiple purposes: distributing the public key and, when signed by a trusted third-party, verifying the identity of the server so clients know they aren’t sending their information (encrypted or not) to the wrong person. A self signed certificate is a certificate that is signed by itself rather than a trusted third party. This means you can't verify that you are connecting to the right server because any attacker can create a self signed certificate and launch a man-in-the-middle attack. Because of this, you should almost never use a self signed certificate on a public IIS server that requires anonymous visitors to connect to your site

 

Now you know when to use an IIS self signed certificate and when not to. Now let’s create one: (Click here to hide or show the images)

  1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

  2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

  3. In the Actions column on the right, click on Create Self-Signed Certificate...

  4. Enter any friendly name and then click OK.

  5. You will now have an IIS Self Signed Certificate valid for 1 year listed under Server Certificates. The certificate common name (Issued To) is the server name. Now we just need to bind the Self signed certificate to the IIS site.

3. Install your SSL Certificate.

Install the Certificate

To install your newly acquired SSL certificate in IIS 7, first copy the file somewhere on the server and then follow these instructions:

  1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

  2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

  3. In the Actions column on the right, click on Complete Certificate Request...

  4. Click the button with the three dots and select the server certificate that you received from the certificate authority. If the certificate doesn't have a .cer file extension, select to view all types. Enter any friendly name you want so you can keep track of the certificate on this server. Click OK.

  5. If successful, you will see your newly installed certificate in the list. If you receive an error stating that the request or private key cannot be found, make sure you are using the correct certificate and that you are installing it to the same server that you generated the CSR on. If you are sure of those two things, you may just need to create a new Certificate Request and reissue/replace the certificate. Contact your certificate authority if you have problems with this.

4. Bind your SSL Certificate.

Bind the Self Signed Certificate

  1. In the Connections column on the left, expand the sites folder and click on the website that you want to bind the certificate to. Click on Bindings... in the right column.

  2. Click on the Add... button.

  3. Change the Type to https and then select the SSL certificate that you just installed. Click OK.

  4. You will now see the binding for port 443 listed. Click Close.

  5. Now let's test the IIS self signed certificate by going to the site with https in our browser (e.g. https://site1.mydomain.com). When you do, you should see the following warning stating that "The security certificate presented by this website was issued for a different website's address" (a name mismatch error).

    This is displayed because IIS always uses the server's name as the common name when it creates a self signed certificate. This typically doesn't match the hostname that you use to access the site in your browser. For many situations where IIS self signed certificates are used, this isn't a problem. Just click "Continue to this web site" each time. However, if you want to completely get rid of the error messages, you'll need to follow the next two steps below.

5. Redirect HTTP to HTTPS.

  1. Access your Web Admin http://localhost/ or http://servername/ or http://ipaddress/

  2. Once you have done that click on Admin at the top, then Web Redirect on the left or http://localhost/Configuration/WebSettings.aspx (where localhost is your server)

  3. On this page, change "Protocol For Redirect Links" to https and click Save.

6. Test the Web Admin with the Certificate.

You are now done, test SSL by opening the Web Admin using https instead of http. You should see a locked icon in your browser when your accessing it via SSL.
SnapStream Media, Inc.