Setting up HTTPS: Difference between revisions

From NEOSYS Technical Support Wiki
(50 intermediate revisions by 7 users not shown)
The earlier revision of this page, retained below for reference, generated self-signed certificates with SelfSSL. That procedure is superseded by the COMODO-signed wildcard certificate procedure in the latest revision further down; use the SelfSSL material only for servers that still carry a self-signed certificate.

== Creating a single HTTPS web site on Windows 2008 ==

Install selfssl.exe from the Microsoft site (iis60rkt.exe is available in the neosys nl1 download folder); only the SelfSSL utility is needed.

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

However, please note that the command is different from the usual one:

[[image:sslwin2008-1.jpg]]

 C:\Program Files\IIS Resources\SelfSSL>selfssl.exe /N:CN=NEOSYS-SERVER /K:1024 /V:9999
 Microsoft (R) SelfSSL Version 1.0
 Copyright (C) 2003 Microsoft Corporation. All rights reserved.
 Do you want to replace the SSL settings for site 1 (Y/N)?y
 Error opening metabase: 0x80040154
 C:\Program Files\IIS Resources\SelfSSL>

/V:9999 means valid for 9999 days
/K:1024 is the RSA key length in bits (1024-bit RSA is no longer considered adequate, one of the reasons the self-signed approach was replaced)
/N:CN='''''hostname''''' is the full domain name of the site and depends on what you want to use (e.g. clientname.hosts.neosys.com if the site is hosted on nl1/nl1b, or clientname.support.neosys.com (fixed IP) / clientname.redirectme.net (dynamic IP) if the site is hosted on the client's server). Use the real host name rather than NEOSYS-SERVER, otherwise browsers report a name mismatch.
/S:'''''866651215''''' (the site number, shown in the IIS management screen) and /P:4430 (the non-standard port NEOSYS uses by convention for https instead of the standard 443) are the options used on Windows 2003 below; on Windows 2008 the certificate is bound to the site manually in IIS Manager as described next.

Ignore the error. 0x80040154 is "class not registered": SelfSSL expects the IIS 6 metabase, which IIS 7 on Windows 2008 does not expose by default, so the certificate is generated in the machine store but is not bound to any site.

Next go to IIS Manager (Server Certificates) and make sure the certificate was created and stored. Note that creating a certificate does not automatically bind it to the website.

[[image:sslwin2008-2.jpg]]

Once you have confirmed it exists, click on Sites > Default Web Site and in the right pane select Bindings:

[[image:sslwin2008-3.jpg]]

In the Bindings section click Add, select https, All Unassigned IP addresses, port 4430, select the certificate from the drop-down and click OK:

[[image:sslwin2008-4.jpg]]

Then test the site from the browser to make sure it works.
 
== Creating a single HTTPS web site on Windows 2003 ==

Install selfssl.exe from the Microsoft site (iis60rkt.exe is available in the neosys nl1 download folder); only the SelfSSL utility is needed.

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

then

[[Image:SelfSSL.png]]

 C:\Program Files\IIS Resources\SelfSSL>selfssl /v:9999 /s:'''''866651215''''' /p:4430 /n:CN='''''hostname'''''
 Microsoft (R) SelfSSL Version 1.0
 Copyright (C) 2003 Microsoft Corporation. All rights reserved.
 Do you want to replace the SSL settings for site 866651215 (Y/N)?y
 The self signed certificate was successfully assigned to site 866651215.

/v:9999 means valid for 9999 days
/s:'''''866651215''''' is the site number in this case (the site number is shown in the IIS management screen)
/p:4430 is the non-standard port number NEOSYS uses by convention for SSL/https instead of the standard 443
/n:CN='''''hostname''''' is the full domain name of the site and depends on what you want to use (e.g. clientname.hosts.neosys.com if the site is hosted on nl1/nl1b, or clientname.support.neosys.com (fixed IP) / clientname.redirectme.net (dynamic IP) if the site is hosted on the client's server). It must match the name users type into the browser exactly, otherwise they get a certificate name-mismatch warning.

You probably made a mistake in the site number if you get the following message ("path not found"):

 Error opening site metabase key: 0x80070003
== Creating a single HTTPS web site on NEOSYS hosted server ==

=== Creating a site in IIS ===

Each client hosted on nl1/nl1b uses the same IP address but a unique HTTPS port number starting from 4431 onwards. Similarly, HTTP also needs to be configured with a unique port number starting from 8123 onwards. The unique port number should be one greater than the highest port number already in use on the server under IIS Manager -> NEOSYS -> Sites.

==== Creating a site in IIS in Windows 2003 ====

The https options are only available after running selfssl (see below).

[[Image:httpadvancedwebsitesetup.png]]

==== Creating a site in IIS in Windows 2008 ====

Follow the procedure in "Creating a single HTTPS web site on Windows 2008" and add one port binding each for HTTP and HTTPS.

=== Testing access to the new HTTPS web site ===

Make a subdomain '''clientname'''.hosts.neosys.com

Open "https://'''clientname'''.hosts.neosys.com:44XX/neosys" in IE, where 44XX is the designated port number.

If you get a certificate error:

#check that the selfssl /n:CN='''clientname'''.hosts.neosys.com matches the domain name used in IE
#install the certificate into the client computer (double-click the padlock, view certificates, etc.)

Closing all Internet Explorer windows and restarting the browser is necessary for installed certificates to become effective.


== Setting up HTTPS for installations with more than 1 database ==

In cases where there are multiple databases within the same installation, the website can be made accessible via different URLs, one for each database, like database1.hosts.neosys.com and database2.hosts.neosys.com, though they will finally point to the same website. To assign multiple URLs to the same website, simply repeat the steps for [[Setting_up_HTTPS#Creating_a_single_HTTPS_web_site_on_Windows_2003| creating and binding a HTTPS website]] for each HTTPS URL that is required.

== Creating multiple HTTPS web sites ==

=== Bugs ===

SelfSSL allows only one website to have SSL at a time in Windows 2003. To avoid issues in the future, the solutions below are provided for both Windows 2003 and 2008.

The IIS Diagnostics Toolkit contains a fixed SelfSSL but doesn't allow full control:
http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

=== Solution for Windows 2003 ===

Use selfssl as follows:

"Wizard" in the following means IIS, Web Sites, (website), Properties, Directory Security, Server Certificate, Next, Renew/Remove/Export/Import.

Certificates must be saved in d:\hosts\certificates, preferably by name for easy reference, otherwise by site number. If this is not done and certificates later need to be regenerated, you have the pain of supporting re-import of certificates by all users. In some cases this isn't easy, e.g. Vista.

#delete any existing certificate
#create a certificate for the site in SelfSSL following the normal procedure
#export the certificate to a pfx file (Wizard) USING THE PASSWORD FOUND IN THE CERTIFICATES FOLDER
#remove the certificate (Wizard)
#import the pfx certificate back (Wizard)
#*Use the PASSWORD found in the certificates folder
#*Make sure you select the "mark certificate as exportable" option <br>[[image:import-export.jpg]]<br>

Continue adding sites this way and they should work fine. Just follow the sequence here for each site being added.

NOTE: The EXPORT/REMOVE/IMPORT stage is necessary where there are multiple https sites on one server, since any subsequent SelfSSL run seems to destroy all other sites done with SelfSSL that have not been exported/removed/imported. Note also that the latest revision of this page forbids the exportable option on servers not owned by NEOSYS; the per-site self-signed keys generated here expose less than the shared wildcard key would, but the same caution applies.

==== Re-installing Certificates ====

Sometimes, due to an unknown issue, sites stop working and the site certificate needs to be re-installed.

===== Re-installing Certificates from saved PFX files =====

Just do the first and last steps of the normal installation procedure.

#delete the existing certificate (IIS->Site->Directory Security->Server Certificate wizard)
#import the pfx certificate (IIS->Site->Directory Security->Server Certificate wizard)
#*Use the PASSWORD found in the certificates folder
#*Make sure you select the "mark certificate as exportable" option <br>[[image:import-export.jpg]]<br>

===== Re-installing Certificates from selfssl =====

Repeat the usual installation method above without missing the delete stage.

If users have installed certificates in their browsers then they will have to reinstall them to avoid the usual "certificate not trusted/matching" type problems.
=== Solution for Windows 2008 ===

The solution involves generating the certificate and then saving it. Certificates must be saved in d:\hosts\certificates, preferably by name for easy reference, otherwise by site number. If this is not done and certificates later need to be regenerated, you have the pain of supporting re-import of certificates by all users.

#Create a certificate for the site in SelfSSL following the normal Windows 2008 procedure
#Export the certificate to a pfx file from IIS Manager > click on the certificate > Export (use the location stated above; the password to set is in a txt file in the same folder)
#Remove the certificate from IIS Manager
#Import the pfx certificate back from IIS Manager
#*Use the PASSWORD found in the certificates folder
#*Make sure you select the "mark certificate as exportable" option <br>[[image:import-export.jpg]]<br>

Note: Importing and exporting certificates in Windows 2008 is just one part of adding certificates to sites; you still need to follow the usual instructions to "bind" the certificate to a particular site.

==== Re-installing Certificates ====

Sometimes, due to an unknown issue, sites stop working and the site certificate needs to be re-installed.

===== Re-installing Certificates from saved PFX files =====

#Unbind the certificate from the site
#Remove the certificate from IIS Manager
#Import the pfx certificate back from IIS Manager
#*Use the PASSWORD found in the certificates folder
#*Make sure you select the "mark certificate as exportable" option <br>[[image:import-export.jpg]]<br>
#Rebind the certificate
Latest revision as of 10:15, 4 February 2019

Setting up HTTPS for NEOSYS website

CAUTION: When importing certificates on servers that are not owned by NEOSYS you MUST NOT tick the "allow certificate export" option; otherwise anybody with access to the server can extract the NEOSYS private key and pass off their own servers as NEOSYS.

NEOSYS has a very simple way of enabling https for all the clients. Every client has been set up with domain name " *.hosts.neosys.com " where "*" is the clientname.

A pre-prepared certificate for *.hosts.neosys.com web sites is kept on the nl10r/win3 server. The certificate is signed by COMODO using SHA-2; it is portable, proves authenticity and is widely supported by browsers. Also refer to SSL certificate (http://itwiki.neosys.com/index.php/SSL_certificate).

If a client's URL is not as per NEOSYS standards, but has been in use for many years, do not change the URL without a good enough reason.

Creating a single HTTPS web site on Windows 2008

To create a single HTTPS web site on Windows 2008, follow three simple steps:

  1. Copy the "*.hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server (the password to use is in a text file in the same folder).
  2. Import the certificate into IIS WITHOUT the option to export, and delete the .pfx file (and the password file) from the server after the import. See Importing certificate in IIS for details.
  3. Click on Sites > Client Web Site > Bindings. In the Bindings section click Add, select https, All Unassigned IP addresses, port 4430, select the certificate from the drop-down and click OK.

(Screenshots: Sslwin2008-2.jpg, Sslwin2008-3.jpg, Sslwin2008-4.jpg)

Test the site in the browser to make sure it works and that no certificate warning is shown.

Creating a single HTTPS web site on Windows 2003

  • Copy the "*.hosts.neosys.com.pfx" certificate saved in d:\hosts\certificates on win3 to the server (the password to use is in a text file in the same folder).
  • Click on Sites > Properties > Directory Security > Server Certificate. Follow the steps in the wizard to import the certificate and bind it to port 4430. See Installing imported certificate in Windows 2003 IIS (https://support.microsoft.com/en-us/kb/816794) for detailed import steps. Delete the .pfx file from the server afterwards.

Creating multiple HTTPS web sites on NEOSYS hosted server

All clients hosted on NEOSYS servers use the same IP address but a unique HTTPS port number each, starting from 4431 onwards. The unique port number should be one greater than the highest port number already in use on the server under IIS Manager -> NEOSYS -> Sites.

  • Click on Sites > Client Web Site > Bindings. In the Bindings section click Add, select https, All Unassigned IP addresses, the client's allocated port (44XX, from 4431 onwards), select the "*.hosts.neosys.com" certificate from the drop-down and click OK.

Since http access is not required for any client on the NEOSYS hosted server, the https binding can be created while creating the client website, as shown in the screenshot below.

(Screenshot: IISwin3.png)
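The port allocation and binding steps above, scripted as an added example (this is not code from the NEOSYS wiki). It assumes Windows Server 2008 R2 or later with the WebAdministration module, that the *.hosts.neosys.com certificate is already in the machine store (imported once at the top level as described under Troubleshooting), and that the site name, physical path and certificate subject shown are placeholders.

```powershell
# Added example, not from the NEOSYS wiki: on the NEOSYS hosted server pick the
# next free HTTPS port (wiki rule: highest HTTPS port in use + 1, never below
# 4431), create the client site with only an https binding on that port, and
# attach the *.hosts.neosys.com certificate already in LocalMachine\My.
# Client name, physical path and certificate subject pattern are assumptions.
Import-Module WebAdministration

function Get-NextNeosysHttpsPort {
    param([int]$Floor = 4431)   # 4430 is reserved for client-hosted servers
    $used = foreach ($site in Get-Website) {
        foreach ($b in $site.bindings.Collection) {
            if ($b.protocol -eq 'https') {
                # bindingInformation looks like "*:4431:"  (IP:port:hostheader)
                [int]($b.bindingInformation -split ':')[1]
            }
        }
    }
    $max = ($used | Measure-Object -Maximum).Maximum
    if (-not $max -or $max -lt $Floor) { return $Floor }
    return $max + 1
}

function Get-NeosysWildcardCertificate {
    # Assumed subject of the COMODO wildcard certificate.
    param([string]$SubjectPattern = '^CN=\*\.hosts\.neosys\.com(,|$)')
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -match $SubjectPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No *.hosts.neosys.com certificate with a private key in LocalMachine\My" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Wildcard certificate expires $($cert.NotAfter); renew it before adding sites."
    }
    $cert
}

function New-NeosysHostedSite {
    param([Parameter(Mandatory)][string]$ClientName,
          [Parameter(Mandatory)][string]$PhysicalPath)
    $cert = Get-NeosysWildcardCertificate
    $port = Get-NextNeosysHttpsPort
    # -Ssl makes the site's only binding https on the chosen port for all
    # unassigned IPs; no http binding, as http access is not required here.
    New-Website -Name $ClientName -PhysicalPath $PhysicalPath -Port $port -Ssl | Out-Null
    (Get-WebBinding -Name $ClientName -Protocol https -Port $port).AddSslCertificate($cert.Thumbprint, 'My')
    [pscustomobject]@{
        Site = $ClientName
        Port = $port
        Url  = "https://$ClientName.hosts.neosys.com:$port/neosys"
        Cert = $cert.Thumbprint
    }
}

# Usage with an assumed client name and web root:
New-NeosysHostedSite -ClientName 'clientname' -PhysicalPath 'D:\hosts\clientname\web'
```

The returned Url is what to open in the browser to test; the test succeeds only if the certificate's wildcard name covers the client subdomain and the port is reachable through the server firewall.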

Steps to follow while importing certificate and why

  1. It MUST be imported WITHOUT the option to export, and
  2. the .pfx file MUST be deleted from the server after import.

It is especially important to keep pfx files off clients' own servers because those servers are commonly exposed directly to potentially infected employee computers and/or personal devices via the corporate LAN, so they may be far less secure than NEOSYS's own servers, which are reasonably well isolated. If a pfx file is obtained by criminal hackers, perhaps using automated tools, and the pfx password is guessed, brute-forced or otherwise broken, the key it contains could in principle be used against us or our clients. If the pfx file is a wildcard that covers any subdomain, then loss in one place affects all the others. The chances of all this happening are probably very low, but NEOSYS needs to be prepared to pass IT audits, and leaving keys around will be viewed as a culture of low security standards.
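The three-step Windows 2008 procedure above, together with the two import rules, as an added scripted example (not code from the NEOSYS wiki). It assumes Windows Server 2012 or later with the PKI and WebAdministration modules and PowerShell 5.1 (.NET 4.6 or later); on Windows 2008 itself the IIS Manager steps above apply. File paths, the site name and the password file name are placeholders. The last function is the check a practitioner wants after the import: it reads the key's export policy so a mis-click on "allow export" is caught before the server is handed back.

```powershell
# Added example, not from the NEOSYS wiki: import the wildcard .pfx with a
# NON-exportable private key, bind it to the client site on port 4430, remove
# the .pfx and its password file, then verify the key cannot be exported.
# Paths, site name and password file are assumptions.
Import-Module PKI
Import-Module WebAdministration

$PfxPath  = 'C:\temp\star.hosts.neosys.com.pfx'   # assumed: copied from win3 d:\hosts\certificates
$PassFile = 'C:\temp\pfx-password.txt'            # assumed: the text file kept beside the .pfx
$SiteName = 'Client Web Site'                     # assumed IIS site name
$Port     = 4430                                  # NEOSYS convention for HTTPS on client servers

function Import-NeosysCertificate {
    param([string]$Path, [string]$PasswordFile)
    $pw = ConvertTo-SecureString -String (Get-Content $PasswordFile -Raw).Trim() -AsPlainText -Force
    # Deliberately no -Exportable switch: the key is imported non-exportable,
    # which is what the wiki requires on servers NEOSYS does not own.
    Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\My -Password $pw
}

function Add-NeosysHttpsBinding {
    param([string]$Site, [int]$HttpsPort, [string]$Thumbprint)
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port $HttpsPort)) {
        # https, All Unassigned IP addresses, port 4430
        New-WebBinding -Name $Site -Protocol https -Port $HttpsPort -IPAddress '*'
    }
    $binding = Get-WebBinding -Name $Site -Protocol https -Port $HttpsPort
    $binding.AddSslCertificate($Thumbprint, 'My')
}

function Test-PrivateKeyExportable {
    # $true means the private key can be exported, i.e. the import was done
    # wrongly and must be redone without the export option.
    param([string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.Exportable                 # legacy CAPI key
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {          # CNG key
        return ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
    }
    throw "Cannot inspect the private key for $Thumbprint (no RSA key or access denied)"
}

$cert = Import-NeosysCertificate -Path $PfxPath -PasswordFile $PassFile
Add-NeosysHttpsBinding -Site $SiteName -HttpsPort $Port -Thumbprint $cert.Thumbprint

# The .pfx and its password must not stay on a client-owned server.
Remove-Item -Path $PfxPath  -Force
Remove-Item -Path $PassFile -Force

if (Test-PrivateKeyExportable -Thumbprint $cert.Thumbprint) {
    Write-Warning "Private key is EXPORTABLE: delete the certificate and re-import it without the export option."
} else {
    "Certificate $($cert.Thumbprint) bound to '$SiteName' on port $Port with a non-exportable key."
}
```

Remove-Item only unlinks the file; if the client's server has no full-disk encryption, copy the .pfx to the server over an encrypted channel and delete it in the same session so it never sits on disk longer than the import takes.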

Setting up HTTPS for installations with more than 1 database

In cases where there are multiple databases within the same installation, the same website can be used to access all the databases. If the client asks for separate domain names for the databases, add one https binding per domain name to that same website, using the same steps as explained in Setting up HTTPS for the server type concerned.

Setting up HTTPS for installations where outside office access is usually restricted

During a new installation, support staff MUST import the certificate into IIS, bind it to the NEOSYS website (following the steps above in Creating a single HTTPS web site) and test that NEOSYS can be reached over https on the server itself (https://localhost:4430), so that no problems arise later if the client requests outside access with their management's approval.

Where the client's management has confirmed that outside access is not required, close the server's port 4430 (i.e. remove 4430 from the Windows Firewall exceptions). Do not remove the certificate binding in IIS.

If and when https access is required by the client, enable it by unblocking port 4430 on the server and instructing the client's IT to configure the router to port-forward 4430 for https.
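Added example (not code from the NEOSYS wiki) for the two checks in this section: a TLS probe of 127.0.0.1:4430 that reports which certificate IIS is actually serving, standing in for the https://localhost:4430 browser test, and a function that removes or re-adds the Windows Firewall exception for 4430 with netsh advfirewall (present on Windows 2008 and later) while leaving the IIS binding untouched. The firewall rule name and the expected client host name are assumptions; the probe accepts any certificate on purpose because a wildcard certificate never matches "localhost".

```powershell
# Added example, not from the NEOSYS wiki.
function Test-NeosysHttps {
    param([string]$ComputerName = '127.0.0.1',
          [int]$Port = 4430,
          [string]$ExpectedHost = 'clientname.hosts.neosys.com')   # assumed client URL
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($ComputerName, $Port) }
    catch { return [pscustomobject]@{ Port = $Port; Listening = $false; Error = $_.Exception.Message } }
    # Accept any certificate: we connect to localhost only to inspect what is served.
    $accept = { param($sender, $certificate, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($ExpectedHost)   # SNI = the name users will type
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cn = (($cert.Subject -split ',') | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1) -replace '^\s*CN=', ''
        [pscustomobject]@{
            Port        = $Port
            Listening   = $true
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            NameMatches = ($ExpectedHost -like $cn)   # '*.hosts.neosys.com' covers clientname.hosts.neosys.com
        }
    } finally { $ssl.Dispose(); $tcp.Close() }
}

function Set-NeosysHttpsFirewall {
    # 'Closed' removes the exception (outside access not required; IIS binding kept).
    # 'Open' re-adds it when the client later asks for outside access.
    param([Parameter(Mandatory)][ValidateSet('Open','Closed')][string]$State,
          [int]$Port = 4430,
          [string]$RuleName = 'NEOSYS-HTTPS-4430')   # assumed rule name
    if ($State -eq 'Closed') {
        netsh advfirewall firewall delete rule name=$RuleName protocol=TCP localport=$Port | Out-Null
    } else {
        netsh advfirewall firewall add rule name=$RuleName dir=in action=allow protocol=TCP localport=$Port | Out-Null
    }
    netsh advfirewall firewall show rule name=$RuleName
}

# Usage: confirm IIS serves the wildcard certificate locally, then close the port.
Test-NeosysHttps
Set-NeosysHttpsFirewall -State Closed
```

If the exception on an existing server was created under another name, list the rules first (netsh advfirewall firewall show rule name=all) and look for the one with LocalPort 4430 before deleting it; the local probe should still report Listening = True afterwards, because the firewall change does not touch IIS.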

Troubleshooting setup of multiple HTTPS websites

Error while binding COMODO signed certificate to NEOSYS website

(Screenshot: Test11.jpg)

A specified logon session does not exist. It may already have been terminated.

If importing the certificate ONCE at the top level on a NEOSYS-controlled server that hosts multiple web sites, you need to tick the "Allow this key to be exported" checkbox when importing the certificate into IIS; otherwise binding the certificate to the sites fails with the error above. This exception applies to NEOSYS-controlled servers only; on client-owned servers the rule above (no export option) stands.