HTTPS and Certificates

Forum Moderators: phranque

Message Too Old, No Replies

HTTPS and Certificates

what is involved in setting this up?

txbakers

2:18 am on Aug 4, 2002 (gmt 0)

I'm running W2K Advanced Server, and I now need to set up https sites.

When I run the certificate wizard on W2K, I can generate a file. Where do I send that file? What else is involved in setting up an HTTPS site?

Lastly, what are the real benefits to having an https site?

Thanks all.

chameleon

2:58 am on Aug 4, 2002 (gmt 0)

txbakers -

The file you generated is called a Certificate Signing Request (CSR). It will need to be provided to the certificate issuing authority along with the exact domain name you plan to secure, proof of ownership for the domain, and the articles of incorporation or DBA paperwork for the company owning the domain.

The goal is to ensure that the issuer (Thawte, VeriSign, etc.) can validate that you are who you say you are.

The domain name tells them what they're securing (Note: [store.mydomain.com...] is not the same as www.mydomain.com. Be absolutely exact in what you specify).

The proof of ownership ties a person or a company to the domain name.

The DBA or articles of incorporation prove that you are that person or company.

Finally, the CSR will tie that domain to your specific server.

Once you provide the issuing authority with all of this information (and your credit card!), they'll give you another file which you can import into IIS to secure the domain.

For more detailed instructions, visit:

[thawte.com...]

There are numerous companies that issue SSL certificates, but I recommend purchasing a Thawte SSL Certificates or GeoTrust True BusinessID. There are two reasons:

I've used both without incident
They will both be recognized by almost every browser without having to download any additional software. Some of the newer companies weren't around when the version 4.x browsers were released, so they'll pop up a warning when one of their certificates is used to secure a page. That usually scares away customers.

Good luck!

txbakers

3:35 am on Aug 4, 2002 (gmt 0)

Thanks for the info.

One further question. Can I secure part of a domain?

For example, the outer site is called www.mydomain.com

From there, the user goes to the login screen on www.mydomain.com/login.asp

Can the https: start with that page, or will the entire domain be https now?

Lisa

5:11 am on Aug 4, 2002 (gmt 0)

That is all left up to your programming. You will want to place code in your login.asp file that checks to make sure it is secure. If not, then direct back to the same URI but now https mode. On that page you will want to make sure that backward links only link to the http version. It can be hard to selter only the secure area but in the end it comes down to programming.