How to add / import SSL keys into NT4/IIS4?

     
1:20 am on Oct 5, 2018 (gmt 0)

Junior Member


joined:Sept 8, 2016
posts:69
votes: 0


I started the recent thread "Do I need to convert my company website to https?" and the take-away was that it should be pretty easy to do, so why don't I do it?

So here is where I'm at in this process. My site is currently running on an NT4 server running IIS4.

There are a number of files used in the creation of a domain validation SSL certificate:

I used the ZeroSSL online tools [zerossl.com...]

I used the SSL Certificate Wizard, entering only my email (email@example.com) and company domain (example.com and www.example.com) as the domains.

This generated a CSR file, which I downloaded: "csr" appears in the filename, the beginning sequence of which is: -----BEGIN CERTIFICATE REQUEST-----

Next the wizard generated an account key, which I downloaded. The text "account-key" appears in the filename, and it begins with the sequence: -----BEGIN RSA PRIVATE KEY-----

The next stage is verification, where the wizard requires the creation of specific filenames with specific contents: The web page tells you what they are. There is one file for each domain, so two files - one for www.example.com and the other for example.com. These are created under <website-root>\.well-known\acme-challenge.

Once verified, the wizard presents an account ID (new-account-key.txt) which is a short sequence of digits: It's used in conjunction with the email entered into the wizard to facilitate recovery of the certificate(s)/keys.

I download the certificate (new-domain-crt.txt) which begins with the sequence: -----BEGIN CERTIFICATE-----

There are two such entries in the file (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----): I assume 2 entries for the two domains.

I downloaded the domain key (new-domain-key.txt) which begins with the sequence: -----BEGIN RSA PRIVATE KEY-----

I've placed all these files on the NT4 server. The wizard talks about using the domain certificate with the domain key, not the LetsEncrypt key. I believe the LE key is called the Account Key, and can be used when renewing the domain certificate & key without going through the verification process again.

On the NT4 server, in the Key Manager, under Key, I can Create New Key, or Import Key. I assume that I've already created the key, so I select Import Key. I'm asked for the location of 2 files (which right now I can't recall but I assume these are what I created above) and it's asking for a password, for which I have no clue what sort of password it wants. At no point was I asked for a password: I don't know what IIS4 expects here. The text box is short, so I doubt it's a key. I've tried my nt4 admin password, but I get an error when I go forward with that. So that's where I'm kinda stuck right now.
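Before the Key Manager step it helps to know what each downloaded PEM file actually holds. The Python below is an added example (not from this thread or from ZeroSSL) that splits a PEM file into its blocks, checks that each block's base64 decodes to one complete DER object, and counts what is there; a file with two CERTIFICATE blocks is a chain (the site certificate followed by the issuing CA's intermediate), which is what a Let's Encrypt issued bundle contains. The sample bundle is constructed: its base64 bodies are tiny DER SEQUENCEs standing in for real certificates.

```python
import base64
import re
from typing import List, Tuple

# One PEM block: label in BEGIN/END lines, base64 body in between.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_envelope_length(der: bytes) -> int:
    """Bytes the outer ASN.1 SEQUENCE claims to occupy (tag + length + content).
    Certificates, CSRs and RSA keys all start with a SEQUENCE (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_bundle(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every block; reject truncated or padded blocks."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        if der_envelope_length(der) != len(der):
            raise ValueError(f"{label}: DER length does not match block size")
        blocks.append((label, der))
    return blocks


def is_well_formed(text: str) -> bool:
    try:
        return len(parse_pem_bundle(text)) > 0
    except ValueError:
        return False


def summarize(text: str) -> dict:
    """Count block types; more than one CERTIFICATE means the file is a chain."""
    blocks = parse_pem_bundle(text)
    certs = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    return {"certificates": certs,
            "private_keys": sum(1 for label, _ in blocks if label.endswith("PRIVATE KEY")),
            "requests": sum(1 for label, _ in blocks if label == "CERTIFICATE REQUEST"),
            "looks_like_chain": certs > 1}


# Constructed sample standing in for new-domain-crt.txt: each body is SEQUENCE{INTEGER}.
SAMPLE_CRT = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQc=
-----END CERTIFICATE-----
"""
```

Run `summarize(open("new-domain-crt.txt").read())` against the real download to see the block count before importing anything.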
8:23 am on Oct 5, 2018 (gmt 0)

Preferred Member


joined:Sept 13, 2018
posts:355
votes: 68


I know this is off topic, but maybe you should consider upgrading to a much more recent version of IIS/Windows. NT4 is very old, and I suspect it contains security holes which have not been fixed for a while.


10:19 am on Oct 5, 2018 (gmt 0)

Senior Member from GB (dstiles)

joined:May 14, 2008
posts:3225
votes: 17


NT4 does not support many features needed for HTTPS sites. Even the Windows version I use, Server 2012, struggles with some features such as TLS v1.3. Also, I don't think LetsEncrypt will work - never got it working on my server, anyway.
12:37 pm on Oct 5, 2018 (gmt 0)

Junior Member


joined:Sept 8, 2016
posts:69
votes: 0


We run no server-side scripts, so I'm not interested in changing the server OS due to security or hackability (after operating for 19 years I'm sure it's not hackable now). I'm only looking at this https stuff to see if there are some people who browse to our site and are turned off because it's only http, not https.

I forgot to mention that in addition to creating the account-key.txt file, a csr.txt key (CertificateSigningRequest) is also created. I think what happens is that the account-key is used to securely transfer the CSR to the certifying authority. The CSR contains (encrypted) the domains for which you want a domain validation certificate. I think that if the domain information doesn't change (hence the same CSR file), you can use the account-key with the CSR to renew the certificate (the domain-crt.txt) and the domain-key.txt without going through the validation steps again.

I believe the 2 fields requested by the KeyManager are the domain-crt.txt file and the domain-key.txt file. The password textbox appears in the same dialog box as a third field and appears quite short, although I never attempted to determine its maximum length.

...And there's more. The DV (domain validation) certificate is a "baseline" certificate. We probably want an EV (Extended Validation) certificate - the one required by modern browsers to put a green, closed padlock (e.g. Firefox) next to the URL. This requires a more rigorous validation process by a CA, such as validating the government-issued business number, telephone/FAX numbers, physical address validation, etc. See [en.wikipedia.org...] for more info. After all, a malicious entity can create a phony website (maybe using internationalized domain names (IDNA), i.e. punycode) to mimic a legit website, whose URL can be contained in a malicious email, etc. Since it's under the fraudsters' control, the validation process to obtain a DV certificate (such as what LetsEncrypt gives us) is trivial.
3:08 pm on Oct 5, 2018 (gmt 0)

Preferred Member


joined:Sept 13, 2018
posts:355
votes: 68


I'm not interested in changing the server OS due to security or hackability (after operating for 19 years I'm sure it's not hackable now)

hum...