When you set up SSL for a Middle Tier Server on a Windows 2000 machine, all of the administration will be done with the Internet Services Manager and ConsoleOne®. The major procedures in the setup include the following:
To generate a certificate request on a Middle Tier Server installed on a Windows 2000 server:
At the server's desktop, click > > > to open the Internet Information Services window.
Click the + sign on the Middle Tier Server icon to expand its hierarchy.
Right-click > click to open the Default Web Site Properties dialog box.
If an SSL certificate has not been configured yet, the SSL Port field is dimmed.
Click to open the Directory Security page.
Click to start the Web Services Certificate Wizard.
On the wizard's Welcome page, click to open the Server Certificate page.
On the Server Certificate page, select , then click .
On the wizard's Delayed or Immediate page, select , then click Next.
On the Name and Security Setting page, specify a certificate name such as DaveMiddleTier Web Site, change the bit length to 1024, then click .
On the wizard's Organization Information page, specify the names of your organization and organizational unit in the and fields, then click .
On the wizard's Your Site's Common Name page, specify your full DNS name, such as zztop1.zenworks.provo.novell.com if you are in the DNS tables, then click .
You can also specify your IP address if it is static and if all access is through IP addresses.
If your servers are behind a firewall, specify the DNS name by which the server is known to the outside world.
On the wizard's Geographical Information page, enter the correct information in the , , and fields, then click .
On the wizard's Certificate Request File Name page, save the certificate request in an accessible location, then click .
This request is a file to be submitted to a trusted Certificate Authority (CA) for signing.
On the wizard's Request File Summary page, review all of the information. If necessary, you can use the button to make changes on appropriate pages. Click .
On the wizard's Completing the Web Services Certificate Wizard page, click .
Submit the certificate request to an appropriate trusted Certificate Authority. When the trusted CA issues the certificate, proceed with the steps outlined in Processing a Pending Certificate Request on IIS.
The eDirectory Root CA can be used to issue a certificate for a valid Certificate Signing Request (CSR). If you use this method, the root is not a trusted root. For more information, see Step 4.
This machine should have Novell Client™ 4.83 or later, ConsoleOne 1.3.3 or later, and the Novell International Cryptographic Infrastructure (NICI) client 2.4.0 or later installed.
On the server's desktop, start ConsoleOne.
Select the container in the tree where the server objects reside.
Select > to start the Issue Certificate Wizard.
In the field, specify the name of the file that contains the certificate request, then click .
On the Organizational Certificate Authority page, click .
On the SSL or TLS page, click .
On the next page of the wizard, accept the defaults by clicking .
On the Save Certificate page, save the file as the default (that is, in .der format).
Export the self-signed certificate from the Certificate Authority.
Because the root is not a trusted root, you need to import the self-signed certificate from the Root CA into all workstations that will connect to the Middle Tier Server. If this self-signed certificate is not imported, certificate verification fails for all certificates issued by this CA.
In ConsoleOne, browse to the Security container in the tree. The Security container is identified with a padlock icon.
Right-click > select .
Click > select .
Click .
Accept the defaults on succeeding pages until you need to save to a location.
If a non-trusted CA (for example, the eDirectory Root CA) signed the certificate request, you need to install the self-signed certificate from the CA on the Middle Tier Server:
Locate and double-click the file containing the self-signed certificate from the CA.
On the Certificate page, click to start the wizard.
On the first page of the wizard, click .
On the second page of the wizard, when you see a message reading “Automatically select the certificate store,” click .
On the third page of the wizard, click .
In the Root Certificate Store message box, select .
In the Successful Import dialog box, click .
A message reading “The import was successful” is displayed.
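The checks below are an added example, not part of the original procedure or of Novell's tooling. They use the openssl command line (an assumption; the page itself uses only the IIS wizard and ConsoleOne) on a constructed CA and request to confirm a request's common name and key length before submission, and to show that a certificate issued by a non-trusted root verifies only when that root's self-signed certificate is supplied as trusted. The demo keys are 2048-bit and all file names are hypothetical.

```shell
#!/bin/sh
# Added example: everything is built in a temp dir with a throwaway CA.
# File names and the "Demo" organization are constructed for illustration.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
CN="zztop1.zenworks.provo.novell.com"   # sample DNS name used on this page

make_demo_files() {
  # Stand-in for the organizational CA's self-signed certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Demo/CN=Demo Organizational CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
  # Stand-in for the request file saved by the IIS wizard.
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/OU=IT/CN=$CN" \
    -keyout "$WORK/srv.key" -out "$WORK/certreq.txt" 2>/dev/null &&
  # The CA signs the request and saves the certificate in .der format.
  openssl x509 -req -in "$WORK/certreq.txt" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -outform DER -out "$WORK/srv.der" 2>/dev/null
}

csr_key_bits() {   # prints the public key length (bits) of request $1
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

csr_has_cn() {     # succeeds only if request $1 carries exactly CN=$2
  openssl req -in "$1" -noout -subject | sed 's/^subject= *//' |
    tr -d ' ' | tr ',/' '\n\n' | grep -qxF "CN=$2"
}

verify_der() {     # $1 = issued .der certificate, $2 = CA cert to trust ("" = none)
  openssl x509 -inform DER -in "$1" -out "$WORK/srv.pem" || return 2
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$WORK/srv.pem" >/dev/null 2>&1
  else
    openssl verify "$WORK/srv.pem" >/dev/null 2>&1
  fi
}

make_demo_files
echo "request key length: $(csr_key_bits "$WORK/certreq.txt") bits"
csr_has_cn "$WORK/certreq.txt" "$CN" && echo "request CN matches $CN"
verify_der "$WORK/srv.der" "" || echo "root not trusted: verification fails"
verify_der "$WORK/srv.der" "$WORK/ca.pem" && echo "root trusted: verification OK"
```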
When a trusted CA has issued a certificate, you can use the Internet Services Manager to process that request.
At the server's desktop, click > > > to open the Internet Information Services window.
Click the + sign on the Middle Tier Server icon to expand its hierarchy.
Right-click , then click to open the Default Web Site Properties dialog box.
Click to open the Directory Security page.
Click to start the Web Services Certificate Wizard.
Use the Web Services Certificate Wizard to process the Certificate Request:
On the Welcome page, click .
On the Server Certificate page, select , then click .
On the next page, enter the full path of the signed certificate as received from the Certificate Authority.
This can be a .der or a .cer file, or a file with some other extension, depending on the naming convention used by the Certificate Authority.
On the next wizard page, click .
On the last wizard page, click .
Close the Properties page.
Right-click the server icon in the tree, then select .
When IIS restarts, open the properties of the default Web site to verify that the SSL port is available.