
Run Archive Server for MDaemon in HTTPS - Achab - Distribuiamo


Archive Server for MDaemon

Run Archive Server for MDaemon in HTTPS

Contents

• Introduction
• Part 1 - Creating a Certificate Signing Request
    • Create a certificate request using IIS manager
• Part 2 - Creating and using a self-signed SSL Certificate
• Part 3 - Access to ASM by HTTPS

Introduction

Typically, Secure Sockets Layer (SSL) certificates are created for domains by first generating a Certificate Signing Request (CSR) through Internet Information Services (IIS) and sending the request to a known Certification Authority, such as GeoTrust. The Certification Authority generates a corresponding certificate file for use in conjunction with the CSR, which completes the request and secures communications on the domain.

However, IIS does come with the ability to create a “self-signed” certificate, in which the server generating the CSR also generates the corresponding certificate file. These are mainly used for testing, development and troubleshooting, as the certificate will only be recognized as valid by the server it is hosted on. Attempting to view the secured domain externally produces an error that the certificate is not valid, as it has neither been approved by nor is recognized by a known Certification Authority.

This tutorial describes the steps for creating a self-signed SSL certificate for use with the Microsoft IIS web server to allow Archive Server for MDaemon (ASM) to support the HTTPS protocol. It is geared towards Microsoft Windows XP and IIS 5.1. Part 1 covers the creation of a certificate request. Part 2 explains how to create and use a self-signed SSL certificate. Part 3 shows how to access ASM by HTTPS.

Part 1 - Creating a Certificate Signing Request

This is the first step in creating an SSL-secured site.

Create a certificate request using IIS manager

1. Open Internet Information Services from Administrative Tools in Control Panel.

2. Expand the tree, right-click your web site and select Properties.

3. When the web site properties dialog box appears, click on the Directory Security tab then click on the Server Certificate button.


4. The Web Server Certificate Wizard appears, click Next.

5. Select the first option, Create a new certificate, then click Next.

6. Select Prepare the request now, but send later option, then click Next.


7. You can give the certificate any name you wish. It is probably best to give it the same name as your web site. Set the bit length to 1024 and do not check the bottom checkboxes, then click Next.

8. Set the Organization field to the name of your company or whatever you want. Set the Organization unit to the department the certificate will belong to. You can put anything you want here since this is a self-signed certificate. If it were a real certificate request, you would put your company name and unit. Click Next.

9. The Common name is the web site address the certificate will cover. This could be www.yourcompany.com or secure.yourcompany.com. You will need a valid DNS name if you plan on accessing your secure site through the Internet. In this case we are using localhost which means we will be accessing our site locally (yes, accessing it locally defeats the purpose of a secure site. Keep in mind this is just a tutorial). Enter your common name and click Next.


10. Set the Country, State, and City fields to where your server is located, then click Next.

11. Enter a File name for your certificate request. To keep things simple we will just place it in the root. Click Next.

12. The IIS Certificate Wizard displays a summary of the values you entered. If you find any mistakes click the Back button and correct the errors. When you are done click Next.


13. Congratulations, you have just created a certificate request. Click Finish.

14. We have just finished creating our certificate signing request.


Part 2 - Creating and using a self-signed SSL Certificate

There are many free tools to create a self-signed SSL certificate for any hosted domain on your server. In this tutorial we use SSL Diagnostics Kit v1.1, which can be obtained free of charge from Microsoft via the following URL: http://www.microsoft.com/DownLoads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&displaylang=en

1. Given the option to either Run or Save the file, choose Save.

2. For now, let's save the file to the desktop. Click Save again.

3. Once the download is complete, double-click the icon to begin the installation.


4. Click Next on the initial window.

5. Click the option to accept the terms of the License Agreement, and click Next.

6. Enter your desired Name and Company information, and click Next.


7. The next screen will provide options for which type of installation you prefer. You can click Complete to install the Diagnostics.

8. You are now ready to install the diagnostics. Click Install.

9. When the installer confirms it has completed, click Finish.


10. Now, we need to get some information from IIS before we can generate the self-signed certificate. Open IIS by navigating to Start > Administrative Tools > Internet Information Services (IIS) Manager.

11. Once IIS is open, expand the Server Name, then click on the Web Sites folder. This will bring up a list of all web sites on the server in the right-hand pane. You will notice that each site has a unique number assigned to it under the Identifier column. This is the number which we need in order to create the self-signed certificate. As you can see, the Identifier for example.com is 957.

12. Next, we need to open a DOS Prompt. You can do this by navigating to Start > Run, typing CMD, and clicking OK.

13. Once the DOS prompt is open, we will need to navigate to the directory where the SSL Diagnostic Toolkit is located. This directory is C:\Program Files\IIS Resources\SSLDiag. To navigate to this directory, at the DOS prompt, enter the following command:

    cd C:\Program Files\IIS Resources\SSLDiag

The cd command stands for Change Directory. Press Enter once the command is typed in, and the prompt will bring you right to the directory, as seen below.

14. Now, we need to enter the command which will actually create the certificate. The base command to create the certificate is ssldiag /selfssl; however, the command requires certain parameters for the certificate to be successfully created. These parameters are as follows:

• /N: - This specifies the common name of the certificate. The computer name is used if there is no common name specified.

• /K: - This specifies the key length of the certificate. The default length is 1024.

• /V: - This specifies the amount of time the certificate will be valid for, calculated in days. The default setting is seven days.

• /S: - This specifies the Identifier of the site, which we obtained earlier. The default will always be 1, which is the Default Web Site in IIS.

Let's use the following command to create a self-signed certificate for example.com which is valid for two years, using a common name of www.example.com and a key length of 1024:

    ssldiag /selfssl /N:CN=example.com /K:1024 /V:730 /S:957

15. Once you have set the parameters to your preference, enter the command into the DOS prompt, and press Enter. After pressing Enter, the DOS prompt will simply move to the next line.


16. Now, we can check IIS and verify the certificate is now in place. Using the steps outlined above, navigate back to IIS, right-click on the domain, and choose Properties.

17. Inside the Properties window, click on the Directory Security tab.


18. On the Directory Security tab, under the Secure Communications heading, click on the View Certificate button, as it is now enabled.

19. This window confirms the certificate has been successfully installed. Note the Issued By field: typically the issuer would be a known Certification Authority, such as GeoTrust; here, however, the issuer is example.com. This confirms the certificate is self-signed. Click OK to close the window.

20. You can now view the site on the server under a secure heading. Again, please note that as the certificate is self-signed, and does not have a matching Root Certificate from a Certification Authority, attempting to view the site under a secure heading from an external location will cause a certificate error. Self-signed certificates should only be used for testing and development, and under no circumstances should be substituted for a CA-approved SSL Certificate.
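The ssldiag /selfssl options from step 14 can be reviewed before the command is run, since an omitted option silently falls back to the defaults listed there. The following is an added example, not part of the original tutorial or of the SSL Diagnostics Kit; the function names and the 2048-bit threshold are assumptions of this example.

```python
import re

# Defaults as the tutorial lists them for "ssldiag /selfssl".
DEFAULTS = {"K": 1024, "V": 7, "S": 1}
MIN_KEY_BITS = 2048  # assumed review threshold, not a value from the tutorial


def parse_selfssl(command):
    """Return only the /N, /K, /V and /S options that the command sets."""
    given = {}
    for flag, value in re.findall(r"/([NKVS]):(\S+)", command, flags=re.I):
        flag = flag.upper()
        given[flag] = value if flag == "N" else int(value)
    return given


def common_name(n_value):
    """Extract the CN from a /N: value such as 'CN=example.com'."""
    match = re.search(r"CN=([^,;\s]+)", n_value, flags=re.I)
    return match.group(1).lower() if match else None


def review(command, browse_host, site_id):
    """List findings, given the host users browse to and the IIS site Identifier."""
    given = parse_selfssl(command)
    opts = {**DEFAULTS, **given}
    findings = []
    if "N" not in given:
        findings.append("no /N:, the computer name becomes the common name")
    elif common_name(given["N"]) != browse_host.lower():  # exact match only
        findings.append(f"/N:{given['N']} does not match host {browse_host}")
    if opts["K"] < MIN_KEY_BITS:
        findings.append(f"key length {opts['K']} is below {MIN_KEY_BITS} bits")
    if opts["S"] != site_id:
        findings.append(f"certificate is bound to site {opts['S']}, not {site_id}")
    if "V" not in given:
        findings.append("no /V:, certificate expires after seven days")
    return findings


# The command from step 14, reviewed for a site browsed as www.example.com.
TUTORIAL_CMD = "ssldiag /selfssl /N:CN=example.com /K:1024 /V:730 /S:957"

if __name__ == "__main__":
    for finding in review(TUTORIAL_CMD, "www.example.com", 957):
        print("-", finding)
```
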

Part 3 - Access to ASM by HTTPS

Open your browser, for example Internet Explorer, and go to https://<asm servername>/asm. You should get an error page like this:

This is correct since the self-signed certificate is not certified by a Certification Authority, as we said at the beginning of this tutorial. Click on the link with the red icon (“Continuare con il sito Web (scelta non consigliata)” in this sample). The Archive Server for MDaemon login page should appear:

Archive Server for MDaemon is developed and distributed by Achab. MDaemon is an Alt-N Technologies trademark. Copyright © 2004 - Achab S.r.l. – All rights reserved.

Achab S.r.l.
Piazza Cinque Giornate, 4
20129 Milano
Telephone: +39 02 54108204
Fax: +39 02 5461894

For further information about Archive Server for MDaemon, visit the Web pages: http://www.achab.com/asm
For further information about Achab, its products and services, visit the Web site: http://www.achab.com
For sales and marketing related questions, contact Achab at: [email protected]
For technical support requests, contact Achab at: [email protected]