INSTALLING YOUR SSL CERTIFICATE ON THE FILEHOLD SERVER ON WINDOWS 2008 X64 ON IIS 7
Copyright 2011 FileHold Systems Inc. All rights reserved. For further information about this manual or other FileHold Systems products, contact us at Suite 250-4664 Lougheed Highway Burnaby, BC, Canada V5C5T5, via email sales@filehold.com, our website www.filehold.com, or call 604-734-5653. FileHold is a trademark of FileHold Systems. All other products are trademarks or registered trademarks of their respective holders, all rights reserved. Reference to these products is not intended to imply affiliation with or sponsorship of FileHold Systems. Proprietary Notice This document contains confidential and trade secret information, which is proprietary to FileHold Systems, and is protected by laws pertaining to such materials. This document, the information in this document, and all rights thereto are the sole and exclusive property of FileHold Systems, are intended for use by customers and employees of FileHold Systems, and are not to be copied, used, or disclosed to anyone, in whole or in part, without the express written permission of FileHold Systems. For authorization to copy this information, please call FileHold Systems Product Support at 604-734-5653 or email sales@filehold.com.
Ta ble of Contents FileHold TABLE OF CONTENTS 1. CSR GENERATION: MICROSOFT IIS 7.X... 2 2. SSL CERTIFICATE INSTALLATION: MICROSOFT IIS 7.X... 5 3. INSTALLING THE ROOT AND INTERMEDIATE CERTIFICATES... 9 4. SET SITE BINDINGS IN IIS 7 ON DEFAULT WEB SITE FOR THE CERTIFICATE YOU HAVE INSTALLED FROM YOUR SSL PROVIDER... 13 5. ENSURE SSL IS REQUIRED ON THE FILEHOLD APPLICATION... 14 6. CHANGE WEB CONFIGS WITH FHINSTRUMENTATION TOOL... 14 7. TESTING YOUR SSL CERTIFICATE... 17 i May 2011
FileHold Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver 1. CSR GENERATION: MICROSOFT IIS 7.X WARNING: This information is provided purely as a guide and you should always follow the IIS 7 specific guide from your own SSL provider. 1. Click Start and go to Administrative Tools. 2. Start Internet Services Manager. 3. Click Server Name. 4. From the center menu, double-click Server Certificates in the Security section. 5. From the Actions menu, click Create Certificate Request. 2 May 2011
Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver FileHold 6. This will open the Request Certificate wizard. 7. In the Distinguished Name Properties window, enter the information as follows: The Common Name field should be the Fully Qualified Domain Name (FQDN) or the web address for which you plan to use your IIS SSL Certificate. You will need to insure that the common name submitted in the CSR is the correct domain name / FQDN that you intend to use the certificate for. For wildcard SSL certificates the common name should contain at least one asterisks (*) e.g. *.comodo.com,*.instantssl.com,etc May 2011 3
FileHold Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver Enter Organization and Organization Unit. These are your company name and department respectively. Enter your City/locality, State/province and Country/region. 8. Click Next. 9. In the Cryptographic Service Provider Properties window, leave both settings at their defaults (Microsoft RSA SChannel and 1024) and then click Next. 10. Enter a filename and location to save your CSR. You will need this CSR to enroll for your IIS SSL Certificate. 11. Click Finish. Your new CSR is now contained within the file c:\certreq.txt. 4 May 2011
Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver FileHold 12. When you make your application, make sure you include the CSR in its entirety into the appropriate section of the enrollment form - including -----BEGIN CERTIFICATE REQUEST-----to-----END CERTIFICATE REQUEST----- 13. Click Next. 14. Confirm your details in the enrollment form and click Finish. TO SAVE YOUR PRIVATE KEY 1. Go to Certificates snap-in in the MMC. 2. Select Requests. 3. Select All tasks. 4. Select Export. 2. SSL CERTIFICATE INSTALLATION: MICROSOFT IIS 7.X 1. Click Start and select Administrative Tools. 2. Start Internet Services Manager. 3. Click Server Name. 4. From the center menu, double-click the Server Certificates button in the Security section. 5. From the Actions menu, click Complete Certificate Request. May 2011 5
FileHold Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver 6. This will open the Complete Certificate Request wizard. 7. Enter the location of your IIS SSL certificate (you will need to browse to locate your IIS SSL certificate this file will be the certificate sent to you in a zip file and should be named yourdomainname.crt ).Then enter a Friendly name. The friendly name is not part of the certificate itself, but is used by the server administrator to easily distinguish the certificate. Click OK. NOTE: There is a known issue in IIS 7 giving the following error Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created. You may also receive a message stating ASN1 bad tag value met. If this is the same server that you generated the CSR on then, in most cases, the 6 May 2011
Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver FileHold certificate is actually installed. Simply cancel the dialog and press F5 to refresh the list of server certificates. If the new certificate is now in the list, you can continue with the next step. If it is not in the list, you will need to reissue your certificate using a new CSR and replace this Certificate. Please use the instructions provided from your SSL provider for this task. 8. After the certificate has been successfully installed to the server, you will need to assign that certificate to the appropriate website using IIS. 9. From the Connections menu in the main Internet Information Services (IIS) Manager window, select the name of the server to which the certificate was installed. 10. Under Sites, select the site to be secured with SSL. 11. From the Actions menu), click on Bindings. 12. This will open the Site Bindings window. 13. In the Site Bindings window, click Add. This will open the Add Site Binding window. May 2011 7
FileHold Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver 14. Under Type, select https. The IP address should be the IP address of the site or All Unassigned, and the port over which traffic will be secured by SSL is usually 443. The SSL Certificate field should specify the certificate that was installed previously. 15. Click OK. You now have an IIS SSL server certificate installed. 16. IMPORTANT!: You must now restart the IIS / the website to complete the install of the certificate 17. Once you have completed the above steps you will need to install the Root and Intermediate certificates manually. For installation instructions on how to manually install the other Root and Intermediate Certificates that are sent with your web server that you have been sent PLEASE read the next page 8 May 2011
Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver FileHold 3. INSTALLING THE ROOT AND INTERMEDIATE CERTIFICATES 1. Please use the SSL certificates you have purchased from your certificate authority that provides sells SSL certificates. 2. Save these Certificates to the desktop of the web server machine. 3. Click Start, select Run, type mmc and click OK. 4. Click File and select Add/Remove Snap in. 5. Select Add. May 2011 9
FileHold Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver 6. Select Certificates from the Add Standalone Snap-in window and click Add. 7. Select Computer Account and click Next. WARNING: This step is very important. It must be the computer account and no other account. 10 May 2011
Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver FileHold 8. Select Local Computer and select Finish. 9. Close the Add Standalone Snap-in window and click OK. 10. Return to the MMC TO INSTALL THE YOUR ROOT CERTIFICATE 1. Right click the Trusted Root Certification Authorities, select All Tasks, and select Import. May 2011 11
FileHold Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver 2. The Certificate Import Wizard opens. Click Next. 3. Locate the Root Certificate and click Next. 12 May 2011
Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver FileHold 4. When the wizard is completed, click Finish. TO INSTALL THE INTERMEDIATE CERTIFICATE/CERTIFICATES 1. Right click the Intermediate Certification Authorities, select All Tasks, select Import. 2. Complete the Certificate Import Wizard again, but this time locating the intermediate Certificate when prompted for the Certificate file. NOTE: You will need to repeat this step for all the intermediate certificates that are sent to you. 3. Ensure that the Root certificate appears under Trusted Root Certification Authorities. 4. Ensure that the intermediate certificate / certificates appear under Intermediate Certification Authorities. 5. Once these are installed you may need to restart the server. 4. SET SITE BINDINGS IN IIS 7 ON DEFAULT WEB SITE FOR THE CERTIFICATE YOU HAVE INSTALLED FROM YOUR SSL PROVIDER 1. Click on Default Web Site in IIS 7 Administration application. May 2011 13
FileHold Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver 2. Click Bindings and then edit the bindings as needed. You can remove the port 80 HTTP binding if you wish. We recommend this. 5. ENSURE SSL IS REQUIRED ON THE FILEHOLD APPLICATION 6. CHANGE WEB CONFIGS WITH FHINSTRUMENTATION TOOL 1. Launch the FHInstrumentation tool located at: Program Files\FileHold Systems\Application Server\FH\FileHold\FHinstrumentation 2. Right-click and Run as Server or domain administrator account and remove the check mark to run with restricted permissions. Do this at all times when running this tool. 14 May 2011
Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver FileHold 3. Select Change port, server name or protocol wizard and click Start. 4. Browse to find the Application Server Folder and then click Next. This locates the config files so the FHInstrumentation utility can change them. 5. Select Change Protocol check box and click Next. May 2011 15
FileHold Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver 6. The tool will update all web.config files from http to https and will save about 15 minutes of work with Notepad or Notepad ++. 7. Click Update to finish the procedure. 8. The task will finish successfully if the account you are using to run this tool has the appropriate server administrator permissions. 16 May 2011
Installing Your S SL Ce rti f icat e on the Fil ehold Ser ver FileHold 9. Click Finish. 10. Restart World Wide Web Service in Services.msc control panel or go to control panel and select services and restart it there. 7. TESTING YOUR SSL CERTIFICATE 1. Change all Web Client short cuts to HTTPS and FDA connection URL s to HTTPS and try to login. 2. Testing with Web Client: Do a test of search, adding a document, checking out a document, checking in a document, launching and completing a workflow (if you use this optional module). 3. Testing with Desktop Client: Repeat the same test. Do a test of search, adding a document, checking out a document, checking in a document, launching and completing a workflow (if you use this optional module) May 2011 17