Security is an increasingly important concern for every enterprise, and it matters for any application running on a web server, particularly when that server is in the cloud or accessible on the public internet. The most common way to secure websites like DEVOS is to install a Secure Sockets Layer (SSL) certificate. This ensures that all communication between the web server and the user is encrypted and enables the use of “https://” as opposed to the unsecured “http://” in browsers. HTTPS is required for any embed code hosted on a website that is itself served over HTTPS, and it is mandatory for Discover Video webcam recording and videoconferencing.
This guide will explain the process of installing an SSL certificate on a DEVOS server.
The first thing you need to install an SSL certificate is the certificate itself. A Certificate Authority (CA) must issue this based on a Certificate Signing Request (CSR) that you generate from your server. The certificate issued by the CA is attached to your domain either as a subdomain certificate (e.g. subdomain.domain.com) or a wildcard certificate (e.g. *.domain.com). You can use a wildcard certificate on multiple servers as long as they are all on the same domain, and you may already have one for your organization that you can use. A subdomain certificate is only good on the server assigned to that subdomain.
All DEVOS servers use Microsoft IIS to serve the DEVOS website. Which version of IIS you have depends on the version of the Windows Server operating system, but the process to generate a CSR is the same for IIS 7, 8, and 10.
To generate a CSR, open IIS and select the server from the Connections menu and then select Server Certificates.
Select Create Certificate Request from the Actions section on the right.
Enter the CSR details as follows:
Common name: Must be a fully-qualified domain name (FQDN) like “domain.com”. If you are requesting a wildcard certificate, enter *.domain.com.
Organization: Your organization’s legal name. If you do not have a company or organization, you can put another name or N/A here.
Organizational unit: Your department within your organization. If you do not have an organization, put N/A.
City/locality: Your city.
State/province: Your state or region. This information must not be abbreviated; for example, you must use “Florida” instead of “FL”.
Country: Your country (select from drop-down list).
On the Cryptographic Service Provider Properties page (only IIS 8 and 10), select the following options from the drop-down menus:
Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
Bit length: 2048
Once the CSR is created, save the file and submit it to your Certificate Authority to issue the certificate.
Once you receive your SSL certificate from your Certificate Authority, go to the Server Certificates section in IIS as you did when generating the CSR. Instead of clicking Create Certificate Request, click Complete Certificate Request.
On the Specify Certificate Authority Response page, browse to your certificate file and select it. Enter a friendly name (e.g. domainname.com). On IIS 8, select “Personal” as the certificate store. On IIS 10, select “Web Hosting” as the certificate store. (IIS 7 does not include this field.) Finally, click OK to import your certificate.
Once the certificate is imported, bind the certificate to your website by clicking Bindings under Edit Site for your Default Web Site in IIS.
Under Site Bindings, click Add and enter the following information:
IP Address – Select “All unassigned.” If you have multiple IP addresses, select the one that applies.
Port – Enter “443” unless you are listening to SSL traffic on another port (e.g. 992).
SSL Certificates – Select the “friendly name” of the SSL certificate you just installed. You can always click “View” to confirm the certificate’s validity details.
By default, after installing your SSL certificate, your site will be accessible via both http:// and https:// addresses. To prevent users from accessing the site unencrypted via http://, you must set up a URL Rewrite rule that forces all http:// traffic to https://. Typically, the URL Rewrite module for IIS is not installed on Windows Servers, so if you do not see it in IIS, you will need to install it. The steps below assume this.
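<rules>
  <rule name="Redirect to https" enabled="true" stopProcessing="true">
    <!-- Apply to every requested URL path -->
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
      <!-- Only when the request arrived without SSL -->
      <add input="{HTTPS}" pattern="off" />
      <!-- Leave requests addressed to localhost on http -->
      <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
    </conditions>
    <!-- Send the browser to the same host and path over https -->
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
  </rule>
</rules>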
The entire section including the one above it should now look like the image below:
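To see which requests the rewrite rule above actually redirects, the following Python code models how URL Rewrite evaluates it. This is an added example, not part of the original guide or of DEVOS. The hostnames and paths are constructed, and the model is an assumption-limited simplification: it handles only the features this rule uses (MatchAll conditions on {HTTPS} and {HTTP_HOST}) and ignores query strings.

```python
import re
import xml.etree.ElementTree as ET

# The rule from this guide, embedded so the example runs offline.
RULES_XML = """
<rules>
  <rule name="Redirect to https" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
      <add input="{HTTPS}" pattern="off" />
      <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
  </rule>
</rules>
"""

def evaluate(scheme, host, path, rules_xml=RULES_XML):
    """Return the redirect target the rule would issue, or None if the
    request is served unchanged (hypothetical helper, simplified model)."""
    server_vars = {"HTTPS": "on" if scheme == "https" else "off",
                   "HTTP_HOST": host}
    # URL Rewrite matches the path without its leading slash.
    rel_path = path[1:] if path.startswith("/") else path
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule.get("enabled", "true") != "true":
            continue
        m = re.search(rule.find("match").get("url"), rel_path, re.I)
        if not m:
            continue
        ok = True
        for cond in rule.iter("add"):
            value = server_vars[cond.get("input").strip("{}")]
            # Patterns are unanchored, case-insensitive regular expressions.
            hit = re.search(cond.get("pattern"), value, re.I) is not None
            if cond.get("negate") == "true":
                hit = not hit
            ok = ok and hit
        action = rule.find("action")
        if ok and action.get("type") == "Redirect":
            url = action.get("url").replace("{HTTP_HOST}", host)
            return re.sub(r"\{R:(\d+)\}", lambda r: m.group(int(r.group(1))), url)
    return None

if __name__ == "__main__":
    for req in [("http", "devos.example.com", "/watch/video1"),  # constructed
                ("https", "devos.example.com", "/watch/video1"),
                ("http", "localhost", "/admin"),
                ("http", "mylocalhost.example.com", "/")]:
        print(req, "->", evaluate(*req))
```

Because the `localhost` pattern is unanchored, the last sample shows that any Host value containing that string is also left on http, not only `localhost` itself.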