Enable SSL/TLS on a Web Server and Client
In this IT Pro Challenges hands-on lab, learners are introduced to the skills required to configure the IIS web server with HTTPS. Exercises in this lab teach concepts such as HTTPS bindings, SSL/TLS, and user certificates. The topics covered in this lab are critical for learners to be effective in system administrator roles in IT.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are security protocols. They are applied so that a network connection is secure and reliable. Web browsers generally use SSL and TLS to protect connections between web applications and web servers.
In this hands-on virtual lab, learners will enable SSL/TLS on a web server and client. First, they will configure the IIS web server to require HTTPS access using client certificates. Next, they will issue a user certificate to a client workstation. Finally, on the client workstation, they will connect to the website by using a web browser that has a trusted certificate to ensure that HTTPS access is functional. The other guided and advanced challenges in this series are "Request a PKI Certificate Manually" and "Can You Secure a Website Using an SSL/TLS Certificate?"
Understand the Scenario
In this virtual lab, you are a system administrator for a company that uses a public key infrastructure (PKI) to secure data systems and digital assets. Your job is to configure a web server to require trusted client PKI certificates before allowing HTTPS connections. To accomplish this task, you will use a virtual machine named DC1-CA that runs Microsoft Windows Server 2016. It is configured as a domain controller for an Active Directory domain named Contoso. A private enterprise root CA named Contoso CA has been created for you. You have a client workstation named Client1 that runs Windows 10 and is joined to the Contoso domain. You will connect to the virtual machine consoles directly in the lab environment.
Configure HTTP binding on a web server
An HTTP binding converts data that is transferred in as a message in local format into a business object in an application. It can also convert data that is transferred out as a business object into the local format expected by the external application. In this first section of the lab, you will learn how to configure HTTP binding on a web server. To do this, you will sign in to DC1-CA as Administrator and, in Internet Information Services (IIS) Manager, add an HTTPS binding for the Default Web Site that uses port 443 and the DC1.contoso.com certificate. Next, you will connect to the secured website https://dc1.contoso.com in the browser and confirm that you added an HTTPS binding that uses SSL and the DC1.contoso.com certificate to the default website. You will also check and confirm that the website is accessible in a web browser using HTTPS.
Configure the website to require client certificates
A client certificate is a kind of digital certificate that client systems use to make authenticated requests to a remote server. Client certificates play a pivotal role in many common authentication patterns, giving strong assurance of a requester's identity. In this section of the lab, you will learn how to configure the website to require client certificates. To do this, in IIS, you will enable the Require SSL option for the website, enable the "Require" option for client certificates, and apply the settings. Finally, you will check and confirm that you have configured the website to require client certificates.
Attempt to connect to the website using HTTPS
HTTPS assures that the website is the genuine site that the client intends to communicate with. HTTPS also protects user data, such as business data and browsing history, and defends against third-party interception. Most browsers support HTTP/2, which gives improvements over regular HTTP. In this section of the lab, you will sign in to Client1 as Administrator and then, in the browser, attempt to connect to the website https://dc1.contoso.com. Finally, you will check and confirm that you received an HTTPS error message when attempting to connect to the website https://dc1.contoso.com.
Acquire a user certificate on Client1
In this section of the virtual lab, you will learn how to acquire a user certificate on the client machine. To do this, on Client1, you will add the Certificates snap-in for the local user to the MMC tool. On the Start menu, enter MMC to launch the tool, and on the File menu, select Add/Remove Snap-in, ensuring that My user account is selected. Next, you will manually acquire a user certificate using the User certificate template and view the newly issued user certificate in the MMC Certificates console. Finally, you will check and confirm that a user certificate has been issued by Contoso CA to the Administrator user.
Connect to the website using HTTPS
After acquiring a user certificate on Client1, in this section of the lab, you will connect to the website using HTTPS. On Client1, in Microsoft Edge, connect to https://dc1.contoso.com, and then, when prompted to confirm the user certificate, select OK. Next, you will check and confirm that you can connect to dc1.contoso.com by using HTTPS.
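The same sequence can be scripted and checked from PowerShell instead of the IIS Manager and MMC consoles. This is an added example, not part of the lab itself; it assumes the names used on this page ("Default Web Site", DC1.contoso.com, https://dc1.contoso.com) and that the User certificate template's short name is `User`.

```powershell
# Added example: scripted equivalent of the lab's GUI steps (not lab material).
# Assumed names: "Default Web Site", DC1.contoso.com, template short name "User".

# --- On DC1-CA (elevated PowerShell) ---
Import-Module WebAdministration
$site = 'Default Web Site'

# Find the unexpired server certificate by subject; stop if zero or several match.
$serverCert = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=DC1.contoso.com*' -and $_.NotAfter -gt (Get-Date) })
if ($serverCert.Count -ne 1) {
    throw "Expected one DC1.contoso.com certificate, found $($serverCert.Count)"
}

# Add the HTTPS binding on port 443 if it is missing, then attach the certificate.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
    (Get-WebBinding -Name $site -Protocol https -Port 443).AddSslCertificate(
        $serverCert[0].Thumbprint, 'My')
}

# "Require SSL" plus client certificates set to "Require" in SSL Settings.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Read the setting back to confirm it was applied.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags

# --- On Client1 (as the signed-in domain user) ---
$uri = 'https://dc1.contoso.com'

# Without a client certificate the request should be refused.
try {
    Invoke-WebRequest -Uri $uri -UseBasicParsing | Out-Null
    'Unexpected: connected without a client certificate'
} catch {
    "Refused as expected: $($_.Exception.Message)"
}

# Enroll a user certificate from the enterprise CA into the current user's store.
$enroll = Get-Certificate -Template 'User' -CertStoreLocation Cert:\CurrentUser\My

# Retry while presenting the new certificate and report the HTTP status code.
(Invoke-WebRequest -Uri $uri -Certificate $enroll.Certificate -UseBasicParsing).StatusCode
```

If the first client request succeeds, the `sslFlags` value did not take effect for the site and the server-side read-back should be checked again.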
Lab Summary Conclusion
After completing the "Enable SSL/TLS on a Web Server and Client" virtual lab, you will have accomplished the following:
- Configured the IIS web server with HTTPS.
- Configured the IIS default website to require client certificates before allowing HTTPS access.
- Tested HTTPS connectivity to the website.