Creating and Managing Server Key Pairs

You can use Key Manager to create, import, and export Secure Sockets Layer (SSL) encryption key pairs, which enable your server to negotiate a secure link with a user's browser. When you create a unique key pair for your server, you must attach the key pair to your server certificate.

You can also use Key Manager to request and install server certificates, and to create a key pair for a remote server. Only one server certificate can be assigned to a domain name, and only one key pair can be assigned to a server certificate. However, a key pair can be shared over multiple IP addresses with the same domain name, as in the case of a Web server farm.

Important   You should regard the SSL key pair as you would the keys to your house: you do not want to lose your keys, nor do you want others to have access to them. Likewise, it is important to safeguard the key pair; always back up the key pair onto a disk and keep the disk in a secure place. A backup copy is especially important because upgrading or reinstalling Internet Information Server may delete your server certificates and related key pairs.

Note   You can access Key Manager in either of two ways. After you select a site, directory, or file, you can click the Key Manager icon in the toolbar. Alternatively, you can open its properties sheet, choose the Directory Security or File Security tab, click the Edit button under Secure Communications, and then click the Key Manager button in the Secure Communications dialog box.

To create a server key pair
  1. In Internet Service Manager, click the Key Manager icon.
  2. On the Key menu, select Create New Key and follow the instructions.

Note   Key Manager combines the creation of a key pair with the generation of a server certificate request. You can automatically send the request to an online certificate authority if you have received an application plug-in from the authority that is compatible with Microsoft® Certificate Server 1.0. For a list of certificate authorities supporting Internet Information Server, see Obtaining a Server Certificate.

To back up a key
  1. In Key Manager, select the key you want to back up.
  2. On the Key menu, select Export Key and then Backup File.
  3. When a dialog box prompts you, click OK.
  4. Use the Save As dialog box to navigate to where you want to back up the key, such as the floppy drive.
  5. Enter a name for the backup file in the File name dialog box. Give the file a .txt extension. Click OK. The backup copy will have the same password as the original key.

To create a key pair for a remote Web server
  1. In Internet Service Manager, click the Key Manager icon.
  2. On the Computers menu, select Connect to Computer.
  3. In the Browse for Computer list box, browse to and select the name of the remote Web server, then click OK.
  4. Follow the previous procedure to create a key pair.
  5. After you create a key pair, you will need to obtain a valid server certificate from a certificate authority. See Obtaining a Server Certificate.

Caution   Remote key pair generation should only be done over a secure or trusted network. You can seriously jeopardize the integrity of your Web site's identification by transmitting your key pair file over an unsecured network, such as the Internet. Protection of the private key portion of your key pair is critical for maintaining secure SSL communications. To avoid transmitting a key pair over an unsecured network, do either of the following:

You can enable your key pair by binding it with a valid certificate that you have installed on your Web server. When you receive a valid certificate from the certificate authority, you can copy and save the certificate text to a file. You can then use Key Manager to install the certificate on your Web server.

To install a certificate
  1. Save the text of the certificate file that you received from the certificate authority as a standard (ASCII) text file. Use a .txt file name extension.

     Note   Consult specific instructions sent by the certificate authority that issued the certificate.

  2. In Internet Service Manager, click the Key Manager icon.
  3. In the Key Manager window, select the key for which you wish to install a certificate.
  4. On the Key menu, select Install Key Certificate.
  5. In the Open dialog box, select the certificate text file. Click Open.
  6. In the Password text box, enter the certificate file password, then click OK.

To add or edit a key pair IP assignment
  1. In Internet Service Manager, click the Key Manager icon.
  2. In the Key Manager window, select the key which you wish to configure.
  3. On the Key menu, select Properties.
  4. In the Server Bindings dialog box, either click Add or select an IP binding and click Edit.
  5. In the Edit Bindings dialog box, enter an IP address. You can also browse for an IP address that already is bound by using the ellipsis (. . .) button to the right of the IP Address text box, and selecting an address from the Choose Server IP Address item list. If you do not assign an IP address, any unassigned IP address will be used.
  6. Under Port Number, click Any Unassigned Port to have your Web server assign the key pair an unused port number, or click Port Number to type in a value.

     Note   Use the following guidelines when assigning IP addresses, Web sites, and SSL ports to your server certificates:


© 1997 by Microsoft Corporation. All rights reserved.