To activate your Web server's Secure Sockets Layer (SSL) security features, you must obtain and install a valid server certificate. Server certificates are digital identifications containing information about your Web server and the organization sponsoring the server's Web content. Functioning in the same way as conventional forms of identification, such as a passport or driver's license, a server certificate enables users to authenticate your server, check the validity of Web content, and establish a secure connection.
The success of a server certificate as a means of identification depends on whether the user trusts the validity of information contained in the certificate. For example, a user logging on to your company's Web site might be hesitant to provide credit card information, despite having viewed the contents of your company's server certificate. This may be especially true if your company is new and not well known. For this reason, certificates are sometimes issued and endorsed by a mutually trusted, third-party organization, called a certificate authority. The certificate authority's primary responsibility is confirming the identity of those seeking a certificate, thus ensuring the validity of the identification information contained in the certificate.
Alternatively, depending on your organization's relationship with its Web site users, you can issue your own server certificates. For example, in the case of a large corporate intranet handling employee payroll and benefits information, corporate management may decide to maintain a certificate server, and assume responsibility for validating identification information and issuing server certificates.
To issue your own server certificate
- Use Microsoft Certificate Server 1.0 (included with Microsoft Windows NT 4.0 Option Pack) to create a customizable service for issuing and managing certificates. You can create server certificates for the Internet or for corporate intranets, giving your organization complete control over certificate management policies. Consider the following issues when deciding whether to issue your own server certificates:
  - With Certificate Server your organization can fine-tune its certificate issuance policy to match overall security policies. Certificate Server accommodates different certificate formats and enables you to perform auditing or logging of information.
  - Compare the cost of issuing your own certificates against buying a certificate from a certificate authority. Determine whether there is a "break even" point based on the volume of certificates at which it becomes more attractive to issue your own certificates.
  - Your organization may require an initial adjustment period to learn, implement, and integrate Certificate Server with existing security systems and policies.

  For more information, see Microsoft Certificate Server.
- Use Key Manager to create a server key pair and install your server certificate. For more information, see Creating and Managing Server Key Pairs.
To obtain a server certificate from a certificate authority
- Find a certificate authority offering services that meet your business needs and then request a server certificate. The following certificate authorities offer certificate issuing services for Internet Information Server:
  For the latest list of certificate authorities supporting Internet Information Server, visit the Microsoft Security Web site at http://www.microsoft.com/security/.

  Consider the following issues when choosing a certificate authority:
  - Is the certificate authority a trusted entity operating a certification practice that can both meet your needs and operate efficiently in your region? Users and other server administrators should immediately recognize your certificate authority as a reputable, trustworthy organization. If you choose an authority with a questionable reputation, you run the risk of having users reject your server certificate.
  - Is the certificate authority familiar with your organization or company's business interests? Look for a certificate authority from whom you can leverage technical, legal, and business expertise.
  - What type of information will the authority require from you in order to verify your identity? Most certificate authorities will require detailed information, such as your identity, your organization's identity, and your official authority to administer the Web server for which you are requesting a certificate. Depending on the level of identification assurance required, a certificate authority may require additional information, such as professional affiliations or financial information, and the endorsement of this information by a notary.
  - Does the authority have a system for receiving online certificate requests, such as requests generated by Key Manager? An online system can speed up processing of your certificate requests.
  - With a certificate authority you have less flexibility in certificate issuance and management. Some certificate authority services and products may not integrate with your existing security model and directory services.
  - Substantial costs can be associated with obtaining a server certificate, especially if you need a high degree of identification assurance.
- When you obtain the certificate, refer to installation instructions provided by the certificate authority that apply to Windows NT and Internet Information Server.
- Use Key Manager to create a server key pair and to request or install your certificate. For more instructions, see Creating and Managing Server Key Pairs.
© 1997 by Microsoft Corporation. All rights reserved.