Creating and Managing Server Key Pairs

You can use Key Manager to create, import, and export Secure Sockets Layer (SSL) encryption key pairs on your Web server. An SSL key pair lets remote users uniquely identify, or authenticate, your Web site. When you create a key pair for your server, you must attach it to a server certificate before it can be used. Use Key Manager to request and install server certificates, and also to create a key pair on your Web server and transfer it to a remote server. Only one certificate can be assigned to a domain name, and only one key pair can be assigned to a certificate. However, a key pair can be shared across multiple IP addresses that serve the same domain name, which is useful for sharing one key pair over a Web farm.

Note   You can open Key Manager in either of two ways. After you select a site, directory, or file, either click the Key Manager icon on the toolbar, or open the item's property sheet, click the Directory Security or File Security tab, click Edit under Secure Communications, and then click Key Manager in the Secure Communications dialog box.

To create a server key pair
  1. In Internet Service Manager, click the Key Manager icon.
  2. On the Key menu, select Create New Key and follow the instructions.

Note   Key Manager combines the creation of a key pair with the generation of a server certificate request. For more information, see Obtaining a Server Certificate.


To create a key pair for a remote Web server
  1. In Internet Service Manager, click the Key Manager icon.
  2. On the Computers menu, select Connect to Computer.
  3. In the Browse for Computer list box, browse to and select the name of the remote Web server, then click OK.
  4. Follow the previous procedure to create a key pair.
  5. After you create a key pair, you will need to obtain a valid server certificate from a certificate authority. See Obtaining a Server Certificate.

Caution   Generate key pairs for remote servers only over a secure or trusted network. Transmitting your key pair file over an unsecured network, such as the Internet, can seriously compromise the integrity of your Web site's identification: anyone who captures the private key can impersonate the site. Protecting the private key portion of your key pair is critical for maintaining secure SSL communications. To avoid transmitting a key pair over an unsecured network, do one of the following:

You can enable your key pair by binding it with a valid certificate that you have installed on your Web server. When you receive a valid certificate from the certificate authority, you can copy and save the certificate text to a file. You can then use Key Manager to install the certificate on your Web server.

To install a certificate
  1. Save the text of the certificate that you received from the certificate authority as a standard (ASCII) text file. Use a .txt file name extension.

  Note   Consult the specific instructions sent by the certificate authority that issued the certificate.

  2. In Internet Service Manager, click the Key Manager icon.
  3. In the Key Manager window, select the key for which you want to install the certificate.
  4. On the Key menu, select Install Key Certificate.
  5. In the Open dialog box, select the certificate text file, then click Open.
  6. In the Password text box, enter the password you chose when you created the key pair, then click OK. The certificate text from the certificate authority is not itself password-protected; the password is the one that protects the key pair on the server.
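The two procedures above, creating a key pair together with its certificate request and then installing the certificate the authority returns against that same key, as an added Go example. It is not part of the original page and not Microsoft's Key Manager code. It stands in for the certificate authority with a throwaway signing key so that it runs offline; the site name www.example.com is a constructed input, and the RSA key type, the 2048-bit size and the one-year validity are assumptions the page does not state. What it adds is the check a practitioner wants before Install Key Certificate: that the certificate text actually carries this key pair's public key, names the site, and is valid now (a wrong file or the wrong key selected in Key Manager fails all of these). It also shows that the private key never has to leave the server: only the request text goes out and only the certificate text comes back, which is the point of the caution above about unsecured networks.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const siteName = "www.example.com" // constructed input, an assumption, not from the page

// NewServerKeyPair does what Key Manager's "Create New Key" does: it generates a key
// pair and, in the same step, a PEM certificate request for the site. The private key
// stays in this process; only the request text goes to the certificate authority.
func NewServerKeyPair(site string, bits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: site}, DNSNames: []string{site}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// IssueFromCA stands in for the certificate authority so the example runs offline:
// it signs the request with a throwaway CA key. A real CA performs this step.
func IssueFromCA(csrPEM []byte) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proves the requester holds the private key
		return nil, err
	}
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway CA key, never persisted
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CheckCertificateForKey is the check to run before "Install Key Certificate": the saved
// text parses as a certificate, its public key is the one from this key pair, it names
// the site, and it is valid now. Any failure means the wrong file or the wrong key.
func CheckCertificateForKey(certPEM []byte, key *rsa.PrivateKey, site string, now time.Time) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("file is not a PEM certificate; save the CA's text as a plain ASCII file")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("certificate public key does not belong to this key pair")
	}
	if err := cert.VerifyHostname(site); err != nil {
		return fmt.Errorf("certificate does not name %s: %w", site, err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is not valid at this time")
	}
	return nil
}

func main() {
	key, csrPEM, err := NewServerKeyPair(siteName, 2048)
	if err != nil {
		panic(err)
	}
	certPEM, err := IssueFromCA(csrPEM) // in practice the request text is sent to the CA
	if err != nil {
		panic(err)
	}
	fmt.Println("issued certificate against its own key pair:", CheckCertificateForKey(certPEM, key, siteName, time.Now()))
	other, _, _ := NewServerKeyPair(siteName, 2048) // a different key pair must be rejected
	fmt.Println("same certificate against another key pair:", CheckCertificateForKey(certPEM, other, siteName, time.Now()))
}
```

The first check prints a nil error and the second prints the key-mismatch error. The same mismatch check is what makes the "one key pair per certificate" rule above concrete: a certificate is bound to exactly the public key it was issued for, so a key pair generated on another machine, even for the same domain name, cannot use it.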


To add or edit an IP assignment to a key
  1. In Internet Service Manager, click the Key Manager icon.
  2. In the Key Manager window, select the key which you wish to configure.
  3. On the Key menu, select Properties.
  4. In the Server Bindings dialog box, either click Add or select an IP binding and click Edit.
  5. In the Edit Bindings dialog box, enter an IP address. You can also browse for an IP address that is already bound by clicking the ellipsis (. . .) button to the right of the IP Address text box and selecting an address from the Choose Server IP Address list. If you do not assign an IP address, the key is used for any IP address that has no key of its own.
  6. Either type a port number or choose one from the list. If you do not assign a port number, the key is used for any port that has no key of its own.

© 1997 by Microsoft Corporation. All rights reserved.