Install SSL Certificates
Cartegraph recommends placing SSL certificates on both the Web and Application servers. Use a wildcard SSL certificate, because it secures your website URL and an unlimited number of its subdomains. For more information, see http://support.godaddy.com/help/article/567/what-is-a-wildcard-ssl-certificate.
Before you purchase a certificate, generate a Certificate Signing Request (CSR) from the server. Repeat this on every server that needs its own certificate. See Go Daddy’s instructions on how to generate the CSR from IIS 8:
https://www.godaddy.com/help/generating-a-certificate-signing-request-microsoft-iis-8-4950
Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048-bit or greater RSA key or a 256-bit or greater Elliptic-Curve (ECC) key. These are the accepted cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Cartegraph recommends purchasing certificates from Go Daddy, Digicert, Trustwave, Geotrust, or a similar vendor.
- Open Internet Information Services (IIS) Manager.
- Click the Server Name.
- From the center menu and the IIS section, click Server Certificates.
- From the Actions menu on the right, click Complete Certificate Request.
- For the File name containing the certificate authority's response, browse to your certificate (.crt, .cer) file on your computer.
- In the Friendly name field, enter a unique name to identify the SSL certificate. For wildcard SSL certificates, make sure the friendly name matches the common name, in the form *.<sitename> (for example, *.contoso.com).
- From the Select a certificate store for the new certificate field, select Personal.
- In the Connections panel on the left, select the name of the server where you installed the certificate.
- Expand Sites and select the site you want to secure with the SSL certificate.
- In the Actions panel on the right, click Bindings, and click Add.
- Set the Bindings properties:
  - Set Type to https.
  - Set IP address to All Unassigned, or select the IP address of the site.
  - Set Port to 443.
  - Set Host name to the wildcard name, in the form *.<sitename> (for example, *.contoso.com).
  - Set SSL certificate to the one you just installed.
- Restart IIS.
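To confirm that the certificates installed in the Personal store meet the signature and key requirements listed above, the following PowerShell can be run on each server. It is an added example, not Cartegraph's own tooling; the function name Test-CertRequirement is hypothetical, and it assumes .NET Framework 4.6.1 or later.

```powershell
# Added example (not Cartegraph tooling). Test-CertRequirement is a hypothetical name.
# Assumes .NET Framework 4.6.1+ for the RSA/ECDsa certificate extension classes.
function Test-CertRequirement {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $issues = @()

    # Signature hash must be SHA256 or better. Friendly names look like
    # sha256RSA or sha384ECDSA; anything else (sha1RSA, md5RSA, or a name
    # that hides the hash, such as RSASSA-PSS) is flagged for manual review.
    $sig = $Cert.SignatureAlgorithm.FriendlyName
    if ($sig -notmatch '^sha(256|384|512)') {
        $issues += "signature algorithm '$sig' is not clearly SHA256 or better"
    }

    # Key must be RSA >= 2048 bits or ECC >= 256 bits.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $ecc = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert)
    if ($rsa) {
        $key = "RSA $($rsa.KeySize)"
        if ($rsa.KeySize -lt 2048) { $issues += 'RSA key is smaller than 2048 bits' }
    } elseif ($ecc) {
        $key = "ECC $($ecc.KeySize)"
        if ($ecc.KeySize -lt 256) { $issues += 'ECC key is smaller than 256 bits' }
    } else {
        $key = 'unknown'
        $issues += 'public key is neither RSA nor ECDSA'
    }

    # IIS can only bind a certificate whose private key is on this server.
    if (-not $Cert.HasPrivateKey) { $issues += 'no private key on this server' }

    # For wildcard certificates the friendly name should match the common name.
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn.StartsWith('*.') -and $Cert.FriendlyName -ne $cn) {
        $issues += "friendly name '$($Cert.FriendlyName)' does not match common name '$cn'"
    }

    [pscustomobject]@{
        Subject    = $cn
        Thumbprint = $Cert.Thumbprint
        Signature  = $sig
        Key        = $key
        Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}

# Audit every certificate in the Local Computer "Personal" store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-CertRequirement -Cert $_ } | Format-List
```

A certificate that reports "no private key on this server" was usually completed on a different server than the one that generated its CSR.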