SSLMate and IIS – a love story

I am a part-owner in a company based in South Africa. Our headline act, if you will, is a website that customers log into to manage certain aspects of their business.

This website needs to be secure for obvious reasons. The most basic requirement for a secure website is an SSL certificate (Secure Sockets Layer), or more accurately, TLS (Transport Layer Security). This is the padlock in the address bar of your browser, next to the https: the s means secure.

If you feel like exploding your brain, check the Wikipedia article about TLS and SSL.

For a number of reasons, which Troy Hunt is vastly more qualified to explain to you, we have to ensure that only the most recent browsers are supported by our website and its SSL/TLS certificate.

Older software was not designed with security in mind. The early Internet was about sharing information as easily as possible. Only with Microsoft’s security drive in the early 2000s did we start to see software becoming secure by default. Most recently, news about POODLE and Heartbleed means that even SSL isn’t secure anymore. That is why we have to focus on TLS instead.

It is therefore imperative that we at my company inconvenience users of older software in the best interest of keeping our website as secure as we can. Our SLA (Service Level Agreement) states a minimum version for operating system and web browser.

To this end, I will talk about my new favourite SSL/TLS certificate provider, SSLMate. They allow you to order and renew SSL/TLS certificates from the command line. Even better, unlike most other providers, they tell you when an SSL/TLS certificate is about to expire and renew it for you. I cannot even begin to tell you how convenient this is.

Last year I was travelling out of the country when one of my websites’ certificates expired. The issuer did not warn me (their position is that it’s not their responsibility, and I have to take blame). But, as evidenced by Apple, and Microsoft, and Google, we ALL make this mistake.

SSLmate takes the hassle out of remembering. I of course have created a new workflow to remind me a month before each of my certificates expires, but now that they are all managed by SSLmate, I know they have my back as well.

This all sounds great. I open up a command line prompt and type:

computer~$ sslmate buy example.com

That’s it. After an exchange of email to the appropriate approved address and a confirmation link, I can download four files:

  • example.com.chained.crt — Domain and Intermediate Certificate
  • example.com.chain.crt — Intermediate Certificate
  • example.com.crt — Domain Certificate
  • example.com.key — Private Key

Now comes the tricky part. Internet Information Server, or IIS, needs to import a PFX file. PFX stands for Personal Information Exchange Format and is also known as PKCS #12.

None of these files from SSLMate is in the right format. In fact, if you try importing one of the *.crt files, it will vanish from inside IIS. It needs to be signed by the Private Key.

Confused yet?

On my Mac (or on Windows), I need to use OpenSSL to sign the certificate with the private key, to generate a PFX file that I can import into IIS.

computer~$ openssl pkcs12 -export -out iis_cert.pfx -inkey example.com.key -in example.com.crt -certfile example.com.chain.crt

The output will be iis_cert.pfx, which I can then import into IIS and bind to the website I want to secure. In this example, there are two input files because SSLMate uses intermediate certificates in the chain.

Next time, I will tell you about an easy way to make sure IIS is the most secure it can be.