In this tutorial, I will show you how to install an SSL certificate in IIS 8.0. Communicating securely over the web requires encrypting the messages passed back and forth. Encryption on the web is accomplished through the use of Transport Layer Security (TLS). HTTP traffic layered over SSL/TLS is called HTTPS. It would be all too easy to venture down the rabbit hole and explain in great detail how TLS establishes a secure connection, but the crypto minutiae are likely a bit out of scope for the purposes of this discussion. However, a basic understanding of the mechanisms used by TLS to secure the communication channel will make understanding the use of SSL certificates much easier.

TLS uses public key cryptography, which requires the distribution of a public key. This public key is transmitted as part of an SSL certificate, along with other identifying information meant to establish trust that a server is who it is supposed to be (and not a malicious eavesdropper). While it is possible to create self-signed certificates, browsers do not trust these certificates and will give users dire warnings when they are encountered (this would be like me printing my own driver's license and saying "See, I am who I say I am... really!"). For a certificate to be trusted, it must be issued by a trusted Certificate Authority (CA). When a secure connection is made using a trusted certificate, most browsers will display an indicator that the connection is secure. In Chrome, clicking the green lock icon will reveal information regarding the details of the connection:

And this is what a self-signed certificate will get you:

So to fully take advantage of HTTPS you need to have a certificate from a trusted CA (Symantec [GeoTrust, VeriSign], Comodo, GlobalSign, etc). Getting a certificate involves first creating a Certificate Signing Request (CSR). IIS has the capability of creating a CSR, and there are other tools available, including OpenSSL on the Linux command line. This is what it looks like in IIS:

You'll transmit the CSR in one form or another to the CA you are getting your certificate from, and after they've performed whatever level of due diligence, they'll send you your SSL certificate. Once you have the certificate, you'll need to install it on the server hosting your site. For .NET based web applications, that likely means IIS or Azure.

  • Installing SSL Certificate in IIS 8.0

In IIS Manager, under Server Certificates, there is an option for "Complete Certificate Request". Here you'll browse to the *.cer file that contains your certificate, add a friendly name to make management easier (it doesn't change anything in the certificate), and add the certificate to the Personal certificate store. This installs the certificate to the server. To use it in your site, you have to bind it. Navigate to the site settings in IIS, go to Bindings, and add a binding for https using port 443 and the created certificate.
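The binding step above can also be scripted, with a few checks before the certificate goes live. This is an added example, not part of the original tutorial; the site name and the thumbprint placeholder are assumptions, and it expects the certificate request to have already been completed into the Personal store.

```powershell
# Added example: $SiteName and $Thumbprint are assumptions/placeholders.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'     # assumption: name of the IIS site
$Thumbprint = '<CERT_THUMBPRINT>'    # placeholder: thumbprint of the installed certificate

# The "Personal" store chosen in IIS Manager is Cert:\LocalMachine\My.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Certificate $Thumbprint not found in LocalMachine\My."
}

# Without the private key generated alongside the CSR, IIS cannot serve TLS
# with this certificate.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key on this server.'
}

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}

# Verify() builds the chain with the basic validation policy; an untrusted
# self-signed certificate fails here.
if (-not $cert.Verify()) {
    Write-Warning 'Chain does not validate; browsers will warn on this certificate.'
}

# Create the https binding on port 443 if it is missing, then attach the certificate.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Show the resulting https binding(s) for the site.
Get-WebBinding -Name $SiteName -Protocol https
```

Run it from an elevated PowerShell session on the IIS server.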

  • Using Https in the application

The URL Rewrite approach described in the Azure SSL instructions involves adding this rule to the web.config file:

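      <rule name="Force HTTPS" enabled="true">
        <match url="(.*)" ignoreCase="false"/>
        <!-- The rule must be enabled to take effect; it redirects only requests that arrived over plain HTTP -->
        <conditions>
          <add input="{HTTPS}" pattern="off"/>
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                appendQueryString="true" redirectType="Permanent"/>
      </rule>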

In MVC, using the [RequireHttps] attribute gives fine-grained control over what portions of the site will need to use HTTPS:

// [RequireHttps] redirects plain-HTTP GET requests for this action to HTTPS
[RequireHttps]
public ActionResult About()
{
    ViewBag.Message = "Your application description page.";
    return View();
}