
iis security : certificates


Jordan
11/28/2004 2:49:44 PM
Hello,

Question, what is the TRUE purpose of having a
certificate for a website? just to prove the
authenticity? saying this is the REAL site?

Regards,
Jordan
Jordan
11/28/2004 3:17:23 PM
Thanks for the reply, where can I find more information
regarding how to set this up on some of my websites?

Regards,
Jordan

Miha Pihler
11/29/2004 12:06:11 AM
Hi Jordan,

There are usually at least two reasons. One is what you described -- server
authentication. E.g. I really want to know that I am talking to Microsoft
server when I am downloading patches; or I really want to know that I am
talking to my on-line bank server when I am entering data to access my
account information.

The other purpose is to encrypt the data that is exchanged between the
server and the client. I don't want people to listen in on my conversation
when I am sending information from my computer to bank server -- or when
bank server replies with information.

There are also client side certificates. They are used to authenticate users
to web server. This way server knows who it is talking to (since I am the
only one who is supposed to have the private keys).

I hope this helps,

Mike


Miha Pihler
11/29/2004 12:42:52 AM
Hi,

Here is some general information that may help.

How To Set Up an HTTPS Service in IIS
http://support.microsoft.com/?kbid=324069

How To Set Up SSL Using IIS 5.0 and Certificate Server 2.0
http://support.microsoft.com/kb/299525

Setup process depends on:
* version of operating system where IIS is running (Windows 2000, Windows
XP, Windows 2003 Server)
* origin of certificate (will you buy certificate from 3rd party CA
companies (e.g. Verisign, Thawte, ...) or will you issue your own
certificates)

You can issue your own certificates in two ways:
* you can use SelfSSL tool from IIS 6 resource kit (it works on Windows 2003
server and Windows XP)
* you can set up your own CA server

IIS 6.0 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

The problem with your own certificates is that users outside your company
will not be able to recognize them by default like they would recognize e.g.
Verisign certificates. E.g. I have Verisign Root Certificate in my Trusted
Root Store. Therefore I trust any certificate issued by this CA. Since I
don't have your certificate in my trusted root store I would get a warning
that site that I am trying to access is not trusted. I would have an option
to choose whether I want to continue...
http://freeweb.siol.net/mpihler/nottrusted.jpg

Own CA servers are usually used for internal use while 3rd party CA servers
are used when e.g. doing business on-line with large number of people...

Here is additional information about Microsoft CA service

New features:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Certificate templates -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Certificate Autoenrollment in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Key archival -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
CRLS: http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Feel free to post back with any additional questions...

I hope this helps,

Mike
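
The trusted-root behaviour described in the post above, as an added example that is not part of the original thread: a self-issued certificate fails verification until the client places it in its own root store. It assumes the OpenSSL command-line tool rather than the Windows certificate store; the host name, CA name and file names are constructed.

```shell
#!/usr/bin/env bash
# Added illustration (constructed names and paths, OpenSSL standing in for
# the Windows certificate store): a self-issued certificate is rejected by a
# client until that client adds it to its trusted root store.

# make_self_signed DIR NAME CN: create DIR/NAME.key and DIR/NAME.crt.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# is_trusted CERT STORE: succeed only if CERT chains to a root in STORE,
# where STORE is a PEM bundle standing in for the client's root store.
is_trusted() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

demo() {
    local d
    d=$(mktemp -d) || return 1
    # A root the client already trusts (stand-in for a commercial CA).
    make_self_signed "$d" publicroot "Constructed Public Root CA" || return 1
    # The certificate we issued ourselves for our own site.
    make_self_signed "$d" server "intranet.example" || return 1
    cp "$d/publicroot.crt" "$d/store.pem"

    if is_trusted "$d/server.crt" "$d/store.pem"; then
        echo "before import: trusted"
    else
        echo "before import: NOT trusted (client would show a warning)"
    fi

    # The client explicitly imports our certificate as a trusted root.
    cat "$d/server.crt" >> "$d/store.pem"
    if is_trusted "$d/server.crt" "$d/store.pem"; then
        echo "after import: trusted"
    else
        echo "after import: NOT trusted"
    fi
    rm -rf "$d"
}

demo
```

The import step is the part that does not scale to the public: every client has to do it, which is why a certificate from a CA already present in client root stores is used for public-facing sites.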
