DOCUMENT:Q201255 06-AUG-2002 [iis]
TITLE :HOW TO: Enable SGC on Internet Information Server
PRODUCT :Internet Information Server
PROD/VER::3.0,4.0,5.0
OPER/SYS:
KEYWORDS:kbHOWTOmaster
======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Internet Information Server versions 3.0, 4.0
- Microsoft Internet Information Services version 5.0
-------------------------------------------------------------------------------
IMPORTANT: This article contains information about modifying the registry. Before you
modify the registry, make sure to back it up and make sure that you understand how to restore
the registry if a problem occurs. For information about how to back up, restore, and edit the
registry, click the following article number to view the article in the Microsoft Knowledge Base:
Q256986 Description of the Microsoft Windows Registry
IN THIS TASK
------------
- SUMMARY
- Install Schannel.dll and Sgcinst.exe
- Enable Server Gated Cryptography
- Request an SGC Certificate
- Install the SGC Certificate
- IIS 3.0
- IIS 4.0
- IIS 5.0
- Notes
- REFERENCES
SUMMARY
=======
This article describes how to enable Server Gated Cryptography (SGC) on a
computer that is running Internet Information Server (IIS).
NOTE: Microsoft Internet Information Server (IIS) version 4.0 and Microsoft
Internet Information Services (IIS) version 5.0 require no special
modifications. You must only request an SGC certificate for SGC to be functional
with IIS version 4.0 and IIS version 5.0. See the Request an SGC Certificate
section for more information.
Install Schannel.dll and Sgcinst.exe
------------------------------------
1. Install the following two executable files:
- Schannel.dll
- Sgcinst.exe
These files are contained in the self-extracting Sgcschannel.exe file. To access
this file, visit the following Microsoft Web site:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/misc/sgcschannel/
Copy Sgcschannel.exe in a temporary directory on your Windows NT server. Running
this file unpacks the following files:
- Schannel.dll
- Sgcinst.exe
- License.txt
- Readme.txt
2. Install this version of Schannel.dll in the <%windir%>\system32
directory, where <%windir%> is your Windows installation directory.
Typically, this is C:\Winnt. Note that Schannel.dll already exists in this
directory. This DLL is loaded at boot time and may not be copied over. To
install the SGC Schannel.dll file, you must first rename the existing
Schannel.dll file. You can do this from a command prompt or by using Windows
Explorer. Microsoft recommends that you rename it to Schannel.sp3 so that it
is available if you decide to remove the SGC capability later. After you do
this, copy the SGC Schannel.dll file to the <%windir%>\system32
directory.
3. Copy Sgcinst.exe to a working directory. This can be put in any location;
however, Microsoft recommends that you copy it to <%windir%>\system32,
so that it will be in your standard path for executable programs. The
application is a utility to help in installing SGC certificates in existing
versions of IIS.
Enable Server Gated Cryptography
--------------------------------
WARNING: If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee that you can solve problems that result from using Registry Editor
incorrectly. Use Registry Editor at your own risk.
NOTE: You do not have to add the EnableSGC DWORD value in Microsoft Internet
Information Server (IIS) version 4.0 from the NT Option Pack or Microsoft
Internet Information Services (IIS) version 5.0 that is included with Windows
2000. In IIS versions 4.0 and 5.0, 1024-bit certificates are supported
natively.
1. Click Start, and then click Run.
2. Type "Regedt32" (without the quotation marks), and then click OK.
3. In Registry Editor, expand HKEY_LOCAL_MACHINE, and then locate the following
subkey:
System\CurrentControlSet\Control\SecurityProviders
4. Click to select SCHANNEL.
5. On the Edit menu, click New, and then click DWORD Value. A new value appears
in the right pane.
6. Type "EnableSGC" (without the quotation marks), and then press ENTER.
7. Right-click EnableSGC, and then click Modify.
8. In the Edit DWord Value dialog box, type "1" (without the quotation marks),
and then click OK.
9. Click Registry, and then click Exit to close Registry Editor.
10. Restart the computer.
Request an SGC Certificate
--------------------------
An SGC certificate can be requested by using the process that is described in the
IIS Key Manager documentation. Generating a request for an SGC certificate is no
different from the process for requesting a standard server identification
certificate. Note that the keys that are associated with SGC certificates must
be 1024 bits in length.
NOTE: You must also provide any additional information that is requested by the
certification authority to validate your application.
Install the SGC Certificate
---------------------------
The procedure to install the SGC certificat is different for IIS 3.0, IIS 4.0,
and IIS 5.0.
IIS 3.0:
Installing an SGC certificate with IIS 3.0 is a two-step process.
VeriSign and other certification authorities that currently issue server
identification certificates return the server certificate as a base-64 encoded
x.509v3 certificate.
To more effectively control issuance of the SGC certificates, VeriSign has
created an intermediate, or issuing, certification authority for SGC
certificates. This requires that a certificate chain be returned to the IIS
computer. This chain includes both the SGC server certificate and the
intermediate certification authority certificate in a base-64 encoded PKCS-7
data structure. With current IIS releases, this must be preprocessed before you
install the SGC server certificate by using IIS Key Manager.
Sgcinst.exe performs the required preprocessing. It accepts a base-64 encoded
PKCS-7 data structure, installs the intermediate certification authority
certificate, and creates a base-64 encoded x.509v3 certificate file that
contains only the SGC server certificate. This output file may then be loaded
for IIS by using Key Manager.
To install a base-64 encoded PKCS-7 data structure from VeriSign or another
certification authority that returns a PKCS-7 certificate chain, follow these
steps:
1. Retrieve the PKCS-7 certificate from the certification authority and save it
to a temporary directory on the IIS computer. Microsoft recommends that you
save this file with a .pk7 file name extension.
2. Run Sgcinst.exe with the PKCS-7 certificate chain file as the input file and
a file name to hold the base-64 encoded x.509v3 SGC server certificate as the
output file.
To do this, open a command prompt window on the Windows NT Server computer,
locate the directory that contains the certificate files, and then type the
following command, where is the file that contains the
base-64 encoded PKCS-7 certificate chain (that is, the file that is received
from the certification authority) and