Enabling SGC on Internet Information Server

ID: Q201255


The information in this article applies to:

    Microsoft Internet Information Server versions 2.0, 3.0, and 4.0

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

This article describes how to enable Server Gated Cryptography (SGC) on a computer running Internet Information Server (IIS).

NOTE: Microsoft Internet Information Server (IIS) version 4.0 requires no special modifications. It is only necessary to request an SGC Certificate for SGC to be functional with IIS version 4.0. See the Requesting an SGC Certificate section below for more information.


MORE INFORMATION

Installing Schannel.dll and Sgcinst.exe

  1. The SGC update requires that you install the following two files:

     Schannel.dll
     Sgcinst.exe

    These files are contained in the self-extracting Sgcschannel.exe file. Copy Sgcschannel.exe into a temporary directory on your Windows NT server. Running this file unpacks both files into that directory.



  2. This version of Schannel.dll should be installed in the %windir%\system32 directory, where %windir% is your Windows installation directory (typically C:\WINNT). Note that a Schannel.dll already exists in this directory. That DLL is loaded at boot time, so it cannot be overwritten in place. To install the SGC Schannel.dll, you must first rename the existing Schannel.dll file, either from a command prompt or in Windows Explorer. We recommend you rename it to Schannel.sp3 so it remains available if you decide to uninstall the SGC capability later. When this is done, copy the SGC Schannel.dll file to the %windir%\system32 directory.


  3. Copy Sgcinst.exe to a working directory. It can be placed in any location; however, we recommend that you copy it to %windir%\system32 so that it is on your standard path for executable programs. Sgcinst.exe is a utility that assists in installing SGC Certificates into existing versions of IIS.


Enabling Server Gated Cryptography

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).


  1. Click the Start button, click Run, type regedit, and then click OK.


  2. Open (click the plus sign (+) next to) HKEY_LOCAL_MACHINE, and then go to the following subkey:
    System\CurrentControlSet\Control\SecurityProviders


  3. Select SCHANNEL.


  4. On the Edit menu, select New, and then choose DWORD Value. A new value will appear in the right pane.

    If necessary, right-click on the new item and choose Rename from the menu.


  5. Type "EnableSGC" and press the Enter key.


  6. Right-click "EnableSGC" and choose Modify.


  7. In the Edit DWord Value dialog box, type "1" (one) and click OK.


  8. Click Registry, and then click Exit to close the Registry Editor.


  9. Restart the computer.
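The registry change above can also be scripted. The following is an added example, not part of the original article, written for Windows PowerShell on a later Windows release (Windows NT 4.0 itself had no PowerShell). It assumes an elevated session and that reg.exe is on the path. It backs up the SCHANNEL key first, as the warning above advises, creates the EnableSGC DWORD, and reads it back to confirm both the type and the value before you restart.

```powershell
# Added example (not from the original article): create the EnableSGC DWORD the
# article describes, with a backup first and a read-back check afterwards.
# Run in an elevated PowerShell session; a restart is still required to apply it.

$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

if (-not (Test-Path $schannelKey)) {
    throw "Registry key not found: $schannelKey"
}

# Back up the SCHANNEL key before changing it. reg.exe export writes a .reg file
# that can be re-imported (double-click or 'reg.exe import') to roll back.
$backup = Join-Path $env:TEMP ('SCHANNEL-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }

# Create (or overwrite) the value. -Force makes the script safe to re-run.
New-ItemProperty -Path $schannelKey -Name 'EnableSGC' -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back: the value must be 1 and the type must be REG_DWORD, since a
# REG_SZ "1" created by mistake in the editor would be silently ignored.
$readBack = (Get-ItemProperty -Path $schannelKey -Name 'EnableSGC').EnableSGC
if ($readBack -ne 1) {
    throw "EnableSGC was not set to 1 (read back: $readBack)"
}
$kind = (Get-Item $schannelKey).GetValueKind('EnableSGC')
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
    throw "EnableSGC has type $kind, expected DWord"
}

Write-Host "EnableSGC = 1 (REG_DWORD) under $schannelKey"
Write-Host "Backup written to $backup. Restart the computer to apply the change."
```

The read-back step matters because the editor steps above create the value by hand: a value of the wrong type (a string "1" instead of a DWORD 1) or under the wrong key would not enable SGC, and nothing in the editor would tell you so.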


Requesting an SGC Certificate

An SGC Certificate can be requested using the process described in the IIS Key Manager documentation. Generating a request for an SGC Certificate is no different from the process for requesting a standard Server Identification Certificate. Note that the keys associated with SGC Certificates should be 1024 bits in length, which is what the SGC-era CAs and IIS releases expected; by current standards 1024-bit RSA keys are considered too weak, and public CAs no longer issue certificates for them.

Note: You will also need to provide any additional information requested by the Certificate Authority to validate your application.

Installing the SGC Certificate

Installing an SGC Certificate with IIS 3.0 requires a two-step process.

VeriSign and other Certificate Authorities (CAs) that currently issue Server Identification Certificates return the server certificate as a base-64 encoded X.509v3 certificate.

To more effectively control issuance of SGC Certificates, VeriSign has created an intermediate, or issuing, CA for SGC Certificates. This requires that a certificate chain be returned to the IIS computer. This chain includes both the SGC Server Certificate and the intermediate CA Certificate in a base-64 encoded PKCS-7 data structure. With current IIS releases, this chain must be pre-processed before the SGC Server Certificate can be installed using IIS Key Manager.

Sgcinst.exe performs the required pre-processing. It accepts a base-64 encoded PKCS-7 data structure, installs the intermediate CA Certificate, and creates a base-64 encoded X.509v3 Certificate file containing only the SGC server Certificate. This output file may then be loaded for IIS use with Key Manager.

To install a base-64 encoded PKCS-7 data structure from VeriSign or other CA returning a PKCS-7 Certificate chain, do the following:
  1. Retrieve the PKCS-7 Certificate from the CA and save it to a temporary directory on the IIS computer. It is recommended this be saved with a ".pk7" extension.


  2. Run Sgcinst.exe with the PKCS-7 Certificate chain file as the input file and a filename to hold the base-64 encoded X.509v3 SGC server Certificate as the output file.

    To do this, open a command prompt window on the Windows NT Server computer, go to the directory containing the Certificate files, and then enter the following command:
    sgcinst <input file> <output file>
    where:
    <input file> is the file containing the base-64 encoded PKCS-7 Certificate chain (the file received from the Certificate Authority)

    -and-

    <output file> is the file that will hold the base-64 encoded X.509v3 SGC Server Certificate


  3. If the CA Certificate chain had been saved to a file named Sgccert.pk7, then the Sgcinst command would be as follows:
    sgcinst sgccert.pk7 sgccert.cer
    Note: If the input file is not a properly formatted base-64 encoded PKCS-7 structure, the program returns the following error message:
    Error in reading input file: <inputfilename>


  4. Install the output file using IIS Key Manager. See your IIS documentation if you need assistance with this operation.


NOTES

It is critical that the input file to the Sgcinst program is properly formatted. A properly formatted input file contains only ASCII printable characters (base-64 encoding ensures this). The following is an example of a correct input file:


   -----BEGIN CERTIFICATE-----
   MIIFHjCCBIegAwIBAgIQTvLRLEwlvniwCz0g3ZENcDANBgkqhkiG9w0BAQQFADCB
   .
   .
   .
   PU/rJbU8kEvm1tCZXJIHQem6
   -----END CERTIFICATE----- 


where the . characters indicate multiple lines similar to the second one. It is acceptable for additional lines of text to precede the line containing "BEGIN CERTIFICATE"; for example, an e-mail header preceding the certificate data will not cause a problem. If you manually save the certificate chain returned by the CA, make sure to include the lines containing "BEGIN CERTIFICATE" and "END CERTIFICATE", as indicated above.
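The pre-processing that the article attributes to Sgcinst.exe (read the base-64 PKCS-7 chain, install the intermediate CA certificate, write out the server certificate alone) and the input-format rules in the NOTES above can be reproduced with .NET's PKCS#7 support. The script below is an added example for Windows PowerShell and is not the Sgcinst.exe shipped with the SGC update. The function name Split-SgcChain, the file names, and the use of the LocalMachine\CA store for intermediates are this example's own choices; the error wording copies the message quoted in step 3 above.

```powershell
# Added example, not the Sgcinst.exe from the SGC update: reproduces the
# pre-processing the article describes using .NET's SignedCms (PKCS#7) class.
# Function, parameter and file names are illustrative.
Add-Type -AssemblyName System.Security

function Split-SgcChain {
    param(
        [Parameter(Mandatory)] [string] $InputFile,    # e.g. sgccert.pk7 from the CA
        [Parameter(Mandatory)] [string] $OutputFile,   # e.g. sgccert.cer for Key Manager
        [switch] $InstallIntermediate                  # also add CA certs to LocalMachine\CA
    )

    # 1. Tolerant read: text before the BEGIN line (an e-mail header, say) is
    #    ignored, as the NOTES permit, but the body between the markers must be
    #    pure base-64, otherwise fail the way Sgcinst does.
    $lines = @(Get-Content -Path $InputFile -ErrorAction Stop)
    $begin = -1; $end = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($begin -lt 0 -and $lines[$i] -match '^-----BEGIN ') { $begin = $i }
        elseif ($begin -ge 0 -and $lines[$i] -match '^-----END ') { $end = $i; break }
    }
    if ($begin -lt 0 -or $end -le $begin + 1) {
        throw "Error in reading input file: $InputFile (BEGIN/END lines missing)"
    }
    $b64 = ($lines[($begin + 1)..($end - 1)] | ForEach-Object { $_.Trim() }) -join ''
    if ($b64 -notmatch '^[A-Za-z0-9+/]+=*$') {
        throw "Error in reading input file: $InputFile (body is not base-64)"
    }
    $der = [Convert]::FromBase64String($b64)

    # 2. Decode. A PKCS#7 chain is the normal case; fall back to a bare X.509
    #    certificate, which the article says some CAs return instead.
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    try {
        $cms.Decode($der)
        $certs = @($cms.Certificates)
    } catch {
        try { $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)) }
        catch { throw "Error in reading input file: $InputFile (neither PKCS#7 nor X.509)" }
    }
    if ($certs.Count -eq 0) { throw "Error in reading input file: $InputFile (no certificates)" }

    # 3. The server (leaf) certificate is the one whose subject is not the issuer
    #    of any other certificate in the set; everything else is an issuing CA.
    $issuers = @($certs | ForEach-Object { [Convert]::ToBase64String($_.IssuerName.RawData) })
    $leaves = @($certs | Where-Object {
        $issuers -notcontains [Convert]::ToBase64String($_.SubjectName.RawData) })
    if ($leaves.Count -ne 1) {
        throw "Expected exactly one end-entity certificate, found $($leaves.Count)"
    }
    $leaf = $leaves[0]
    $cas = @($certs | Where-Object { $_.Thumbprint -ne $leaf.Thumbprint })

    # 4. Optionally install the intermediate CA certificate(s), refusing anything
    #    that does not assert basicConstraints CA=TRUE. Needs administrator rights.
    if ($InstallIntermediate -and $cas.Count -gt 0) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        try {
            foreach ($ca in $cas) {
                $bc = $ca.Extensions | Where-Object {
                    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
                if (-not $bc -or -not $bc.CertificateAuthority) {
                    throw "$($ca.Subject) is in the chain but is not a CA certificate"
                }
                $store.Add($ca)
            }
        } finally { $store.Close() }
    }

    # 5. Write only the server certificate, base-64 encoded in 64-column lines as
    #    in the NOTES example, which is the form Key Manager loads.
    $body = [Convert]::ToBase64String($leaf.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $pem = @('-----BEGIN CERTIFICATE-----') +
           @($body -split '(.{64})' | Where-Object { $_ }) +
           @('-----END CERTIFICATE-----')
    Set-Content -Path $OutputFile -Value $pem -Encoding Ascii

    [pscustomobject]@{
        Server        = $leaf.Subject
        Intermediates = @($cas | ForEach-Object { $_.Subject })
        OutputFile    = $OutputFile
    }
}

# Usage (file names are examples):
# Split-SgcChain -InputFile sgccert.pk7 -OutputFile sgccert.cer -InstallIntermediate
```

Run it as an administrator when using -InstallIntermediate, because writing to the LocalMachine\CA store requires it. Lines before the BEGIN marker are skipped, as the NOTES describe, but a body containing anything other than base-64 characters, or a BEGIN line without a matching END line, is rejected with the same "Error in reading input file" wording Sgcinst uses. The CA=TRUE check in step 4 is a safeguard the article does not mention: it stops a mis-ordered or padded chain from placing an end-entity certificate in the machine's intermediate CA store.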

Version           : winnt:2.0,3.0,4.0
Platform          : winnt

Last Reviewed: June 28, 1999