Installing a VeriSign SGC Certificate on IIS 4.0

ID: Q234271


The information in this article applies to:

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

This article describes how to install a VeriSign Server Gated Crypto (SGC) certificate on a computer running Microsoft Internet Information Server (IIS) version 4.0.


MORE INFORMATION

The process for configuring non-US versions of IIS 4.0 (for example, the English international 40-bit version) to use a VeriSign SGC certificate is as follows.

Prerequisites

Note: Bypass the Prerequisites section if Windows NT 4.0 Service Pack 4 has been applied to the IIS 4.0 computer.

  1. Ensure that you have at least Windows NT 4.0 Service Pack 3 applied on the IIS computer.


  2. Make sure that you obtain the latest Schannel patch and Sgcinst.exe files from ftp.microsoft.com and that you view the Readme file prior to implementation on a live environment. For additional information, please see the following article in the Microsoft Knowledge Base:
    Q148427 Generic SSL (PCT/TLS) Updates for IIS and Microsoft Internet Products
    You can download the current fix from the following location:
    ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/ssl-fix


  3. Check the EnableSGC registry value in the following registry key:
    HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\SecurityProviders\SCHAN
    NEL is set to 1. If this value is different or not created, use Registry Editor to modify or add the DWord value.


WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).


Obtaining the SGC Certificate

At this stage, the IIS computer is now configured with the necessary file revisions to accept the SGC certificate. Go to the VeriSign Web site and request a SGC digital ID. When VeriSign approves your certificate request, you will receive your certificate in the mail.

NOTE: Some e-mail systems may corrupt the valid certificate. Please check with you vender. At present there are no known issues with Microsoft Exchange Server.

Sample Certificate


-----BEGIN CERTIFICATE-----
MIIBqDCCARECAQAwaTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMRMwEQYD
VQQHEwpMYXNDb2xpbmFzMRIwEAYDVQQKEwlNaWNyb3NvZnQxDjAMBgNVBAsTBUl0
ZWFtMREwDwYDVQQDFAhOVFZPT0RPTzCBnjANBgkqhkiG9w0BAQEFAAOBjAAwgYgC
gYBxmmAWKbLJHg5TuVyjgzWW0JsY5Shaqd7BDWtqhzy4HfRTW22f31rlm8NeSXHn
EhLiwsGgNzWHJ8no1QIYzAgpDR79oqxvgrY4WS3PXT7OLwIDAQABoAAwDQYJKoZI
hvcNAQEEBQADgYEAVcyI4jtnnV6kMiByiq4Xg99yL0U7bIpEwAf3MIZHS7wuNqfY
acfhbRj6VFHT8ObprKGPmqXJvwrBmPrEuCs4Ik6PidAAeEfoaa3naIbM73tTvKN+
WD30lAfGBr8SZixLep4pMIN/wO0eu6f30cBuoPtDnDulNT8AuQHjkJIc8Qc=
-----END CERTIFICATE----- 
Configuring and Installing the Certificate

The certificate will be sent in the body of an e-mail message. Copy the contents of the mail message into a text file using a plain text editor (which does not insert specific format information, such as Notepad.exe). Ensure that the very first line is "--Begin Certificate--" and the last line being "--End Certificate."

Formatting of the Certificate

Notes:

  • Do not use Microsoft Word. Microsoft Word specifically formats documents. Microsoft Notepad.exe does not apply any specific formatting.


  • Make sure that you do not have the Word Wrap feature set on your text processor and that there are no leading or trailing spaces on EACH line in the certificate.


  • Make sure that the "Begin Certificate" and "End Certificate" lines are separate from the main body of the message (certificate). Save this file as a text file.


    1. Run the Sgcinst.exe utility that you obtained from the Microsoft FTP site against the raw certificate. The command should be similar to the following:
      C:\sgcinst.exe rawcert.txt sgccert.txt


    2. Install the new outputted file (for example Sgccert.txt) as the Certificate in Key Manager.


    The IIS 4.0 computer should now negotiate 128-bit secure sessions.

    Additional query words: SGCInst Certificate

    
    Keywords          : 
    Version           : winnt:4.0
    Platform          : winnt 
    Issue type        : kbhowto 

    Last Reviewed: July 1, 1999