InstallerContactSite Map

This page allows you to properly configure HTTPS bindings and SSL options for a website.

NoteSSL configuration options are available only when you have configured at least one HTTPS binding.

HTTPS Bindings

This section allows you to configure HTTPS bindings for your website.

Adding a new HTTPS website binding

Use the [ New... ] button, the “New...” context menu item or press the Insert key while the focus is in the list control.

Editing a HTTPS website binding

Use the [ Edit... ] button, the “Edit...” context menu item or press the Space key while the focus is in the list control.

Removing a HTTPS website binding

Use the [ Remove ] button, the “Remove” context menu item or press the Delete key while the focus is in the list control.

ImportantThis triplet setting (IP Address, Port No, Host Name) defines the website binding and therefore must be unique. If you add a duplicate binding to the Web server, only one site with that binding can run at a time. Additionally, any changes that are made to the SSL certificate on one binding will affect the certificate on the other bindings.

SSL Certificate

Select the digital certificate that you want the site to use for SSL. The Advanced Installer IIS configuration tool gives you the option of associating an existing certificate (from the server) with your new website, or you can install your own digital certificate. The installed digital certificate can reside as a binary resource within the package (with its password securely crypted), or you can choose to provide the certificate and password at install time.

NoteYou can use the same digital certificate for multiple websites in your project/server.

TipFor server testing and troubleshooting you can use a Self-Signed Certificate, that you can easily create from the IIS/Certificates MMC Snap-in.

System Store Name

Specify the system store name for the used digital certificate. Usually, the 'Personal' store ( MY ) is used.

Using existing server certificate

Select this option if you want to associate an existing certificate (from the server) with your new website.

The ThumbPrint or certificate hash represents the binary data (in hexadecimal representation) produced by using a hashing algorithm on the certificate. Although this data uniquely identifies a certificate, the hash data cannot be used to trace a certificate because hashing is a one-way process.

You can use the helper “...” button to select a PFX certificate file from which to extract the thumb-print (hash). This does not bind the selected cerificate to the project in any way.

TipThese fields are of Formatted Type and can be edited using Smart Edit Control by inserting Windows Installer property references, which will be resolved at install time.

Install PFX certificate from the package

Select this option if you want to install on the server a digital certificate for your website. The digital certificate will reside as a binary resource within the package, with the password you provide securely crypted.

Install PFX certificate chosen at run time

If you don't want to store the digital certificate and password in your package, you have the option of letting the installing user provide them through the installation UI, by means of Windows Installer Properties.

NoteFor details on how to choose a digital certificate file from the installation package UI please read the Browse For File tutorial.

SSL Options

Use the SSL (Secure Sockets Layer) Settings to manage data encryption of transmissions between your server and clients. Additionally, by selecting Ignore, Accept, or Require certificates you can require a client to be identified before gaining access to content.

Require SSL

Select this option to enable a 40–bit data encryption method that you can use to help secure transmissions between your server and clients. This option setting works in both intranet and Internet environments.

Require 128-bit SSL

Select this option to provide stronger encryption than the 40–bit version. You can use 128–bit SSL to help secure transmissions between your server and clients in either an intranet or Internet environment.

Client certificates

Configure how the server should handle the client identity when connecting securely to the website. The following options are available:

  • Ignore(default) - server does not accept client certificates if they are provided
  • Accept - server accepts client certificates (if they are provided) and verifies client identity before allowing the client to gain access to content
  • Require - server requires that certificates verify client identity before allowing the client to gain access to content

NoteThe Ignore option does not require clients to verify their identity before gaining access to your content. Therefore, this is the least secure of these settings.

Always negotiate client certificate

This setting controls SSL client connection negotiations. If checked, any time SSL connections are negotiated, the server will immediately negotiate a client certificate, preventing an expensive renegotiation. Setting this option also helps eliminate client certificate renegotiation deadlocks, which may occur when a client is blocked on sending a large request body when a renegotiation request is received.