Web Site Bindings/SSL Settings

This view allows you to properly configure HTTP and HTTPS bindings, along with the SSL options for a Web Site.

Note: SSL configuration options are available only when you have configured at least one HTTPS binding.

Bindings

This section allows you to configure HTTP(S) bindings for your Web Site.

Adding a new HTTP(S) Web Site binding

Use the [ New... ] button, the “New...” context menu item or press the Insert key while the list control is focused.

Editing an HTTP(S) Web Site binding

Use the [ Edit... ] button, the “Edit...” context menu item or press the Space key while an element from the list control is focused.

Removing an HTTP(S) Web Site binding

Use the [ Remove ] button, the “Remove” context menu item or press the Delete key while an element from the list control is selected.

Note: Deleting all HTTP bindings is not allowed; your website must have at least one binding, be it HTTP or HTTPS.

Important: This triplet setting (IP Address, Port No, Host Name) defines the Web Site binding and therefore must be unique. If you add a duplicate binding to the Web server, only one site with that binding can run at a time. Additionally, any changes that are made to the SSL certificate on one binding will affect the certificate on the other bindings.
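A pre-deployment check for the uniqueness rule above, as an added example that is not part of Advanced Installer or its documentation. It assumes the target server's bindings are available as an IIS applicationHost.config file; the embedded fragment, site names and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed applicationHost.config fragment (site names and addresses are made up).
SAMPLE_CONFIG = """
<configuration><system.applicationHost><sites>
  <site name="Shop" id="1"><bindings>
    <binding protocol="http"  bindingInformation="*:80:shop.example.test" />
    <binding protocol="https" bindingInformation="10.0.0.5:443:shop.example.test" />
  </bindings></site>
  <site name="Admin" id="2"><bindings>
    <binding protocol="https" bindingInformation="10.0.0.5:443:shop.example.test" />
    <binding protocol="https" bindingInformation="[::1]:8443:" />
  </bindings></site>
</sites></system.applicationHost></configuration>
"""

def parse_binding(info):
    """Split 'IP:port:host' into a normalized (IP, port, host) triplet.

    Splitting from the right keeps the colons of a bracketed IPv6 address intact.
    """
    ip, port, host = info.rsplit(":", 2)
    return (ip or "*", int(port), host.lower())

def duplicate_bindings(config_xml):
    """Return {triplet: [site names]} for triplets claimed by more than one binding."""
    owners = defaultdict(list)
    for site in ET.fromstring(config_xml).iter("site"):
        for binding in site.iter("binding"):
            if binding.get("protocol") in ("http", "https"):
                triplet = parse_binding(binding.get("bindingInformation"))
                owners[triplet].append(site.get("name"))
    return {t: names for t, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    for (ip, port, host), names in duplicate_bindings(SAMPLE_CONFIG).items():
        print(f"{ip}:{port}:{host or '(any host)'} is claimed by: {', '.join(names)}")
```
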

SSL Certificate

Select the digital certificate to be used for SSL by your web site. The Advanced Installer IIS configuration tool gives you the option of associating an existing certificate (from the server) with your new Web Site or you can install your own digital certificate. The installed digital certificate can reside as a binary resource within the package (with its password securely encrypted) or you can choose to provide the certificate and password at install time.

Note: You can use the same digital certificate for multiple Web Sites in your project/server.

Tip: For server testing and troubleshooting you can use a Self-Signed Certificate, which you can easily create from the IIS/Certificates MMC Snap-in.

System Store Name

Specify the system store name for the used digital certificate. Usually, the 'Personal' store ( MY ) is used.

Using existing server certificate

Select this option if you want to associate an existing certificate (from the server) with your new Web Site.

ThumbPrint (Hash)

The ThumbPrint or certificate hash represents the binary data (in hexadecimal representation) produced by using a hashing algorithm on the certificate. Although this data uniquely identifies a certificate, the hash data cannot be used to trace a certificate because hashing is a one-way process.

You can use the helper “...” button to select a PFX certificate file from which to extract the thumbprint (hash). This does not bind the selected certificate to the project in any way.

Tip: These fields are of Formatted Type and can be edited using Smart Edit Control by inserting Windows Installer property references, which will be resolved at install time.

Install PFX certificate from the package

Select this option if you want to install on the server a digital certificate for your Web Site. The digital certificate will reside as a binary resource within the package, with the password you provide securely encrypted.

Install PFX certificate chosen at run time

If you don't want to store the digital certificate and password in your package, you have the option of letting the installing user provide them through the installation UI, by means of Windows Installer Properties.

Note: For details on how to choose a digital certificate file from the installation package UI, please read the Browse for file how-to article.

SSL Options

Use the SSL (Secure Sockets Layer) Settings to manage data encryption of transmissions between your server and clients. Additionally, by selecting Ignore, Accept or Require certificates you can require a client to be identified before gaining access to content.

Require SSL

Select this option to enable a 40–bit data encryption method that you can use to help secure transmissions between your server and clients. This option setting works in both Intranet and Internet environments.

Require 128-bit SSL

Select this option to provide stronger encryption than the 40–bit version. You can use 128–bit SSL to help secure transmissions between your server and clients in either an Intranet or Internet environment.

Client certificates

Configure how the server should handle the client identity when connecting securely to the Web Site. The following options are available:

  • Ignore (default) - server does not accept client certificates if they are provided
  • Accept - server accepts client certificates (if they are provided) and verifies client identity before allowing the client to gain access to content
  • Require - server requires that certificates verify client identity before allowing the client to gain access to content

Note: The Ignore option does not require clients to verify their identity before gaining access to your content. Therefore, this is the least secure of these settings.
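To confirm after installation which of these options are actually in force, the following added example (not Advanced Installer code) reads them back from an IIS applicationHost.config. It assumes the options are stored in the IIS `sslFlags` attribute of the `access` element (values `Ssl`, `Ssl128`, `SslNegotiateCert`, `SslRequireCert`); the embedded fragment and site names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; the site names are made up.
SAMPLE_CONFIG = """
<configuration>
  <location path="Shop"><system.webServer><security>
    <access sslFlags="Ssl, Ssl128, SslNegotiateCert, SslRequireCert" />
  </security></system.webServer></location>
  <location path="Admin"><system.webServer><security>
    <access sslFlags="Ssl, SslNegotiateCert" />
  </security></system.webServer></location>
  <location path="Legacy"><system.webServer><security>
    <access sslFlags="SslRequireCert" />
  </security></system.webServer></location>
</configuration>
"""

def describe(ssl_flags):
    """Translate an IIS sslFlags value into the options named on this page."""
    flags = {f.strip() for f in ssl_flags.split(",")} - {"", "None"}
    if "SslRequireCert" in flags:
        client = "Require"
    elif "SslNegotiateCert" in flags:
        client = "Accept"
    else:
        client = "Ignore"
    return {"require_ssl": "Ssl" in flags,
            "require_128": "Ssl128" in flags,
            "client_certs": client}

def audit(config_xml):
    """Return {location path: [findings]}; an empty list means nothing to flag."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        access = next(loc.iter("access"), None)
        if access is None:
            continue
        opts = describe(access.get("sslFlags", "None"))
        findings = []
        if not opts["require_ssl"]:
            findings.append("Require SSL is off")
            if opts["client_certs"] != "Ignore":
                findings.append("client certificate option set without Require SSL")
        if opts["client_certs"] == "Accept":
            findings.append("client certificate optional: callers without one still get in")
        report[loc.get("path")] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_CONFIG).items():
        print(path, "->", findings or "ok")
```
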

Always negotiate client certificate

This setting controls SSL client connection negotiations. If checked, any time SSL connections are negotiated the server will immediately negotiate a client certificate, preventing an expensive renegotiation. Setting this option also helps eliminate client certificate renegotiation deadlocks, which may occur when a client is blocked on sending a large request body.
