Web Site Bindings/SSL Settings
This view allows you to properly configure HTTP and HTTPS bindings, along with the SSL options for a Web Site.
SSL configuration options are available only when you have configured at least one HTTPS binding.
This section allows you to configure HTTP(S) bindings for your Web Site.
Adding a new HTTP(S) Web Site binding
Use the button, the “New...” context menu item, or press the Insert key while the list control is focused.
Editing an HTTP(S) Web Site binding
Use the button, the “Edit...” context menu item, or press the Space key while an element from the list control is focused.
Removing an HTTP(S) Web Site binding
Use the button, the “Remove” context menu item, or press the Delete key while an element from the list control is selected.
Deleting all bindings is not allowed; your website must have at least one binding, be it HTTP or HTTPS.
This triplet setting (IP Address, Port No, Host Name) defines the Web Site binding and therefore must be unique. If you add a duplicate binding to the Web server, only one site with that binding can run at a time. Additionally, any changes that are made to the SSL certificate on one binding will affect the certificate on the other bindings.
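A check for duplicate triplets before deployment, as an added example (not part of Advanced Installer or its documentation). The function name, the input object shape and the sample sites are assumptions made for illustration; the `IP:Port:HostName` string is the form in which IIS stores a binding.

```powershell
# Added example. Each input object has Site, Protocol and BindingInformation
# ("IP:Port:HostName"). Find-BindingConflict is a hypothetical helper name.
function Find-BindingConflict {
    param([Parameter(Mandatory)][object[]]$Binding)

    $parsed = foreach ($b in $Binding) {
        # IPv6 addresses are bracketed, so a plain split on ':' is not enough.
        if ($b.BindingInformation -notmatch '^(?<ip>\[[^\]]+\]|[^:]*):(?<port>\d+):(?<name>.*)$') {
            Write-Warning "Unparseable binding '$($b.BindingInformation)' on $($b.Site)"
            continue
        }
        [pscustomobject]@{
            Site     = $b.Site
            Protocol = $b.Protocol
            # Host names are case-insensitive, so compare them in lower case.
            Triplet  = '{0}:{1}:{2}' -f $Matches['ip'], $Matches['port'], $Matches['name'].ToLowerInvariant()
        }
    }

    # The same triplet on more than one binding: only one such site can run,
    # and a certificate change on one HTTPS binding affects the others.
    $parsed | Group-Object -Property Triplet | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Triplet = $_.Name
                Sites   = ($_.Group.Site | Sort-Object -Unique) -join ', '
                Https   = ($_.Group.Protocol -contains 'https')
            }
        }
}

# Constructed sample data (not taken from a real server).
$sample = @(
    [pscustomobject]@{ Site = 'Shop';  Protocol = 'https'; BindingInformation = '*:443:shop.example.test' }
    [pscustomobject]@{ Site = 'Admin'; Protocol = 'https'; BindingInformation = '*:443:SHOP.example.test' }
    [pscustomobject]@{ Site = 'Intra'; Protocol = 'http';  BindingInformation = '[::1]:8080:' }
)
Find-BindingConflict -Binding $sample
```

With the sample data the function reports one conflict, `*:443:shop.example.test`, shared by the Admin and Shop sites.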
Select the digital certificate to be used for SSL by your web site. The Advanced Installer IIS configuration tool gives you the option of associating an existing certificate (from the server) with your new Web Site or you can install your own digital certificate. The installed digital certificate can reside as a binary resource within the package (with its password securely encrypted) or you can choose to provide the certificate and password at install time.
You can use the same digital certificate for multiple Web Sites in your project/server.
For server testing and troubleshooting you can use a Self-Signed Certificate, which you can easily create from the IIS/Certificates MMC Snap-in.
System Store Name
Specify the name of the system store that holds the digital certificate. Usually, the 'Personal' store (MY) is used.
Using existing server certificate
Select this option if you want to associate an existing certificate (from the server) with your new Web Site.
The ThumbPrint or certificate hash represents the binary data (in hexadecimal representation) produced by using a hashing algorithm on the certificate. Although this data uniquely identifies a certificate, the hash data cannot be used to trace a certificate because hashing is a one-way process.
You can use the helper “...” button to select a PFX certificate file from which to extract the thumbprint (hash). This does not bind the selected certificate to the project in any way.
These fields are of Formatted Type and can be edited using Smart Edit Control by inserting Windows Installer property references, which will be resolved at install time.
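Before relying on a thumbprint in the package, it is worth confirming on the target server that it resolves to a usable certificate. The following is an added example, not Advanced Installer code; the function name is hypothetical, and it assumes the certificate lives in a LocalMachine store and that the Windows thumbprint is the SHA-1 hash of the DER-encoded certificate.

```powershell
# Added example. Test-BindingCertificate is a hypothetical helper name.
function Test-BindingCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StoreName = 'My'   # the 'Personal' store
    )

    # Text copied from a certificate dialog can carry spaces or invisible
    # characters; keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }

    $cert = Get-Item -Path "Cert:\LocalMachine\$StoreName\$clean" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "No certificate $clean in LocalMachine\$StoreName." }

    # Recompute the thumbprint: SHA-1 over the raw (DER) certificate bytes.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $hash = [System.BitConverter]::ToString($sha1.ComputeHash($cert.RawData)) -replace '-', ''
    $sha1.Dispose()

    # No EKU extension means the certificate is not restricted by purpose.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')

    [pscustomobject]@{
        Subject           = $cert.Subject
        ThumbprintMatches = ($hash -eq $cert.Thumbprint)
        HasPrivateKey     = $cert.HasPrivateKey   # required for an HTTPS binding
        Expired           = ($cert.NotAfter -lt (Get-Date))
        ServerAuthAllowed = $serverAuth
    }
}

# Usage with a placeholder value (replace with the thumbprint from your project):
# Test-BindingCertificate -Thumbprint '<40-hex-digit thumbprint>'
```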
Install PFX certificate from the package
Select this option if you want to install on the server a digital certificate for your Web Site. The digital certificate will reside as a binary resource within the package, with the password you provide securely encrypted.
Install PFX certificate chosen at run time
If you don't want to store the digital certificate and password in your package, you have the option of letting the installing user provide them through the installation UI, by means of Windows Installer Properties.
For details on how to choose a digital certificate file from the installation package UI, please read the Browse for file how-to article.
Remove this binding's certificate at Uninstall
Enable this option to remove the certificate associated with this binding on package uninstall.
Use the SSL (Secure Sockets Layer) Settings to manage data encryption of transmissions between your server and clients. Additionally, by selecting Ignore, Accept or Require certificates you can require a client to be identified before gaining access to content.
Select this option to enable a 40–bit data encryption method that you can use to help secure transmissions between your server and clients. This option setting works in both Intranet and Internet environments.
Require 128-bit SSL
Select this option to provide stronger encryption than the 40–bit version. You can use 128–bit SSL to help secure transmissions between your server and clients in either an Intranet or Internet environment.
Configure how the server should handle the client identity when connecting securely to the Web Site. The following options are available:
- Ignore (default) - server does not accept client certificates if they are provided
- Accept - server accepts client certificates (if they are provided) and verifies client identity before allowing the client to gain access to content
- Require - server requires that certificates verify client identity before allowing the client to gain access to content
The Ignore option does not require clients to verify their identity before gaining access to your content. Therefore, this is the least secure of these settings.
Always negotiate client certificate
This setting controls SSL client connection negotiations. If checked, any time SSL connections are negotiated the server will immediately negotiate a client certificate, preventing an expensive renegotiation. Setting this option also helps eliminate client certificate renegotiation deadlocks, which may occur when a client is blocked on sending a large request body.
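To verify after installation what a site ended up with, the options above can be read back from the IIS configuration. This is an added example, not Advanced Installer code; it assumes the options correspond to the `sslFlags` attribute of the IIS `system.webServer/security/access` section, and the function name and sample values are constructed for illustration.

```powershell
# Added example. $SslFlags is the comma-separated sslFlags value of the
# system.webServer/security/access section (None, Ssl, SslNegotiateCert,
# SslRequireCert, Ssl128). Get-SslSettingSummary is a hypothetical name.
function Get-SslSettingSummary {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$SslFlags)

    $flags = @($SslFlags.Trim() -split '\s*,\s*' | Where-Object { $_ -and $_ -ne 'None' })

    # Translate the flags back into the Ignore / Accept / Require choice.
    $clientCerts = 'Ignore'
    if ($flags -contains 'SslNegotiateCert') { $clientCerts = 'Accept' }
    if ($flags -contains 'SslRequireCert')   { $clientCerts = 'Require' }

    $findings = @()
    if ($flags -notcontains 'Ssl') {
        $findings += 'SSL is not required: content is also served over any HTTP binding.'
    }
    if ($clientCerts -eq 'Ignore') {
        $findings += 'Client certificates are ignored: clients are not identified by certificate.'
    }
    if ($clientCerts -eq 'Require' -and $flags -notcontains 'Ssl') {
        $findings += 'Client certificates are required but SSL is not.'
    }

    [pscustomobject]@{
        RequireSsl         = ($flags -contains 'Ssl')
        Require128Bit      = ($flags -contains 'Ssl128')
        ClientCertificates = $clientCerts
        Findings           = $findings
    }
}

# Constructed sample values (not read from a real server).
foreach ($value in 'Ssl, SslNegotiateCert, SslRequireCert, Ssl128', 'SslNegotiateCert', 'None') {
    Get-SslSettingSummary -SslFlags $value | Format-List
}
```

On current Windows versions the cipher strength actually negotiated is decided by the server's Schannel cipher-suite configuration, so these flags set a minimum requirement for the site and do not select the cipher.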