Securing Web Communications: Certificates, SSL, and https://

This article describes what you need in order to configure secure communication between a browser and a web server, and how to test secure communication for your website using IIS Express and WebMatrix.

What you'll learn

  • What is an SSL certificate and why you need one on a secure website.

  • How to enable SSL in WebMatrix.

If your website lets users enter sensitive information in the browser and send it to the server, you really should secure that communication. Sensitive information might be a password, a social security number, or a credit card number - basically, anything that no one should know except the user and your website.

To establish secure communications between the user and your website, you need an SSL certificate. A certificate does two things:

  • It verifies that your site belongs to you. This assures users that they're sending sensitive information to you and not to a malicious user whose site looks like yours.

  • It enables encryption of the communications between the user's browser and the web server where your site is hosted. (This is the "SSL" part of "SSL certificate": SSL stands for "Secure Sockets Layer," the security protocol used to encrypt the communication.) Encryption prevents people from eavesdropping and reading the sensitive information.

As a user, you've probably relied on SSL certificates many times. Any time you access a website using https:// instead of http:// (for example, when you buy something online or do your banking online), you're using SSL. If you've noticed this, you've also noticed that you as a user don't have to do anything to use SSL and https://; the verification and encryption all happen automatically.

When you create a website, though, it's up to you to get a certificate and to make sure your site is configured to use it. Certificates are sold by various companies and are valid for a specified time. (Search for "SSL certificate" on the web.) Hosting providers often offer SSL certificates to go along with their hosting plans. To get a certificate, in addition to paying the fee, you must provide information about your company or yourself so that the certificate authority (CA) can validate who you are and then encode this information into the certificate. When the process is finished, the CA sends you some files that constitute the certificate.

After you've acquired a certificate, it has to be installed on the server where your website is hosted. If you're using a hosting provider, you don't have direct access to the server and therefore can't install the certificate yourself. Instead, the hosting company typically provides a configuration utility or dashboard that lets you send them the certificate (if they didn't issue it themselves) and install it on their servers. If you are managing your own server, you need to install the certificate yourself. (If you're using IIS 7, see How to Set Up SSL on IIS 7 on the IIS.net website.)

Testing SSL in WebMatrix

When you're creating a website in WebMatrix, you want to be able to test that sensitive pages are working properly using SSL. To help with this, WebMatrix includes a self-signed certificate that's created by IIS Express. A self-signed certificate performs the encryption that certificates do, but it has not been verified by a CA. It's therefore useful for testing to make sure that encryption is working. However, it's not suitable for use with a live site, because users would see an error message that warns them that the certificate is not authenticated.

To use the self-signed certificate in WebMatrix, in the Site navigation pane, click Settings. Under SSL Connection, select Enable SSL.

Although SSL is enabled, when you run a page from WebMatrix using IIS Express, the page will automatically use the http:// protocol. To verify that the https:// protocol is using the self-signed certificate, click Run and then choose a browser option with HTTPS.

Because you're testing using a self-signed certificate, the browser will display an error. For example, here's what Internet Explorer displays:

[Screenshot: the certificate error page in Internet Explorer]

Because you're just testing in WebMatrix, it's safe to go ahead and click Continue to this website (or whatever similar option you see in other browsers).

The browser will often indicate that you're using a non-trusted certificate. In Internet Explorer, the address bar is shown with a red background and "Certificate Error" is displayed:

[Screenshot: the Internet Explorer address bar with a red background and "Certificate Error"]

In Google Chrome, the address bar shows the protocol (https://) with a line through it:

[Screenshot: the Google Chrome address bar with https:// struck through]

However, when you later deploy your website to the server where your real certificate is installed, you won't see this error any more.
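To confirm that the browser warning comes only from the certificate being self-signed, and that the deployed site later presents a certificate that chains to a trusted CA, you can inspect what the server actually sends. The PowerShell below is an added example, not part of the original article; the function name Get-TlsCertificateReport and the localhost port in the usage line are assumptions.

```powershell
# Added example, not from the original article.
# Get-TlsCertificateReport is a hypothetical helper name.
function Get-TlsCertificateReport {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever the server presents so it can be inspected.
        # No application data is sent; trust is evaluated separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }

    # Build the chain against the machine's trusted roots, as a browser would.
    # Revocation checking is skipped so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        DnsName      = $cert.GetNameInfo('DnsName', $false)
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)   # issuer is the subject itself
        NotAfter     = $cert.NotAfter
        ChainTrusted = $trusted
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Local test site: the port is an assumption; use the one shown in the
# browser's address bar when you run the page with an HTTPS option.
Get-TlsCertificateReport -HostName localhost -Port 44300

# Deployed site (placeholder host name): expect SelfSigned = False,
# ChainTrusted = True and an empty ChainErrors.
# Get-TlsCertificateReport -HostName www.example.com
```

For the IIS Express test certificate, SelfSigned is True and ChainErrors typically contains UntrustedRoot unless the certificate has been added to the machine's trusted roots. Any other status, such as NotTimeValid, points to a problem beyond the self-signed warning.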
