I recently got curious about use of SSL in SSRS. I mean I know that it has an option to use secure HTTP but I have never used it. Because in all of the places where I have worked were either not interested in using SSL or just felt that it is too expensive to use and maintain ‘em.
So this weekend I decided to take matters in my hand and decided to start my journey to make SSRS use SSL . And first step for me was to make IIS use SSL. I really don’t have expertise to explain how SSL works but it is basically process of exchanging information between server and client via certificates and then verifying that information to make sure that both server and client are really what they say that they are.
And as you know that these server certificates has to be signed by some kind of CA (certificate authorities) and they charge hefty amount of $$$ for these kind of certificates. But if you want to use your secure HTTP just for very limited userbase or want to test some SSL based features then IIS has a feature called “self-signed certificates” which basically allows users to create their own certificates to use !!
This whole process of generating self-signed certificate is very easy process. For that just open up IIS Manager and select “Server Certificates”. Open up that option and on right hand side there is a sidebar with bunch of different options. One of the option is “Create Self-Signed Certificate”, click on that option and it will open up a small window. This window will prompt to specify “user friendly” name for that certificate. And that it !! Once user friendly name is entered, it creates certificate for you … just like that …
Next is to configure IIS to use that certificate. You have option to use HTTPS for some specific file or for a site. In this demo I am configuring to use HTTPS for default web site in IIS. For that just select default site and again on left sidebar there is an option called BINDING.
Select that option, and it will open up a screen where you need to select HTTPS as type and then select name of SSL certificate. If you click on view you will notice that this certificate is issued to “Test-PC” which is name of my test VM. And this concludes configuration of IIS to use certificate.
To test this, just go to https://localhost/ and it should show a warning page instead of standard IIS welcome page !! Reason is, this certificate is not issued by some CA thus web browser thinks that it is not real or secure enough (which is true !). But if you select option “continue to this website (not recommended) you will see that standard IIS welcome page.
I have few words of advice for anyone who want to use this method.
A) This is self-signed certificate so there is actually no way to verify authenticity of server and thus it is not so secure mechanism for applications accessed over internet.
B) I think ideal use for this is for some limited number of users located in same domain as of IIS.
C) If more that one service is going to use this certificate then I think you will have to create multiple certificate to each service and it is obviously not the best choice. Instead I think it is better to use “Domain Certificate” in conjunction with in-house CA Server .. that’s what I want to achieve ultimately to use for my SSRS with SSL target … but it is for some other time
And this ends this post about how to setup SSL in IIS.
It’s Just A Thought …