converting from http to https
Hi,
We are wanting to convert from http port 80 to https port 443. We have a certificate. Is there any information on how to best accomplish this in an existing system? I'm sure others have done this. What issues did you encounter, and how were they resolved? Thanks!
Best Answers
Tom_Hendricks Customer Super IT Monkey ✭✭✭✭✭
Completely agree with @Adam_Dzyacky above. Use the MMC console for requesting internal certificates from your root CA, following its (hopefully more robust) policies, and I believe you would also add external certificates (if your site is publicly accessible) from there as well.
While you did not mention this, @Mike_Storms, the first thing I thought of when reading your question was redirection from http to https.
I am assuming here that you have added a binding to the site in IIS for HTTPS to port 443 (or another, if you choose) and you added your certificate to the binding. This is essentially what the second page of the Cireson Portal installer does as well. You could re-run it if you prefer that to the IIS interface. It can also be done via PowerShell. The Cireson Portal installer used to eliminate this binding every time it ran, so I had to script this and run it each time we updated. This script assumes that you installed the cert the way Adam described above.
I have posted this script in a different comment thread, already. It also includes the HTTP to HTTPS redirection and setting the session timeout, at the bottom (which you can remove if desired, of course).
Tom_Hendricks Customer Super IT Monkey ✭✭✭✭✭
If you use redirects, it will not be necessary to change your links. However, you may want to do this anyway as you are able to.
As for the installer, make sure you have added your cert following @Adam_Dzyacky's instructions (he should get answer credit for this, IMO. My comment was just something to consider along with it.). Then I believe it will appear in the list, in the installer. I added mine in the IIS binding before the installer recognized certs, so I am not sure if one depends on the other. The installer will ask for a non-https port (defaults to 80) and an https port (443) that your cert will be bound to. Having both makes sense if you allow http traffic but redirect it to https. I am not sure if you can install if you cleared port 80, for example.
If you think about it though, it is a better user experience to allow both http and https, but force all http urls to be rewritten (by the server) as https. That way, the connection is still secure even if your user typed it the wrong way or simply didn't specify (which your browser will auto-fill as http).
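The steps discussed in this thread (certificate in the Computer account's Personal store, HTTPS binding on port 443, HTTP-to-HTTPS redirect), as an added example; it is not the script Tom_Hendricks refers to, which is not on this page. The site name, host name and rule name are placeholders, the site is assumed to have a single binding on port 443, and the redirect assumes the IIS URL Rewrite module is installed.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Assumed values (not from the thread): adjust to your environment.
$SiteName = 'CiresonPortal'           # hypothetical IIS site name
$HostName = 'portal.example.com'      # placeholder host name on the certificate
$RuleName = 'Redirect HTTP to HTTPS'  # hypothetical rewrite rule name

# 1. Pick a usable certificate from the Computer account's Personal store:
#    it must have a private key, be unexpired and list the host name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $HostName in LocalMachine\My" }

# 2. Add the HTTPS binding only if it is missing (safe to re-run after an
#    installer upgrade has removed it), then attach the certificate.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
}
if ($binding.certificateHash -ne $cert.Thumbprint) {
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# 3. Keep the port 80 binding, but redirect every HTTP request to HTTPS.
$site  = "IIS:\Sites\$SiteName"
$rules = 'system.webServer/rewrite/rules'
$rule  = "$rules/rule[@name='$RuleName']"
if (-not (Get-WebConfiguration -PSPath $site -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' -Value @{
        name = $RuleName; stopProcessing = 'true' }
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name url -Value '(.*)'
    # Only requests that arrived without TLS match the rule.
    Add-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' -Value @{
        input = '{HTTPS}'; pattern = '^OFF$' }
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name type -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name url `
        -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name redirectType `
        -Value 'Permanent'
}
```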
Answers
There isn't much in the way of Cireson-specific documentation, as the portal sits entirely on IIS, which is where this change is made. However, it should be as simple as adding a new binding for port 443 on the same web server, providing the cert, and the host name. In order to even select the cert within the IIS binding window, the cert will need to be placed in the Personal store of the Computer account.
What about any hard-coded links in notifications? I assume they would need changing to point to https. Is that correct?