Enforcing HTTP to HTTPS on IIS

Kent Chen — Thu, 25 Apr 2024 05:49:23 +0000

The IIS server on Windows doesn’t have a feature that can automatically redirect traffic out of the box. There are multiple ways to accomplish it but the easiest way is probably to use a module called URL Rewrite.

Go to the URL Rewrite Module site to download the installation file and run it on a server you want to enforce the HTTPS traffic.

Once installed, go to the SSL-enabled site on IIS Manager, select URL Rewrite, Add Rules, and a Blank rule.

Name your rule and set up the details as below:

Match URL
Requested URL: Matches the Pattern
Using: Wildcards
Pattern: *
Ignore case: Checked

Conditions
Logical grouping: Match Any
Condition input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: OFF
Ignore case: Checked
Track capture groups across conditions: Not checked

Server Variables
Leave blank.

Action
Action type: Redirect
Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
Append query string: Not checked
Redirect type: Permanent (301)

Restart the IIS server and you are all set.

The post Enforcing HTTP to HTTPS on IIS first appeared on KC's Blog.

Self-Signing Certificate to Enable HTTPS on IIS

Kent Chen — Tue, 23 Apr 2024 23:04:49 +0000

For internal-use IIS-based sites, you can enable HTTPS by self-signing a certificate and distributing it through the Group Policy so you can avoid seeing warning messages like this.

Self-Signing a Certificate

Simply open an elevated PowerShell window and run the following command to self-sign a 5-year certificate to the certificate store on the local machine.

New-SelfSignedCertificate -DnsName "servername" -CertStoreLocation cert:\LocalMachine\My -FriendlyName "servername" -NotAfter (Get-Date).AddYears(5)

Technically, you can do so on any given computer but it’s easier to run it right on the IIS server so you don’t have to move the certificate around.

Binding the certificate to IIS

Right-click the site on IIS and choose Edit Binding. Add the HTTPS (443) binding and pick the certificate you just self-signed from the list.

Exporting the certificate

Open the Certificate detail from Server Certificates on the IIS Manager, go to the Details tab, and choose Copy to File… button.

Follow the wizard, choose Yes, export the private key, and Include all certificates in the certification path option to save it with a password.

Distributing the certificate via the Group Policy

Open the Group Policy Management console, and head over to the following location.

Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies

Right-click the Trusted Root Certification Authorities and choose Import.

Then on the File to Import window, pick the PFX file you exported from the last step. Make sure you pick the *.pfx type from the dropdown list.

Forcing HTTPS

Once the certificate gets distributed to the workstations, redirect all HTTP traffic to HTTPS to enforce secure access.

The post Self-Signing Certificate to Enable HTTPS on IIS first appeared on KC's Blog.

IIS | KC's Blog