How to achieve A Grade SSL Certificate on IIS

In this tutorial, we will learn how to achieve an A grade SSL certificate on IIS. A Secure Sockets Layer (SSL) certificate secures your website by encrypting your web traffic. In a Windows Server environment, we generally use Internet Information Services (IIS) as the web server and install an SSL certificate on it to serve the website over HTTPS.

Check rank of your SSL Certificate on SSLLABS

Open https://www.ssllabs.com/ssltest/ and put your website URL say https://devopsmyway.com and submit.

As soon as you submit your website, the test runs and shows the grade of your website's configuration, such as A, B or C.

Here you can see that my website has an A grade certificate. Suppose instead you get a B, C, D, E or F grade for your HTTPS website. In that case, you need to make the following registry changes to get the A grade.

Achieve A Grade SSL Certificate on IIS

Changes that you need to do in your Windows Server registry are as follows:

Please do all the changes carefully and also make sure to take a registry backup before doing any changes.

1. Registry edit to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and enable TLS 1.2

Open Regedit on your Windows Server and navigate to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Add the below keys and their values according to the following table.

Protocol   Subkey   DWORD (32-bit)      Value (hexadecimal)
SSL 2.0    Client   DisabledByDefault   1
SSL 3.0    Server   Enabled             0
           Client   DisabledByDefault   1
TLS 1.0    Server   Enabled             0
           Client   DisabledByDefault   1
TLS 1.1    Server   Enabled             0
           Client   DisabledByDefault   1
TLS 1.2    Server   Enabled             1
           Client   DisabledByDefault   0

Note: Take precautions while making the above registry changes, as they can sometimes affect your RDP connection. Make sure you have physical (console) access to the server so that you can revert the changes if something goes wrong. If you are working in an AWS cloud environment, take an AMI (Amazon Machine Image) before making any changes.

2. Updated support for Diffie-Hellman key exchange

Open Regedit on your Windows Server and navigate to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman

Add the below keys and their values according to the following table.

Modify (or create) the DWORD value ServerMinKeyBitLength and set it to 00000800.

Key              DWORD (32-bit)          Value (hexadecimal)
Diffie-Hellman   ServerMinKeyBitLength   800

3. Registry edit to disable RC4 ciphers

Open Regedit on your Windows Server and navigate to the following path (the RC4 cipher keys live directly under SCHANNEL\Ciphers):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

Add the below keys and their values according to the following table.

Key           DWORD (32-bit)   Value (hexadecimal)
RC4 128/128   Enabled          0
RC4 40/128    Enabled          0
RC4 56/128    Enabled          0
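The three registry changes above can be applied in one go from an elevated PowerShell session. This is an added example, not a script from the original post; it assumes a writable C:\Backup folder for the registry export, sets Server\Enabled=0 for SSL 2.0 as well for consistency with the other disabled protocols, and creates the RC4 keys through the .NET registry API because the HKLM: provider treats the "/" in their names as a path separator.

```powershell
# Added example: apply the SCHANNEL settings from the tables above.
# Run elevated; reboot afterwards so SCHANNEL picks up the new values.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$schannelNative = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Backup first (assumption: C:\Backup is an acceptable location).
New-Item -ItemType Directory -Path 'C:\Backup' -Force | Out-Null
reg export "HKLM\$schannelNative" 'C:\Backup\SCHANNEL-before.reg' /y | Out-Null

function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    # Create the key if it is missing, then write a REG_DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

# 1. Protocols: disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1; enable TLS 1.2
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-Dword "$schannel\Protocols\$p\Server" 'Enabled' 0
    Set-Dword "$schannel\Protocols\$p\Client" 'DisabledByDefault' 1
}
Set-Dword "$schannel\Protocols\TLS 1.2\Server" 'Enabled' 1
Set-Dword "$schannel\Protocols\TLS 1.2\Client" 'DisabledByDefault' 0

# 2. Diffie-Hellman: minimum server key length 0x800 (2048 bits)
Set-Dword "$schannel\KeyExchangeAlgorithms\Diffie-Hellman" `
    'ServerMinKeyBitLength' 0x800

# 3. RC4 ciphers: key names contain '/', so use the .NET API, which only
#    treats '\' as a separator, to create them with their literal names.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$ciphers = $hklm.CreateSubKey("$schannelNative\Ciphers")   # opens if it exists
foreach ($c in 'RC4 128/128', 'RC4 40/128', 'RC4 56/128') {
    $k = $ciphers.CreateSubKey($c)
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}
$ciphers.Close()

# Verify what was written before rebooting.
Get-ChildItem "$schannel\Protocols" -Recurse | ForEach-Object {
    $k = $_
    foreach ($n in $k.GetValueNames()) { '{0} {1}={2}' -f $k.Name, $n, $k.GetValue($n) }
}
```

Restoring is a matter of `reg import C:\Backup\SCHANNEL-before.reg` from the console session and rebooting, which is why the export comes first.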

After making all the above changes, restart your server and check the SSL report for the website again at https://www.ssllabs.com/ssltest/; you will now achieve an A grade.

I hope you have enjoyed the tutorial, please give your comment/feedback in the comment box.
