Use a Self-Signed Certificate to Secure the HPC Basic Profile Web Service

Applies To: Windows HPC Server 2008

You can secure the HPC Basic Profile Web Service using a self-signed certificate. The following procedure describes how to generate, export, and bind a self-signed certificate using the Internet Information Services (IIS) Manager.

Generate, export, and bind the self-signed certificate

You can generate a self-signed certificate using the Internet Information Services (IIS) Manager in Windows Server 2008. Although IIS may be activated to generate the certificate, the HPC Basic Profile Web Service does not use IIS for the operation of the Web service. Unless explicitly needed for other purposes on the head node, you should stop the IIS Web Server after the certificate has been generated, exported, and bound.

You must export the public component of the X.509 certificate from the server so that it can be made available to the Web service clients that will be connecting to the Web service. This establishes the trust chain between the client and the server.

To generate, export, and bind the self-signed certificate

  1. Log on to your head node as a user with Administrator privileges.

  2. Enable the Web Server role on the head node from the Server Manager console.

    To open the Server Manager console: click Start, point to Administrative Tools, then click Server Manager.

  3. Open the IIS Manager:

    Click Start, point to Administrative Tools, then click Internet Information Services (IIS) Manager.

  4. Generate the certificate on the head node:

    1. In the Connections pane, select the head node.

    2. In the views pane, double-click the Server Certificates icon.

    3. In the Actions pane, click Create Self-Signed Certificate.

    4. In the Create Self-Signed Certificate dialog box, type a friendly name for the certificate, then click OK.

  5. Export the public certificate:

    1. In the views pane, select the certificate that you created.

    2. In the Actions pane, click View.

    3. In the Certificates property sheet, on the Details tab, click Copy to File.

    4. Complete the steps in the Certificate Export Wizard, selecting the option No, do not export the private key, and the format DER encoded binary X.509 (.CER).

    5. In the Certificates property sheet, click OK.

  6. Bind the certificate to a specific port and protocol:

    1. In the navigation pane, expand the node for your head node, then click Sites.

    2. In the views pane, select the Default Web Site.

    3. In the Actions pane, click Bindings. This provides a dialog box listing the protocols for the selected Web site.

    4. In the Site Bindings dialog box, click Add.

    5. In the Add Site Bindings dialog box, in the Type drop-down list, select https.

    6. In the SSL certificate drop-down list, select the certificate that you exported.

    7. If you plan to operate the Web service on a port other than 443 (the standard port for Secure Hypertext Transfer Protocol (HTTPS)), provide the new port number.

    8. Click OK to add the site binding and return to the Site Bindings dialog box.

    9. In the Site Bindings dialog box, click Close.

  7. Stop the web server:

    1. In the navigation pane, select the head node.

    2. In the Actions pane, click Stop.

Note

You can run the netsh http show sslcert command in Windows PowerShell to verify the binding between the certificate and the port.
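
The following Windows PowerShell script is an added example, not part of the original procedure. It extends the netsh check above: it confirms that the exported .CER file holds no private key, that the port's binding points at the same certificate, and that the head node still holds the matching private key. The file path is a hypothetical placeholder, and the script assumes the default "All Unassigned" binding (0.0.0.0) and English-language netsh output.

```powershell
# Added example: verify the exported certificate and its HTTPS binding.
# Run from an elevated Windows PowerShell prompt on the head node.
param(
    [string]$CerPath = 'C:\Temp\hpcbp-public.cer',  # hypothetical export path
    [int]$Port = 443                                # port chosen in the binding step
)

# Load the exported file. An export made with "No, do not export the
# private key" carries only the public certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($cert.HasPrivateKey) {
    throw "File $CerPath carries a private key; export again without it."
}

# A self-signed certificate has the same subject and issuer.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Not self-signed: issuer is $($cert.Issuer)"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}

# Read the HTTP.sys binding for the port and extract the certificate hash.
$netsh = netsh http show sslcert "ipport=0.0.0.0:$Port"
$boundHash = $null
foreach ($line in $netsh) {
    if ($line -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        $boundHash = $Matches[1]
        break
    }
}
if (-not $boundHash) {
    throw "No SSL certificate binding found for 0.0.0.0:$Port"
}

# The bound hash must equal the thumbprint of the file given to clients
# (-ne compares strings case-insensitively).
if ($boundHash -ne $cert.Thumbprint) {
    throw "Port $Port is bound to $boundHash, not to $($cert.Thumbprint)"
}

# The server side needs the private key in the local machine store.
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $serverCert -or -not $serverCert.HasPrivateKey) {
    throw "No certificate with a private key for $($cert.Thumbprint) in LocalMachine\My"
}
Write-Output "OK: port $Port is bound to $($cert.Subject), valid until $($cert.NotAfter)"
```

Clients that receive the .CER file can compare its thumbprint with the value this script reports before they add it to their trust store.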

Additional references