SSL and Virtual Server
Q: Rod has this question: "I recently made the switch over to Virtual Server 2005 from VMware. I love the web based interface but am having troubles with enabling SSL. Can I use SelfSSL from the IIS6 Reskit? Could I set up a CA in a virtual machine to create the website and VMRC SSL certificates? Any tips on securing the Admin website and VMRC?
A: Here's a response from Ed Reed, a developer on the Virtual Machine team, and our resident VM security expert:
For the Administration Website, there are no special requirements for an SSL certificate. As long as the certificate supports Server Authentication, it really doesn't matter where the certificate comes from. The choice of certificate, however, determines the level of security that SSL encryption can provide. Here are some links to relevant information:
- Designing a Public Key Infrastructure:
https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b1ee9920-d7ef-4ce5-b63c-3661c72e0f0b.mspx - Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure: https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
- Windows Server 2003 PKI Operations Guide: https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
- How to implement SSL with a stand-alone certificate server in Virtual Server 2005: https://support.microsoft.com/default.aspx?scid=kb;en-us;887490
The requirements are different, however, for VMRC. Because Virtual Server runs as NetworkService, you need to create the VMRC SSL certificate using the IVMVirtualServer::VMRCCreateEncryptionCertificateRequest COM interface. You can also create this certificate from the Administration Website on the Virtual Machine Remote Control (VMRC) Server Properties page. This request makes a temporary certificate that can be used to perform SSL encryption, however, it doesn't have the full security of a certificate signed by a third-party CA. If you use MAKECERT or some other tool, the private key is stored such that it is inaccessible to NetworkService. Such a certificate will not work for VMRC.