Setup HSTS and rewrite for IIS 8 and .NET

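For a .NET website, the simple way is to update your web.config with the following. The header tells browsers to use only HTTPS for this site for the next year (max-age=31536000 seconds). Browsers ignore the header on plain-HTTP responses, so the rewrite rule is what moves HTTP requests over to HTTPS: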


<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- HSTS: browsers remember to use HTTPS for one year -->
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
  <rewrite>
    <rules>
      <!-- Permanently redirect any request that arrived over plain HTTP -->
      <rule name="HTTPS force" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="^OFF$" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>


If you want to do it with IIS 8

  • Open IIS 8
  • Click “Add Rule(s)”
  • Blank rule
  • Name: HSTS Redirect
  • Requested URL: Matches the Pattern
  • Using: Regular Expressions
  • Pattern: (.*)
  • Ignore case: Checked

Conditions

  • Logical grouping: Match all
  • Click “Add”
  • Condition input: {HTTPS}
  • Check if input string: Matches the Pattern
  • Pattern: ^OFF$
  • Ignore case: Checked

Action

  • Action type: Redirect
  • Redirect URL: https://{HTTP_HOST}/{R:1}
  • Append query string: Checked
  • Redirect type: Permanent (301)
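
To check that a site's web.config really carries both pieces (rules created in IIS Manager at the site level are saved into the same file), the following added example, which is not part of the original post, parses the file and lists what is missing. The names audit_web_config and forces_https and the one-year minimum for max-age are assumptions of this example; the sample input is the fragment from this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the web.config fragment shown on this page.
SAMPLE = """<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
  <rewrite>
    <rules>
      <rule name="HTTPS force" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="^OFF$" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>"""

def forces_https(rule):
    """True if an enabled rule permanently redirects {HTTPS}=off requests to https://."""
    off = any(c.get("input") == "{HTTPS}" and "off" in c.get("pattern", "").lower()
              for c in rule.findall("conditions/add"))
    act = rule.find("action")  # an omitted redirectType is treated as Permanent
    return (off and act is not None and rule.get("enabled", "true").lower() == "true"
            and act.get("type") == "Redirect" and act.get("redirectType", "Permanent") == "Permanent"
            and act.get("url", "").lower().startswith("https://"))

def audit_web_config(xml_text, min_max_age=31536000):  # threshold is an assumption
    """Return a list of findings; an empty list means both settings are in place."""
    root = ET.fromstring(xml_text)
    ws = root if root.tag == "system.webServer" else root.find("system.webServer")
    if ws is None:
        return ["no <system.webServer> section"]
    findings = []
    hsts = [a.get("value", "") for a in ws.findall("httpProtocol/customHeaders/add")
            if a.get("name", "").lower() == "strict-transport-security"]
    age = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I) if hsts else None
    if not hsts:
        findings.append("Strict-Transport-Security header missing")
    elif age is None or int(age.group(1)) < min_max_age:
        findings.append("HSTS max-age missing or below %d" % min_max_age)
    if not any(forces_https(r) for r in ws.findall("rewrite/rules/rule")):
        findings.append("no enabled permanent HTTP-to-HTTPS redirect rule")
    return findings
```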

How to Setup Free SSL on your website in IIS 8

The Site I used for this example is https://www.sslforfree.com/

  • Create an account
    • This will let you create 3 free 90 day CERTS
  • Click New Certificate
  • Enter your domain:
    • www.reynoldtech.com
  • Select 90-Day Certificate
  • Auto-Generate CSR
  • Select the Free Plan

Your Certificate has been created

  • Email it to yourself
    • Must be admin email
  • Click Verify Domain
    • Email will be sent to your admin
    • This may take a few minutes
  • Copy the Verification Key from email
  • Go To Verification Page from email
  • Paste in the Verification Code
  • Certificate will be Issued
    • You will get a notification email
  • Click the Install Certificate link from the email

Download Certificate

  • This is a zip file with the following:
    • ca_bundle.crt
    • certificate.crt
    • private.key

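We need to convert this to PFX/PKCS#12 so that IIS 8 can read it. Note that the online converter below receives your private.key; OpenSSL can perform the same conversion locally, so the key never leaves your machine.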

  • Go to: https://sslshopper.com/ssl-converter.html
    • Certificate File to Convert: certificate.crt
    • Type of Current Certificate: Standard PEM
    • Type To Convert To: PFX/PKCS#12
    • Private Key File: private.key
    • Chain Certificate File: ca_bundle.crt
  • Click “Convert Certificate”
  • You will download “certificate.pfx”

Upload all 4 files to your webserver that runs IIS

  • ca_bundle.crt
  • certificate.crt
  • certificate.pfx
  • private.key

On your webserver

  • Right-click: ca_bundle.crt
  • Install Certificate
    • Local Machine
    • Automatically select the certificate store based on the type of certificate
    • Next/Finish

Start IIS 8 Manager

  • Click Your Server
  • Open “Server Certificates”
  • Click “Complete Certificate Request”
    • File name containing the certification authority’s response: certificate.pfx
    • Fill in Friendly Name: www ReynoldTech yyyy-mm-dd
    • You can delete the old one later…
    • Select a certificate store for the new certificate: Personal
  • Navigate to “Sites”
  • Select your website
  • Click “Bindings”
    • If you are renewing, just select the new SSL certificate (Edit)
    • Add
      • Type: https
      • IP address: All Unassigned
      • Port: 443
      • Host name: www.reynoldtech.com
      • Check: Require Server Name Indication
      • SSL certificate: www ReynoldTech yyyy-mm-dd
  • Restart your website
  • Your website is now secure
  • If this was a certificate renewal, you can now revoke your old certificate on ZeroSSL or just let it expire

Notes, References, and Special Thanks

The next logical step is to set up a permanent redirect; see this:
https://www.reynoldtech.com/setup-hsts-and-rewrite-for-iis-8-and-net/

This is for most of the IIS setup, but won’t work unless you convert to pfx first:
https://www.godaddy.com/help/manually-install-an-ssl-certificate-on-my-iis-8-server-4951

This YouTube video helped me: (Note, this is in Vietnamese I think, but I was able to follow on how to convert to pfx)
https://www.youtube.com/watch?v=l1j7QBFE32s

Connecting to SQL Server after installation

After installing SQL Server, you will need to configure it so you can connect.

Open SQL Server Configuration Manager

SQL Server Network Configuration:

Protocols for YOURINSTANCENAME
TCP/IP: Enabled

Restart YOURINSTANCENAME

SQL Server Network Configuration:

Protocols
TCP/IP
IP Addresses
TCP Port: 9999 (your chosen port)

Create a Firewall Rule for the port:

Name it something like SQLServer 9999 TCP

Your connection to this new instance from SQL Server Management Studio will be:

yourdomain.com\YOURINSTANCENAME,9999