Installing an SSL / TLS certificate on Windows Server 2008
To secure web traffic, SSL (Secure Sockets Layer) is generally used as a first line of defense (you know, it makes the little padlock icon appear in your browser). SSL is also known as TLS (Transport Layer Security), which is its newer name. Normally you access a site by navigating your browser to some place like: http://www.devtoolshed.com
This kind of communication between your browser and the web server sends information "in the clear", meaning that an attacker can read this traffic. If it contains anything private, like a credit card number, the attacker can see that too. The "http" in the browser URL tells you that the connection is NOT secured by SSL.
Therefore, when sensitive information needs to be passed between your browser and a web server, SSL is often used to encrypt the traffic (basically, to turn it into gibberish characters) so that only the server and the browser can decrypt it (decryption turns the gibberish back into readable information). When running under SSL, instead of using "http" at the front of your browser address, you will use "https" (the "s" stands for "secure"). For example, the URL above would change to: https://www.devtoolshed.com
How SSL Works
The way SSL works is somewhat complicated, but at a high level you can understand it this way (admittedly, this has been GREATLY simplified to make it easy for non-technical readers to understand, so don’t hold it against me if there are things here that are not exact). Most popular browsers, including Internet Explorer and Firefox, ship with a list of "trusted root certificates". These certificates are publicly available "passwords" that are digitally signed by a CA (Certificate Authority). CAs are companies that the Internet community has generally agreed to trust. They sell SSL certificates. Popular CAs you may have heard of include VeriSign, Thawte, Entrust, and GoDaddy.
The process to obtain a certificate generally follows these steps. You generate a long "password" on your server called a CSR (Certificate Signing Request). You send this CSR to the CA to digitally sign it for you. The CA sends back your CSR digitally signed by their trusted root certificate. This becomes your SSL certificate. You then install this SSL certificate on your server. The following is a step-by-step guide to installing the certificate in Internet Information Services (IIS) 7 on Windows Server 2008.
Installing an SSL Certificate on Windows Server 2008
Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.
Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.
On the right side, choose Create Certificate Request to start the process of generating your CSR for your certificate.
In the Request Certificate dialog, fill in all of the fields and click Next.
What do all of these fields mean?
Common name: This is the full domain name that your certificate will be securing. Certificates are bound to a specific domain, so when creating your request you must specify which domain this certificate will be securing. NOTE: domains and sub-domains are different, so if you had mydomain1.devtoolshed.com and mydomain2.devtoolshed.com, you would need to purchase a certificate for each. Even though they both use the domain devtoolshed.com, each sub-domain is treated separately.
Organization: The exact name of your company or organization as filed with the government. When the CA runs its background check on your organization before issuing the certificate, it will check that this name exactly matches your organization’s name. That means if you have "inc" or "LLC" on the end of your name, make sure to put that in as well.
Organizational Unit: This is the division or group for which this certificate is being requested. Most CAs do not check this field, so it is mostly informational.
City / Locality: The city where your company or organization is located.
State / Province: The state, province, or region where your company or organization is located. If possible, use the full name of the place instead of its abbreviation.
Country / Region: The country where your company or organization is located. This can be abbreviated with the two-letter ISO country code.
Choose the Cryptographic Service Provider (you can leave this as the default in most cases). Then choose a Bit Length of 2048 or higher. Then click Next.
Enter the name of a .txt file that you want the CSR written to. The file will be created, so it does not need to exist yet. Then click Finish.
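The wizard steps above can also be scripted with the built-in certreq and certutil tools, which makes it easy to check the key length and common name before the request goes to the CA. This is an added example, not part of the original article; the subject values, working folder, and file names are placeholders chosen for illustration.

```powershell
# Added example (not from the article): build the CSR with certreq instead of
# the IIS wizard, then check it before it goes to the CA.
# Run from an elevated prompt. Subject values and paths are placeholders.
$subject = 'CN=www.example.com, O=Example Widgets LLC, OU=IT, L=Seattle, S=Washington, C=US'
$minBits = 2048
$work    = Join-Path $env:TEMP 'csr-demo'
$inf     = Join-Path $work 'request.inf'
$csr     = Join-Path $work 'request.txt'
New-Item -ItemType Directory -Path $work -Force | Out-Null
if (Test-Path $csr) { Remove-Item $csr }   # start from a clean output file

# The [NewRequest] keys mirror the wizard: Subject = the six name fields,
# ProviderName = Cryptographic Service Provider, KeyLength = Bit Length.
# Exportable = FALSE keeps the private key from being exported later;
# set it to TRUE if you need to back the key up to a PFX file.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = $minBits
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
"@ | Set-Content -Path $inf -Encoding ASCII

# The private key is created in the machine store and stays on this server;
# the output file holds only the public key and the subject.
certreq -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Decode the request and confirm what the CA will see.
$dump = (certutil -dump $csr | Out-String)
if ($dump -match 'Public Key Length:\s*(\d+) bits') { $bits = [int]$Matches[1] }
else { throw 'Could not read the key length from the certutil output' }
if ($bits -lt $minBits) { throw "Key is only $bits bits; regenerate with $minBits or more" }
if ($dump -notmatch 'CN=www\.example\.com') { throw 'Common name in the CSR does not match the site' }

Write-Host "CSR written to $csr (${bits}-bit key). Send only this file to the CA."
```

Once the CA returns the signed file, `certreq -accept` followed by the path to that file is the command-line counterpart of the Complete Certificate Request link.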
Now that you have this CSR, you can open the .txt file that you just generated to find the signing request code that you must send to your CA to get it digitally signed. Depending on your CA, you will need to provide this along with other information. Once the request is complete and you’ve paid for your certificate, you will usually receive it via email or as a web link to download. Download your certificate and you are now ready to install it back to your server.
In IIS, make sure you are back on the Server Certificates icon (double-clicked like you did in the previous steps). On the right side will be a new link Complete Certificate Request. Click this link to start the process of installing your certificate.
Use the … button to browse to the certificate you received from the CA. This certificate file may have a ".cer" extension in some cases. If so, make sure to click the drop down on the file picker dialog and choose "all files *" so that it shows up in your file view. Choose this file and then enter a friendly name (this is just a name you want to show up in the IIS list so you can tell what this certificate is for). You can put whatever you want to help you remember this certificate in the Friendly Name. Then click OK.
You will now see your certificate listed as a new certificate available to use. You can configure your site now to use this certificate for SSL traffic. There is more information here about configuring certificates and other details for IIS 7: