Author: Internet Prodigal Box (formerly known as littlehb)
http://blog.9cbs.net/littlehb/
First, the server is equipped with CA (CERTIFICATE SERVER)
1, install CA on the server
The installer with CA in Win2000. Click Start, Control Pannel Add / Remove Program Click Add / Remove Windows Compence. When Windows Component Wizard appears, select the certificate service (Certificate Services). In the next step, the installation needs to point out the type of server authorization, generally as a separate web server, select Stand-Alone root CA. Then, you need to specify the shared folder, which is the configuration data storage location of the certificate service, click Next, after installation.
Note: When you create a CA organization, the named by the CA organization is the name of the person you are defined. In the client's IE, the root certificate authority that does not belong to the client trust at the beginning, if the client does not put the CA organization Add as our own trusted root certificate authority, the security warning message will appear when the client accesses the website on the server.
2, establish and install a site certificate
Proceed as follows:
A, open IIS, select the site to install the certificate, click Right click, select Properties in the pop-up menu, in the pop-up dialog box, click the Directory Security property page, click the Server Certificate button, appear Iis Certificate Wizard dialog box This step is the operation of the completed functionality that generates a key file to the CA application digital certificate, and the file is stored in the local directory in the format of .txt.
B, access the registration control and its form by the Certificate Server Enrollment page:
On the machine installed in the Certificate Service, you can
The certificate Server Administration Tools web page of http: // localhost / certsrv can access the registration control. Select the Request a certificate option, select Advance Request in the next page, here you need to note that this item must be selected if you apply for a digital certificate, because the digital certificate given the website needs to use the specific dense generated in the A step. Key files that can generate unique digital certificates belonging to the site. Generally User Certificate Request is two ways to design the client designed to access the site, respectively, of the Web Browser Certificate and E-mail Protection Certificate. Customers apply to Web Browser Certificate to apply for access to SSL-protected websites, and E-mail protection certificate is the information transfer when protecting customers' email. Advanced Certificate Requests we will choose from the next page We choose Submit a certificate Request Using A Base64 Encode PKCS # 10 File OR A Renewal Request Using A Base64 Encode PKCS # 7 file. Because this format is consistent with the encryption format of the key file generated in the A step. Then, you can use Browse to upload the .txt key file on the unit to the web page, essay. In the final interface, it is notified that the request has been received and is waiting for the approval of the certificate authority. C, Microsoft's Certificate Service can use MMC to manage:
The request for the server requests digital verification is passed to the CA organization. After opening Start / Program / Administrative Tools / Certification Authority, you can see the Pending Request folder, which contains all certificate requests waiting for the ROOT authorization authority. If the CA certification body feels that the application is feasible, click Right click to select Issue so that the file is moved to IssueD certificates, indicating that the application is successful, this node contains all certificates to approve and published certificates . Vioence, if the CA institution thinks that the application is not feasible, select DENY, which is transferred to the failed request, indicating that the application fails, this node contains all rejected certificate requests. For the digital certificate issued and released, if the CA mechanism wants to cancel the certificate, you can click Right click to select Revoke, and the successful digital certificate is moved to the Revoke Certificate folder, which contains all published but Also revoked certificates.
D, the website submitted digital verification is still passing after a certain period of time.
Http: // localhost / certificaterv is the case where the digital verification they applied is. Select the Check ON A Pending Certificate option and click the Next button to continue. Select the candidate request from the option box, click the Next button to continue. Select Base64 Encoding to download this file and click the Download Ca CA CERTIFICATE link to start the download process. This will receive a server certificate file from the certificate authorization body. Open IIS, select the website that has already been diagnosed, select Properties, select Properties, in the Properties page Directory Security, click the Server Certificate button to launch the Web Service Certificate Wizard, select the Process A Pending Request and Install Certificate option. Select the stored path of Download's digital certificate (ie .cer file) in the previous step to start installing. After the installation is successful, the View Certificate and Edit buttons in the Directory Security property page are changed from disable to enable. The digital verification process of the entire website is completed. 3. About the property settings for Certificate
Click the EDIT button of the Directory Security property page to make the setting of the website digital verification property. First, if the Require Secure Channel (SSL) check box is selected, the HTTP form will not be able to access the site, which is accessible only by HTTPS. If this item is not selected, both HTTP and HTTPS are incorporated in two ways, all access to this website. If this item is selected, there are three ways to choose from, namely Ignore Client Certificate, Accept Client Certificate, and Require Client Certificate. Ignore Client Certificate means that it does not accept customer certificates (default): If the customer browser installed a customer certificate, an Access Denied message will be returned. Accept client certificate indicates that the certificate is accessed regardless of whether the customer has no difference in the client, and the access is allowed in both cases. Ignore Client Certificate indicates that the customer certificate is required: Unless the customer has a legitimate certificate granted by the Root CA (here the certificate server), the access is rejected. The customer wants to access the website, and must first get digital verification from the server, that is, the client must first ask the request for digital authentication to the website to be accessed, and the digital certificate used for the server-side information interaction The website can be accessed, otherwise the website will reject the customer's access.
Different websites can make different settings for these three properties.
4, client SSL configuration
Before starting SSL communication between the browser and the Web site, the client must be able to recognize the server's certificate is legal. To do this, the client must contact the server's certificate authorization agency, in which case the local certificate server. If the front step is not implemented, it will be directly connected to the SSL site, will first receive the security warning information. The customer browser needs to install a certificate in the browser's Trusted root Store. To install the certificate, when the Security Warning dialog appears, click the View Certificate button, there will be a dialog box that contains the certificate information. Click the Install Certificate button to start the certificate import wizard.
For customers, the configuration of SSL is relatively simple. Customers can choose to apply for digital certificates, but not, just if a website accessed by the customer sets the Require Client Certificate property, the customer must get the website. After digital verification, you can access this, in other words, customers want to access access, you must first apply to the website. Customers pass access
http: // servername / certificaterv to apply for digital verification, its operational process and website application digital verification basic light, but it is not an Advance Request this, but use the Web Browser Certificate option under User Certificate Request, just fill in customers After some corresponding information, you can handle the application, and when the CA organization is authenticated, it is also directly downloaded the corresponding digital certificate to this unit. In this way, whenever you access the site, when you pop up the message box that requires the client digital authentication, the customer chooses the digital certificate that has been downloaded, you can visit the website.
Note: If the port number of the site is not the default 80, but it is defined by itself, the corresponding one must set a port number to the SSL PORT, and when accessing HTTP and HTTPS, the port number entered is Inconsistent. If the website uses the default 80 port, SSL does not need to configure a specific port number, and its default port number is 443.
Second, the server and computer independent website with CA (CERTIFICATE SERVER) apply for digital certificates as the previous part. However, the last part of the operation is on the same machine because the CA and the server are located on the same machine, so the http: // localhost / certsrv of the unit can be, and this part, because the CA and the server are independent, so the application When you are also like the client, you can access http: // caname / CERTSRV, which is the same as the specific operations. Just, in this case, if the Require Client Certificate is set, the customer is difficult to access the site because the client cannot issue a request for digital verification to the site. In general, it is best to use Accept Client Certificate.