Create an IIS website for "Kare" - actual combat SSL encryption

zhaozj2021-02-16  63

The Windows Network Operating System Built-in IIS is the most commonly used web server. However, under the system default configuration, IIS uses "HTTP protocol" to transmit data in express form, and is not used by any encryption means. It is easy to steal. This is far less than some websites with high security requirements. In order to ensure that the important data is unloraity, IIS also provides an SSL security encryption mechanism. Here, you will show you how to use SSL security encryption mechanisms in the IIS server.

The author uses Windows Server 2003 (referred to as a Windows 2003) system as an example to show how to apply SSL security encryption mechanism features in the IIS6 server. To create a digital certificate for an IIS website, you must first use the "Web Server Cert Wizard" feature to generate a certificate request file for the site. Go to the Control Panel → Administration Tools → Internet Information Services (IIS) Manager ", expand the" Site "directory in the IIS Manager window, right-click the website you want to use to use the SSL secure encryption mechanism, select" Properties "in the pop-up menu Then switch to the "Directory Security" tab, then click the Server Certificate button. Select New Certificate option in the IIS Certificate Wizard window, click Next, select "Now prepare certificate requests, but send it later", then you will get a name for the certificate in the Name column. Local long "Down-down list" Select "The bit length of the key", here you should pay attention, the length of the length cannot be set, otherwise it will affect the quality of communication; then set the unit, department, and geographic information of the certificate, in the site "utility In the field, enter the domain name of the site, then specify the saving location of the certificate request file, here the author requests the text file in "D\ Certreq.txt". This completes the generation of the certificate request file.

Apply for IIS website certificate

After completing the generation of the certificate request file, you can start the application for IIS website certificates. But this process requires support for certificate services. Windows 2003 System The default status is not installed, you need to add it manually.

● Install the certificate service

Run "Add or Remove Programs" in the Control Panel, switch to the Add / Remove Windows Component page, in the Windows Component Wizard dialog box, select the Certificate Services option, then select the CA type, here the author Select "Separate root CA", then set a name for the CA server, set the validity period of the certificate, it is recommended to use the default value "5 years", and finally the certificate service is completed after the location of the certificate database and the certificate database log is completed. installation.

After completing the installation of the certificate service, you can start the application for IIS website certificates. Run the Internet Explorer browser, enter "LocalHost / Certsrv / Default.asp" in the address bar. Then click on "Application Certificate" link in the "Microsoft Certificate Service" Welcome window, and then click "Advanced Certificate Application" link in the certificate application type, click "Click" Use Base64 Code CMC or PKCS # 10 file in the Advanced Certificate Application window. Submit ... link, then copy the contents of the certificate request file to the "Save Application" input box, here the author's certificate request file content is saved in "D: / Certreq.txt", and finally click the "Submit" button.

IIS website certificate

Although after the application of the IIS website certificate is completed, it is still in a suspended state, and it needs to be issued after it will take effect. Run the Certificate Authority program in the Control Panel → Administration Tools. Expand the directory in the left window of the Certificate Authority, select the "Suspended Application" directory, find the certificate you applied for, right-click the certificate, select "All Tasks →" issued ".

Then click on the "The Certificate" directory to open the certificate that has just been successfully issued and switched to the Details tab in the Certificate dialog. Click the "Copy to File" button, pop up the certificate export dialog, all the way, in the "to export the file" column, here the author saves the certificate path to "D: / Cce.cer", finally click "to complete ". Import IIS website certificate

On the "Directory Security" tab of the IIS Manager, click the Server Certificate button. At this time, "Harcated Certificate Request" dialog box, select "Processing the request and install the certificate" option, click " After step by step, specify the location of the IIS website certificate file just exported, then specify the port used by SSL, it is recommended to use the default "443", and finally click "Finish" button.

Configuring an IIS server

After completing the import of the certificate, the IIS website has not enabled the SSL security encryption function at this time, and the IIS server needs to be configured.

In the "Directory Security" tab, click the "Edit" button of the secure communication bar to select "Require Secure Channel (SSL)" and "Requirements 128-bit Encryption" option, and finally click the "OK" button.

Then click the "Edit" button in the Authentication and Access Control bar, and cancel the "Enable Anonymous Access" and "Integrate Windows Authentication" options in the dialog box, here is the "Basic Authentication" option, and finally click "OK". Button.

figure 1

The Windows Network Operating System Built-in IIS is the most commonly used web server. However, under the system default configuration, IIS uses "HTTP protocol" to transmit data in express form, and is not used by any encryption means. It is easy to steal. This is far less than some websites with high security requirements. In order to ensure that the important data is unloraity, IIS also provides an SSL security encryption mechanism. Here, you will show you how to use SSL security encryption mechanisms in the IIS server.

The author uses Windows Server 2003 (referred to as a Windows 2003) system as an example to show how to apply SSL security encryption mechanism features in the IIS6 server. To create a digital certificate for an IIS website, you must first use the "Web Server Cert Wizard" feature to generate a certificate request file for the site. Go to the Control Panel → Administration Tools → Internet Information Services (IIS) Manager ", expand the" Site "directory in the IIS Manager window, right-click the website you want to use to use the SSL secure encryption mechanism, select" Properties "in the pop-up menu Then switch to the "Directory Security" tab, then click the Server Certificate button. Select New Certificate option in the IIS Certificate Wizard window, click Next, select "Now prepare certificate requests, but send it later", then you will get a name for the certificate in the Name column. Local long "Down-down list" Select "The bit length of the key", here you should pay attention, the length of the length cannot be set, otherwise it will affect the quality of communication; then set the unit, department, and geographic information of the certificate, in the site "utility In the field, enter the domain name of the site, then specify the saving location of the certificate request file, here the author requests the text file in "D\ Certreq.txt". This completes the generation of the certificate request file.

Apply for IIS website certificate

After completing the generation of the certificate request file, you can start the application for IIS website certificates. But this process requires support for certificate services. Windows 2003 System The default status is not installed, you need to add it manually.

● Install the certificate service

Run "Add or Remove Programs" in the Control Panel, switch to the Add / Remove Windows Component page, in the Windows Component Wizard dialog box, select the Certificate Services option, then select the CA type, here the author Select "Separate root CA", then set a name for the CA server, set the validity period of the certificate, it is recommended to use the default value "5 years", and finally the certificate service is completed after the location of the certificate database and the certificate database log is completed. installation. After completing the installation of the certificate service, you can start the application for IIS website certificates. Run the Internet Explorer browser, enter "LocalHost / Certsrv / Default.asp" in the address bar. Then click on "Application Certificate" link in the "Microsoft Certificate Service" Welcome window, and then click "Advanced Certificate Application" link in the certificate application type, click "Click" Use Base64 Code CMC or PKCS # 10 file in the Advanced Certificate Application window. Submit ... link, then copy the contents of the certificate request file to the "Save Application" input box, here the author's certificate request file content is saved in "D: / Certreq.txt", and finally click the "Submit" button.

IIS website certificate

Although after the application of the IIS website certificate is completed, it is still in a suspended state, and it needs to be issued after it will take effect. Run the Certificate Authority program in the Control Panel → Administration Tools. Expand the directory in the left window of the Certificate Authority, select the "Suspended Application" directory, find the certificate you applied for, right-click the certificate, select "All Tasks →" issued ".

Then click on the "The Certificate" directory to open the certificate that has just been successfully issued and switched to the Details tab in the Certificate dialog. Click the "Copy to File" button, pop up the certificate export dialog, all the way, in the "to export the file" column, here the author saves the certificate path to "D: / Cce.cer", finally click "to complete ".

Import IIS website certificate

On the "Directory Security" tab of the IIS Manager, click the Server Certificate button. At this time, "Harcated Certificate Request" dialog box, select "Processing the request and install the certificate" option, click " After step by step, specify the location of the IIS website certificate file just exported, then specify the port used by SSL, it is recommended to use the default "443", and finally click "Finish" button.

Configuring an IIS server

After completing the import of the certificate, the IIS website has not enabled the SSL security encryption function at this time, and the IIS server needs to be configured.

In the "Directory Security" tab, click the "Edit" button of the secure communication bar to select "Require Secure Channel (SSL)" and "Requirements 128-bit Encryption" option, and finally click the "OK" button.

Then click the "Edit" button in the Authentication and Access Control bar, and cancel the "Enable Anonymous Access" and "Integrate Windows Authentication" options in the dialog box, here is the "Basic Authentication" option, and finally click "OK". Button.

figure 1

SSL security encryption mechanism

The Chinese full name of SSL (Security Socket Layer "is a secure communication protocol launched by Netscape, which is located between the HTTP protocol layer and the TCP protocol layer, which is capable of providing credit card and personal information. Strong protection. SSL establishes an encrypted channel between the customer and the server, ensuring that the transmitted data is not illegally stealing, the SSL security encryption mechanism function is implemented using a digital certificate.

After the SSL encryption mechanism is applied, the data communication process of the IIS server is as follows: First, the client establishes a communication connection with the IIS server, then IIS sends the digital certificate to the client to the client. Then use this public key to encrypt the client's session key, passed to the IIS server, and decrypt it with a private key after receiving, then a security data channel is created between the client and IIS server, only The customers allowed by the IIS server can communicate with it. The Chinese version of the mechanism SSL (Security Socket Layer "is" Encrypted Sockets Protocol Layer ", which is a secure communication protocol launched by Netscape, which is located between the HTTP protocol layer and the TCP protocol layer that can be able to credit card and personal information. Provide strong protection. SSL establishes an encrypted channel between the customer and the server, ensuring that the transmitted data is not illegally stealing, the SSL security encryption mechanism function is implemented using a digital certificate.

After the SSL encryption mechanism is applied, the data communication process of the IIS server is as follows: First, the client establishes a communication connection with the IIS server, then IIS sends the digital certificate to the client to the client. Then use this public key to encrypt the client's session key, passed to the IIS server, and decrypt it with a private key after receiving, then a security data channel is created between the client and IIS server, only The customers allowed by the IIS server can communicate with it.

转载请注明原文地址:https://www.9cbs.com/read-16939.html

New Post(0)