The Internet is full of dangers, yet many important applications are built on it. You do not want your bank account number and password to be intercepted by someone sniffing the network. An important way to avoid such problems is to encrypt network transmission. Among the many encryption methods, SSL is a mature, industry-standard technology that is widely used by e-commerce and e-payment sites. The following articles describe how to enable SSL on the Windows and Linux platforms so that web server transmission is encrypted, and finish with some notes on how SSL encryption works. This first article covers SSL protection on Windows.
The author uses Windows Server 2003 (abbreviated Windows 2003) as the example system to describe how to apply the SSL encryption mechanism to an IIS 6 server.
Generate a certificate request file
To create a digital certificate for an IIS website, you must first use the Web Server Certificate Wizard to generate a certificate request file for the site. Go to "Control Panel > Administrative Tools > Internet Information Services (IIS) Manager", expand the "Web Sites" folder in the IIS Manager window, right-click the website that should use SSL, select "Properties" from the menu, switch to the "Directory Security" tab, and click "Server Certificate". In the IIS Certificate Wizard, select "Create a new certificate", click "Next", and select "Prepare the request now, but send it later". Enter a name for the certificate in the "Name" field and choose the key length from the "Bit length" drop-down list; note that a very large bit length slows down SSL communication. Set the organization, organizational unit and geographical information for the certificate, enter the website's domain name in the "Common name" field, and then specify where to save the certificate request file. Here the author saves the certificate request text file as "d:\certreq.txt". The certificate request file is now generated.
Security Attribute page of the IIS Site Directory
Apply for an IIS website Certificate
Once the certificate request file exists, you can apply for the IIS website certificate. This process requires Certificate Services, which Windows 2003 does not install by default; you must add the component manually.
Install the Certificate Service
Open "Add or Remove Programs" in Control Panel and switch to "Add/Remove Windows Components". In the Windows Components Wizard, select "Certificate Services" and then choose the CA type; the author selects "Stand-alone root CA". Next, name the CA and set the certificate validity period (the default of 5 years is recommended). After specifying the location of the certificate database and its log files, Certificate Services is installed.
After Certificate Services is installed, you can apply for the IIS website certificate. Open Internet Explorer and enter "http://localhost/CertSrv/default.asp" in the address bar. On the Microsoft Certificate Services welcome page, click "Request a certificate", then click "Advanced certificate request". On the advanced request page, click the link "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file...", paste the contents of the certificate request file (saved here as "d:\certreq.txt") into the "Saved Request" box, and click "Submit".
Certificate Application page
Application Submission page
Issue IIS website Certificate
After the request is submitted, the certificate is still pending and must be issued before it takes effect. In Control Panel > Administrative Tools, run the Certification Authority console. In the left pane, expand the CA and select the "Pending Requests" folder; in the right pane, find the certificate you just requested, right-click it and select "All Tasks > Issue".
Issue certificate
Open the "Issued Certificates" folder and double-click the certificate. In the "Certificate" dialog box, switch to the "Details" tab and click "Copy to File" to start the Certificate Export Wizard. Specify the file name in the "File to export" field; here the author saves the certificate as "d:\cce.cer". Then click "Finish".
Import IIS website Certificate
On the "Directory Security" tab in IIS Manager, click the "Server Certificate" button again. In the "Pending Certificate Request" dialog box, select "Process the pending request and install the certificate", click "Next", specify the location of the exported IIS website certificate file, and then specify the port used for SSL; the default "443" is recommended. Click "Finish".
Configure IIS server
Importing the certificate does not by itself enable SSL on the IIS website; the IIS server must still be configured.
Select the site directory that should be accessed over SSL (select the whole site for full-site encryption), right-click it and open its Properties page. On the "Directory Security" tab, click "Edit" in the "Secure communications" section, select "Require secure channel (SSL)" and "Require 128-bit encryption", and click "OK". If you need advanced features such as client certificate authentication, you can also enable client certificates here and map specific client certificates to Windows user accounts.
Set Directory encryption Properties
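The same procedure driven from the command line, as an added example that is not part of the article: certreq.exe and certutil.exe ship with Windows Server 2003, and the IIS 6 WMI provider replaces the wizard's last steps. The CA name "CA01\Example Root CA", the host name www.example.com, site W3SVC/1 (the Default Web Site) and the D:\ paths are placeholder assumptions; run it as an administrator on the IIS server.

```powershell
# Added example, not the article's own steps. Placeholders: CA config string, site id, host name.
$caConfig = 'CA01\Example Root CA'
$siteId   = 'W3SVC/1'

# Step 1: certificate request (what the IIS Certificate Wizard produces). The common name must
# be the host name clients type; 2048-bit RSA is the smallest key length worth using today.
$inf = @"
[NewRequest]
Subject = "CN=www.example.com, O=Example Corp, L=Beijing, S=Beijing, C=CN"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
"@
Set-Content -Path 'D:\certreq.inf' -Value $inf
certreq.exe -new 'D:\certreq.inf' 'D:\certreq.txt'

# Step 2: submit to the stand-alone CA. Its policy leaves the request pending, so keep the RequestId.
$submitOutput = certreq.exe -submit -config $caConfig 'D:\certreq.txt' 'D:\cce.cer'
$requestId = ([regex]'RequestId:\s*(\d+)').Match(($submitOutput -join "`n")).Groups[1].Value

# Step 3: issue the pending request (same as "All Tasks > Issue" in the Certification Authority
# console) and retrieve the issued certificate.
certutil.exe -config $caConfig -resubmit $requestId
certreq.exe -retrieve -config $caConfig $requestId 'D:\cce.cer'

# Step 4: accept it into the machine store; this completes the pending request from step 1.
certreq.exe -accept 'D:\cce.cer'

# Step 5: bind the certificate to the site (wizard: "Process the pending request"). The site's
# existing SecureBindings (":443:" on the Default Web Site) supplies the SSL port.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.example.com*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$site = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServerSetting -Filter "Name='$siteId'"
$site.SSLCertHash  = $cert.GetCertHash()
$site.SSLStoreName = 'MY'
$site.Put() | Out-Null

# Step 6: require SSL and 128-bit ciphers on the site root (Directory Security > Edit in the article).
$vdir = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting -Filter "Name='$siteId/ROOT'"
$vdir.AccessSSL    = $true
$vdir.AccessSSL128 = $true
$vdir.Put() | Out-Null
```

After the script runs, a plain http:// request to the protected directory should be refused with the IIS "403.4 SSL required" error, which is the quickest check that the AccessSSL setting took effect.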
About SSL security encryption
SSL (Secure Sockets Layer), whose Chinese name translates literally as "encrypted socket protocol layer", is a secure communication protocol introduced by Netscape. It sits between the HTTP layer and the TCP layer and provides strong protection for credit card numbers and personal information. SSL establishes an encrypted channel between the client and the server so that transmitted data cannot be read by an eavesdropper. The SSL encryption mechanism relies on digital certificates.
With SSL enabled, the IIS server's data communication proceeds as follows. First, the client opens a connection to the IIS server, and IIS sends its digital certificate, which carries the server's public key, to the client. The client generates a session key, encrypts it with that public key and sends it to the IIS server. The server decrypts the session key with its private key, and from that point a secure data channel exists between the client and the IIS server. Only clients that the IIS server permits can communicate over this secure channel.
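The key exchange just described, as an added illustration that is not part of the article, written against the .NET Framework classes available on Windows Server 2003. No certificate or network is involved: the server's RSA public key stands in for the key carried in the IIS certificate, and the message text is constructed.

```powershell
# Added illustration of the RSA key exchange the article describes; not code from the article.
$server = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

# 1. Server -> client: the public key (in SSL it arrives inside the certificate)
$publicKeyXml = $server.ToXmlString($false)          # $false = public part only

# 2. Client: generate a random 128-bit session key and encrypt it with the server's public key
$client = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$client.FromXmlString($publicKeyXml)
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$sessionKey = New-Object byte[] 16
$rng.GetBytes($sessionKey)
$wrappedKey = $client.Encrypt($sessionKey, $true)    # $true = OAEP padding

# 3. Server: only the holder of the private key can unwrap the session key
$serverSessionKey = $server.Decrypt($wrappedKey, $true)
"Session key agreed: " + ([BitConverter]::ToString($sessionKey) -eq [BitConverter]::ToString($serverSessionKey))

# 4. Both sides now encrypt application data with the shared symmetric key (AES-128 here)
$aes = New-Object System.Security.Cryptography.RijndaelManaged
$aes.Key = $sessionKey
$aes.GenerateIV()                                    # the IV travels in the clear with the record
$plaintext  = [Text.Encoding]::UTF8.GetBytes('account=1234 password=secret')   # constructed sample
$ciphertext = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)

$aes.Key = $serverSessionKey                         # server side decrypts with the key it unwrapped
$decrypted = $aes.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
"Server read: " + [Text.Encoding]::UTF8.GetString($decrypted)

# 5. An eavesdropper holding only the public key (the certificate) cannot recover the session key
try {
    $client.Decrypt($wrappedKey, $true) | Out-Null
} catch {
    "Public key alone cannot decrypt the session key: " + $_.Exception.Message
}
```

Because every session key is wrapped with the same long-lived server key, anyone who later obtains the server's private key can decrypt recorded traffic; this is why modern TLS prefers ephemeral Diffie-Hellman key exchange and TLS 1.3 removed RSA key exchange altogether.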