In IIS7, HTTP.sys operates SSL encryption and decryption in kernel mode, which improves performance by nearly 20% compared to IIS6.
When SSL runs in kernel mode, SSL binding information is stored in two places. First, the binding configuration is saved in %windir%\system32\inetsrv\config\ApplicationHost.config. When a site starts, IIS7 sends its binding information to HTTP.sys, and HTTP.sys then listens for requests on the specified IP address and port. Second, the SSL configuration associated with the binding is saved in the HTTP.sys configuration. Use the following Netsh command to view the SSL binding configuration saved in HTTP.sys:
netsh http show sslcert
When a client opens a connection and starts an SSL negotiation, HTTP.sys looks up the SSL configuration for that ip:port in its own configuration. That SSL configuration must contain the certificate hash and the certificate store name, so two things must be true:
- the binding exists in ApplicationHost.config
- HTTP.sys holds the hash of a valid certificate together with the store name
When you choose a certificate, consider the following question: do you want end users to be able to verify the identity of your server through the certificate you present?
If yes, then either:
- create a certificate request and send it to a Certificate Authority (CA) such as VeriSign or GeoTrust; or
- obtain a certificate from an online CA on your intranet.
Browsers generally use three checks to confirm that a server certificate is valid:
1. The current date falls within the certificate's validity period.
2. The certificate's "Common Name" (CN) matches the host name in the request. For example, if a client requests http://www.contoso.com, the CN must be www.contoso.com.
3. The certificate was issued by a known and trusted CA.
If any one of these checks fails, the browser warns the user. If you run an Internet site, or an intranet site whose users you do not know well, you need to make sure that all three checks pass.
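As an added example (not code from the original article), the following PowerShell script applies these checks from the server side: it compares each HTTPS binding in ApplicationHost.config with the SSL configuration HTTP.sys holds (parsed from netsh http show sslcert) and with the certificate in the store, testing validity dates, name match and issuer trust. It assumes IIS 7.5 or later with the WebAdministration module, English netsh output, IP-based (non-SNI) bindings and an elevated prompt on the web server itself.

```powershell
# Added example: cross-check IIS HTTPS bindings against HTTP.sys and the certificate store.
# Assumes the WebAdministration module (IIS 7.5+), English netsh output, elevated prompt.
Import-Module WebAdministration

function Get-HttpSysSslBindings {
    # Parse "netsh http show sslcert" into a hashtable keyed by "IP:port".
    $result = @{}; $key = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') { $key = $Matches[1]; $result[$key] = @{} }
        elseif ($key -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $result[$key].Hash = $Matches[1].ToUpper() }
        elseif ($key -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') { $result[$key].Store = $Matches[1] }
    }
    return $result
}

function Test-IisSslBindings {
    $httpSys = Get-HttpSysSslBindings
    foreach ($b in (Get-WebBinding -Protocol https)) {
        # bindingInformation is "IP:port:hostname"; netsh shows the wildcard IP as 0.0.0.0
        $ip, $port, $hostName = $b.bindingInformation -split ':', 3
        if ($ip -eq '*') { $ip = '0.0.0.0' }
        $key = "${ip}:${port}"
        $problems = @()
        $entry = $httpSys[$key]
        if (-not $entry) {
            $problems += "binding is in ApplicationHost.config but HTTP.sys has no SSL certificate for $key"
        } else {
            $cert = Get-ChildItem "Cert:\LocalMachine\$($entry.Store)" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Thumbprint -eq $entry.Hash }
            if (-not $cert) {
                $problems += "hash $($entry.Hash) not found in store $($entry.Store)"
            } else {
                $now = Get-Date
                # Check 1: validity period
                if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += "outside validity period (NotAfter $($cert.NotAfter))" }
                # Check 2: name match (SAN DNS name, falling back to CN)
                $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
                if ($hostName -and $dnsName -ne $hostName) { $problems += "certificate name '$dnsName' does not match binding host '$hostName'" }
                # Check 3: issuer chain trusted on this machine (false for self-signed)
                if (-not $cert.Verify()) { $problems += "issuer chain not trusted (self-signed or unknown CA)" }
            }
        }
        $summary = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }
        [pscustomobject]@{ Binding = $b.bindingInformation; InHttpSys = [bool]$entry; Result = $summary }
    }
}

Test-IisSslBindings | Format-Table -AutoSize -Wrap
```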
A self-signed certificate can be created on your own computer. It is useful when the end users' identity is not important, when they already trust your server, or in a test environment.
Using WMI to bind SSL certificates
You cannot request or create a certificate through the WMI namespace.
Establish SSL Bindings
The following script shows how to create an SSL binding and add the corresponding information to HTTP.sys:
Set oIIS = GetObject("winmgmts:root\WebAdministration")

'''''''''''''''''''''''''''''''''''''''''''''
' CREATE SSL BINDING
'''''''''''''''''''''''''''''''''''''''''''''
' Arguments: IP address ("*" = all addresses), port, certificate hash
' (thumbprint) and certificate store name. The hash and store must
' refer to a certificate that exists in the local machine store.
oIIS.Get("SSLBinding").Create _
    "*", 443, "4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8", "My"

'''''''''''''''''''''''''''''''''''''''''''''
' ADD SSL BINDING TO SITE
'''''''''''''''''''''''''''''''''''''''''''''
Set oBinding = oIIS.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:443:"
oBinding.Protocol = "https"

Set oSite = oIIS.Get("Site.Name='Default Web Site'")
arrBindings = oSite.Bindings
ReDim Preserve arrBindings(UBound(arrBindings) + 1)
Set arrBindings(UBound(arrBindings)) = oBinding

oSite.Bindings = arrBindings
Set oPath = oSite.Put_
Note: The certificate hash and store name must refer to a real, usable certificate on the server. If either value is wrong, an error occurs.
Configure SSL Settings
The following script shows how to configure SSL settings through the IIS7 WMI provider.
Const SSL = 8   ' sslFlags bit that requires SSL for the site

Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSection = oIIS.Get( _
    "AccessSection.Path='MACHINE/WEBROOT/APPHOST',Location='Default Web Site'")
oSection.SslFlags = oSection.SslFlags Or SSL
oSection.Put_
Using IIS Manager to bind an SSL certificate
Get a certificate
Select the server node in the tree view and double-click the Server Certificates icon on the right.
Click the Create Self-Signed Certificate... button.
Enter a name for the new certificate and click OK.
You now have a self-signed certificate. It is marked for "Server-side Authentication".
Establish SSL bindings
Select a site and click Bindings... in the Actions panel. The Add, Modify, and Delete Bindings dialog box appears. Click the Add... button to add a new SSL binding.
The port is filled in by default. Select HTTPS in the Type dropdown, select the self-signed certificate you just created in the SSL Certificate dropdown, and click OK.
Now that the SSL binding is complete, all that remains is to confirm that it works.
SSL binding confirmation
In the Actions panel, under Browse Web Site, click the binding you just added.
Because this certificate is self-signed, IE7 displays an error page.
Click "Continue to this website (not recommended)".
Configure SSL settings
You need to configure SSL settings when you require client certificates from users, or when users must connect over SSL. Double-click SSL Settings as shown below: