Certificate Services App

Source: Internet
Author: User

Environment: A single domain controller running Windows Server 2008, and one client

Purpose: Encrypt data

Steps:

1. On the domain controller, in Administrative Tools, open Server Manager, select Roles, and click Add Roles.

2. In the Select Server Roles window, select Active Directory Certificate Services, and then click Next.

3. In the "Introduction to Certificate Services" window, click "Next" directly.

4. In the Select Role Services window, select Certification Authority and Certification Authority Web Enrollment. In the pop-up dialog window, click Add Required Role Services, and then click Next.

5. In the Specify Installation Type window, select Enterprise, and then click Next.

Note: Main features of an enterprise CA:
An enterprise CA requires the AD directory service; that is, the computer must be in Active Directory.
When an enterprise root CA is installed, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain.
You must be a domain administrator, or an administrator with write access to AD, to install an enterprise root CA.
Main features of a standalone CA:
A standalone CA does not require the AD directory service. Standalone CAs can be used for extranet and Internet scenarios.
When a certificate request is submitted to a standalone CA, the requester must explicitly provide all of their identity information and the required certificate type in the request. (This information is not needed when submitting a request to an enterprise CA, because the enterprise user's information is already in AD.)
By default, all certificate requests sent to a standalone CA are set to pending until the administrator of the standalone CA verifies the identity of the requester and approves the request. This is purely a security consideration, because the requester's credentials have not yet been verified by the standalone CA.

6. In the Specify CA Type window, select Root CA, and then click Next.

7. In the Set Up Private Key window, select Create a new private key, and then click Next.

8. In the Configure Cryptography for CA window, use the default settings, and then click Next.

9. In the Configure CA Name window, use the default configuration, and then click Next.

10. In the Set Validity Period window, use the default settings, and then click Next.

Note: Certificates are valid only for a specified period of time. Each certificate contains a valid-from date and a valid-to date, which together set its period of validity. Once a certificate expires, its user must apply for a new certificate.

11. In the Configure Certificate Database window, you can change where the database and the database logs are stored, or use the default configuration, and then click Next.

12. In the "Web Server Introduction" screen, click "Next" directly.

13. In the Select Role Services window, use the default role services added for the Web server, and then click Next.

14. Click "Install", and click "Close" when the roles have finished being added.

15. After the installation is complete, you can select Certification Authority from Administrative Tools to open the Certification Authority manager and manage the issuance of certificates.

16. On the domain controller, in Administrative Tools, open Internet Information Services (IIS) Manager, click the server name in the left-hand window, and open Server Certificates in the window.

17. Click "Create Certificate Request" in the right window.

18. In the Distinguished Name Properties window, enter the required information for the certificate, and then click Next.

19. In the Cryptographic Service Provider Properties window, use the default cryptographic service provider and key length, and then click Next.

20. In the File Name window, specify a file name and save location for the certificate request, and then click Finish.

Note: Open the certificate request file "C:\webcer.txt"; you can see that the certificate request file is Base64 encoded.

21. Copy the entire contents of the certificate request file. In a browser, go to "http://192.168.1.1/certsrv", the virtual directory of the certificate server, and click "Request a Certificate".

22. On the "Request a Certificate" page, click "Advanced Certificate Request".

23. On the Advanced Certificate Request page, select the 2nd item, which submits a Base64-encoded certificate request.

24. On the "Submit a Certificate Request or Renewal Request" page, paste the copied certificate request into the "Saved Request:" text box, select "Web Server" in the "Certificate Template" drop-down list box, and click "Submit".

25. When you apply for the certificate in a domain environment, submitting the request takes you directly to the "Certificate Issued" page. Select "Base64 Code", click "Download Certificate", and save the certificate locally.

Note: If you are using an enterprise CA, the CA automatically issues the certificate after the request is submitted. If you are using a standalone CA, you also need to issue the certificate manually. Open the standalone CA, select "Pending Requests" in the left window, right-click the request in the right-hand window, and in the pop-up menu select "All Tasks" → "Issue" to issue a certificate for the request. After the certificate has been issued, on the Certificate Issued page, select Base64 encoding and download the certificate.

26. Back in the Server Certificates window of IIS Manager, click "Complete Certificate Request" in the window on the right.

27. In the Specify Certificate Authority Response window, enter the path and file name of the CA response file (the downloaded digital certificate file), give the certificate a friendly name, and then click Next.
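
The request, submit and install sequence in steps 17 to 27 can also be run from an elevated PowerShell prompt with certreq.exe and certutil.exe. This is an added example, not part of the original walkthrough; the subject name, the key length, the files C:\webcer.inf and C:\web.cer, and the CA config string are assumptions or placeholders.

```powershell
# Added example: command-line equivalent of steps 17-27.
# Assumed values are marked; replace the placeholders before running.

# Request policy file. The single-quoted here-string keeps "$Windows NT$" literal.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=192.168.1.1"     ; assumed: must match the name clients use for the site
KeyLength = 2048               ; assumed key length
KeySpec = 1                    ; AT_KEYEXCHANGE, needed for an SSL server key
Exportable = FALSE             ; private key cannot be exported from this server
MachineKeySet = TRUE           ; key goes in the computer store, where IIS looks for it
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
FriendlyName = "Web"           ; the friendly name selected in the site binding

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1        ; Server Authentication
'@
Set-Content -Path C:\webcer.inf -Value $inf -Encoding ASCII

# Steps 17-20: create the key pair and the Base64 PKCS#10 request file.
certreq.exe -new C:\webcer.inf C:\webcer.txt
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }

# Review the decoded request (subject, key length, extensions) before submitting it.
certutil.exe -dump C:\webcer.txt

# Steps 21-25: submit to the enterprise CA using the Web Server template.
# Placeholder: "<CA host name>\<CA common name>" as chosen in step 9.
$caConfig = 'CA-HOST-PLACEHOLDER\CA-NAME-PLACEHOLDER'
certreq.exe -submit -config $caConfig -attrib "CertificateTemplate:WebServer" `
    C:\webcer.txt C:\web.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed or the request is pending" }

# Check that the issued certificate chains to a trusted root and is not revoked.
certutil.exe -verify -urlfetch C:\web.cer

# Steps 26-27: bind the issued certificate to the private key created above.
certreq.exe -accept C:\web.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }

# Confirm the certificate is in the computer's Personal store.
certutil.exe -store My
```

On a standalone CA the submit step leaves the request pending until an administrator issues it, as described in the note above.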

28. Expand the node tree in the left-hand window of Internet Information Services (IIS) Manager, select the site where you want to use the certificate, and then click Bindings in the right-hand window.

29. In the Site Bindings window, click Add.

30. In the Add Site Binding window, select "https" as the type, select the previously installed certificate "Web" as the SSL certificate, use the default port "443", and click "OK".

31. After you add an HTTPS binding for a site, you also need to modify the SSL settings for that site. In Internet Information Services (IIS) Manager, expand the node tree in the left window, select the site where you want to configure SSL, and double-click SSL Settings in the features window.

32. If you need to force users to connect to the site using SSL, select Require SSL. When this option is selected, users can only connect to the site over HTTPS, regardless of whether the site has an HTTPS type of binding. After selecting Require SSL, you can further select Require 128-bit SSL to encrypt SSL traffic with a 128-bit key.

On the SSL Settings page, you can also set whether a client certificate is required.
Ignore: Access is granted regardless of whether the user has a certificate. Clients do not need to request and install client certificates.
Accept: The user can access the resource using a client certificate, but the certificate is not required. Clients do not need to request and install client certificates.
Require: The server validates the client certificate before connecting the user to the resource. The client must request and install a client certificate, such as a "User" certificate.

33. Once the certificate is installed and an HTTPS binding has been added to the site, users can connect to the site over HTTPS (https://192.168.1.1). A security alert window pops up when the user accesses the site over HTTPS.

Note: If you do not select Require SSL on the SSL Settings page, and the site also has an HTTPS type of binding, the user can also access the site by using HTTPS. If Require SSL is selected, an error message pops up when the user accesses https.
Security alerts like those described above do not appear when the certificate is issued by a publicly trusted CA on the Internet or by an enterprise CA in the same domain. In addition, security alerts may be displayed differently depending on the browser version.
