Configure an SSL (https) website in IIS

Source: Internet
Author: User

Use SSL in IIS to configure an HTTPS website

Thanks to the popularity of Windows systems, many small and medium-sized enterprises use the default IIS for Web servers on their websites and internal office management systems.
By default, the HTTP protocol we use does not have any encryption measures. All messages are transmitted in plain text on the network. Malicious attackers can install listeners. Program To obtain the communication content between us and the server. This hazard is especially serious in some enterprises' internal networks, for the enterprise intranet that uses the hub, there is almost no security, because anyone can see other people's activities on the network on a computer, although the security threats to networks using vswitches are much smaller, there are still security breakthroughs in many cases. For example, the default users and passwords of vswitches are not changed, you can set your network interface as a listener to monitor all activities of the entire network.
In addition to anonymous access, basic authentication, and Windows NT request/response methods, IIS identity authentication also provides a more secure authentication, that is, using SSL (Security Socket Layer) security Mechanisms use digital certificates.
Therefore, more and more enterprises use SSL to avoid or reduce the losses caused by this.
SSL (encrypted SOCKET protocol layer) is located between the HTTP layer and the TCP layer. encrypted communication between users and servers is established to ensure the security of transmitted information. SSL is based on a public key and a private key. Any user can obtain a public key to encrypt the data. However, to decrypt the data, the corresponding private key must be used. When using the SSL security mechanism, the client first establishes a connection with the server. The server sends its digital certificate and public key to the client, and the client generates a random session key, encrypt the session key with the public key obtained from the server and upload the session key to the server over the network. The session key can be decrypted only on the server, the client and the server establish a unique security channel.
After an SSL security mechanism is established, only customers allowed by SSL can communicate with the websites allowed by SSL. When using the URL Resource Locator, enter https: // instead of http: //.
The following uses the Win2000 Server version as an example to describe how to use SSL to encrypt the HTTP channel to enhance IIS security.

Procedure

First, we need to add and delete Windows Components in the control panel to install the Certificate Service. This service is not installed in the system by default, and must be installed on a CD.

 

Then select the installation type of the independent Root CA. In the next step, give your ca a name to complete the installation.

After the installation is complete, we can start our IIS manager to apply for a digital certificate, start Internet manager to select the web site we need to configure

 

Choose "Directory Security"> "Secure Communication"> "server certificate" in the site attributes.

 

Since this is the first configuration, we chose to create a new certificate.

 

Use the default site name and encryption length settings.

 

 

Select a place to save the request certificate we just generated.

 

After completing the above settings, we will submit the server certificate we just generated to the Certificate Server we just installed locally. By default, after the Certificate Server is installed, several virtual directories are generated on the Web servers in the local IIS.

Let's open http: // localhost/certsrv/default. asp

 

Select Apply for Certificate

 

When selecting the application type, select Advanced application.

 

Select the base64 encoding method to submit our certificate application.

 

Copy the newly generated certreq.txt content to the certificate application, and then select submit.

 

After the certificate is successfully submitted, a page will be returned to tell us that the certificate has been successfully submitted. Now it is suspended and waiting for the CA to issue the certificate.

Next, start the Certificate Authority in the management tool, find the application entry we just applied for in the pending application, and right-click and select issue.

 

After the certificate is issued successfully, find the issued certificate in the issued certificate, double-click its attribute column, and then select copy certificate to file in details.

 

 

We need to export the certificate to a file. Here we export the certificate to the C: \ SQL. Cer file.

Return to the IIS web management interface and select a new certificate application. At this time, the certificate request is suspended.

 

 

Select the SQL. Cer file at the export location.

 

After confirming that all the information is correct, you can click Next to confirm the installation of SSL.

 

 

After the installation is complete by default, SSL does not start the encrypted channel that we need to SSL for our site, and it is determined that the port used by HTTPS is 443.

 

When we enter the site through https for the first time, there will be a dialog box asking us to confirm whether we agree with the current certificate. Of course, we agree ~

 

Now, when we look at this website, all the information is transmitted encrypted on the Internet. No one can understand the content easily.

encrypted SSL is a little slower than normal unencrypted web browsing, mainly because the encrypted tunnel consumes a little more CPU resources, websites that do not have any secrets do not need an encrypted SSL channel. This is only necessary for important directories and sites.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.