IIS, the web server built into Windows, is the most common web server. In the system's default configuration, however, IIS transmits data over HTTP in plaintext, with no encryption at all, so important data in transit is easily stolen. That is far from adequate for websites with high security requirements. To keep important data safe, IIS also provides an SSL security encryption mechanism. This article explains how to use the SSL security encryption mechanism on an IIS server.
Taking Windows Server 2003 (Windows 2003 for short) as the example, the author describes how to apply the SSL security encryption mechanism in IIS 6. To create a digital certificate for an IIS website, first use the Web Server Certificate Wizard to generate a certificate request file for the site. Open "Control Panel > Administrative Tools > Internet Information Services (IIS) Manager", expand the "Web Sites" node in the IIS Manager window, right-click the website that is to use SSL encryption, choose "Properties" from the menu, switch to the "Directory Security" tab, and click "Server Certificate". In the "IIS Certificate Wizard" window, select "Create a new certificate", click "Next", and select "Prepare the request now, but send it later". In the "Name" field, enter a name for the certificate, and in the "Bit length" drop-down list select the key length. Note that the bit length must not be too large, otherwise communication quality will be affected. Set the organization, organizational unit and geographical information for the certificate, enter the website's domain name in the site's "Common name" field, and then specify where the certificate request file is to be stored. Here the author saves the certificate request text file as "d:\certreq.txt". The certificate request file is now generated.
Apply for an IIS website certificate
After the certificate request file is generated, you can apply for an IIS website certificate. This process requires Certificate Services, which is not installed by default in Windows 2003 and must be added manually.
● Install the Certificate Service
In Control Panel, run "Add or Remove Programs" and switch to the "Add/Remove Windows Components" page. In the "Windows Components Wizard" dialog box, select the "Certificate Services" option, click "Next", and select the CA type. Here the author selects "Stand-alone root CA", then names the CA server and sets the validity period of the certificate; the default value of "5 years" is recommended. After the location of the certificate database and the certificate database log has been specified, Certificate Services is installed.
After Certificate Services is installed, you can apply for the IIS website certificate. Run Internet Explorer and enter "http://localhost/CertSrv/default.asp" in the address bar. In the "Microsoft Certificate Services" welcome window, click the "Request a certificate" link, then click the "advanced certificate request" link among the request types. In the advanced certificate request window, click the "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file ..." link, then paste the content of the certificate request file into the "Saved Request" box. Here the content of the certificate request file saved as "d:\certreq.txt" is pasted in. Then click "Submit".
Issue the IIS website certificate
After the application for the IIS website certificate has been submitted, the request is still pending and the certificate must be issued before it takes effect. In "Control Panel > Administrative Tools", run the Certification Authority program. In the left pane of the "Certification Authority" window, expand the tree, select the "Pending Requests" folder, find the certificate just requested in the right pane, right-click it and select "All Tasks > Issue".
Click the "Issued Certificates" folder and open the issued certificate. In the "Certificate" dialog box, switch to the "Details" tab and click "Copy to File" to open the Certificate Export Wizard. Specify the file name in the "File to export" field; here the author saves the certificate as "d:\cce.cer". Then click "Finish".
Import the IIS website certificate
On the "Directory Security" tab in IIS Manager, click the "Server Certificate" button. In the "Pending Certificate Request" dialog box that appears, select "Process the pending request and install the certificate", click "Next", specify the location of the exported IIS website certificate file, and then specify the port to be used for SSL. The default "443" is recommended. Then click "Finish".
Configure the IIS server
Importing the certificate does not by itself enable SSL security encryption for the IIS website; the IIS server must still be configured.
On the "Directory Security" tab, click the "Edit" button in the "Secure communications" section, select the "Require secure channel (SSL)" and "Require 128-bit encryption" options, and click "OK".
Then click the "Edit" button in the "Authentication and access control" section, clear the "Enable anonymous access" and "Integrated Windows authentication" options in the dialog box, select the "Basic authentication" option, and click "OK".
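The same request, issue, install and hardening steps can be scripted instead of clicked through. The following is an added example, not code from the original article, using the Windows tools certreq.exe, certutil.exe and the IIS 6 adsutil.vbs script. The host name www.example.com, the site identifier 1 (Default Web Site), the CA configuration string CAHOST\MyRootCA and the D:\ file paths are placeholders. The metabase flag values are the documented IIS 6 constants: AccessSSL (8) plus AccessSSL128 (256) is the script equivalent of "Require secure channel" with "Require 128-bit encryption", and AuthFlags 2 keeps only Basic authentication. Because Basic authentication sends the password merely base64-encoded, the secure-channel flag is set before the authentication change, as the article's order also does.

```powershell
# Added example (not from the original article): scripted equivalent of the
# request / issue / install / harden steps for IIS 6 on Windows Server 2003.
# Placeholders: host name, site id, CA config string and file paths.
$ErrorActionPreference = 'Stop'
$SiteId   = 1                      # metabase id of the web site (1 = Default Web Site)
$HostName = 'www.example.com'      # must match the name users type in the browser
$CaConfig = 'CAHOST\MyRootCA'      # "<server>\<CA name>" of the stand-alone root CA
$Inf = 'D:\certreq.inf'; $Req = 'D:\certreq.txt'; $Cer = 'D:\cce.cer'

# 1. Certificate request (the wizard's "Prepare the request now" step).
#    KeyUsage 0xA0 = digital signature + key encipherment; EKU = server authentication.
@"
[NewRequest]
Subject = "CN=$HostName, O=Example Org, OU=Web, L=City, S=State, C=CN"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $Inf -Encoding ASCII
certreq.exe -new $Inf $Req

# 2. Submit to the CA. A stand-alone CA leaves the request pending, so the
#    output reports the RequestId that an administrator must approve.
$submitOutput = certreq.exe -submit -config $CaConfig $Req $Cer
$requestId = [regex]::Match(($submitOutput -join ' '), 'RequestId:\s*(\d+)').Groups[1].Value

# 3. Approve (same as "All Tasks > Issue"), then retrieve and install the certificate.
certutil.exe -config $CaConfig -resubmit $requestId
certreq.exe -retrieve -config $CaConfig $requestId $Cer
certreq.exe -accept $Cer      # stores the cert and links it to the private key

# 4. Hardening flags on the site via the IIS 6 metabase.
#    AccessSSLFlags: 8 = AccessSSL (require secure channel) + 256 = AccessSSL128 -> 264
#    AuthFlags:      1 = Anonymous, 2 = Basic, 4 = Integrated (NTLM) -> 2 = Basic only
$adsutil = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"
cscript.exe //nologo $adsutil SET "W3SVC/$SiteId/Root/AccessSSLFlags" 264
cscript.exe //nologo $adsutil SET "W3SVC/$SiteId/Root/AuthFlags" 2
cscript.exe //nologo $adsutil SET "W3SVC/$SiteId/SecureBindings" ":443:"
```

Run the script in an elevated session on the web server. The one step it does not perform is attaching the installed certificate to the site (the wizard's "Process the pending request and install the certificate"), which in IIS 6 is still done through the certificate wizard described above; the script covers everything before and after that step. Check the result with a browser: the certificate's common name must equal the host name, and a plain http:// request to the site must now be refused.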
Figure 1
SSL security encryption mechanism
SSL (Secure Sockets Layer) is a secure communication protocol introduced by Netscape. It sits between the HTTP protocol layer and the TCP protocol layer and provides strong protection for data such as credit card numbers and personal information. SSL establishes an encrypted channel between the client and the server so that the transmitted data cannot be stolen in transit. The SSL security encryption mechanism relies on digital certificates.
After the SSL encryption mechanism is applied, the data communication process of the IIS server is as follows. First, the client establishes a connection with the IIS server, and IIS sends its digital certificate, which contains its public key, to the client. The client generates a session key, encrypts it with this public key and sends it to the IIS server. The server decrypts the session key with its private key, and at this point a secure data channel exists between the client and the IIS server. Only clients that the IIS server accepts can communicate over this secure data channel.
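A practitioner will want to confirm from the client side that the handshake described above actually takes place and that the server refuses unencrypted access. The following is an added example, not code from the original article, written against the .NET classes System.Net.Security.SslStream and System.Net.HttpWebRequest from a client machine; the host name www.example.com is a placeholder. It reports which certificate the server presented, which key exchange and cipher were negotiated (the "Require 128-bit encryption" setting should show a cipher strength of at least 128), and whether a plain HTTP request is rejected, which IIS signals with status 403 (sub-status 403.4) when "Require secure channel" is set.

```powershell
# Added example (not from the original article): client-side check of the SSL
# handshake and of the "Require secure channel" setting. Host name is a placeholder.
param([string]$HostName = 'www.example.com', [int]$Port = 443)

function Test-SslEndpoint {
    param([string]$Target, [int]$SslPort)
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $SslPort)
    try {
        $stream = $tcp.GetStream()
        # Validation callback: accept only a certificate whose chain verifies.
        # A certificate from a stand-alone root CA verifies only on clients that
        # have that root installed as trusted.
        $validate = { param($sender, $cert, $chain, $errors)
                      $errors -eq [System.Net.Security.SslPolicyErrors]::None }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $validate
        $ssl.AuthenticateAsClient($Target)   # the handshake described in the article
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Subject     = $cert.Subject              # CN must match $Target
            Issuer      = $cert.Issuer               # the CA that issued the certificate
            NotAfter    = $cert.NotAfter
            Protocol    = $ssl.SslProtocol
            KeyExchange = $ssl.KeyExchangeAlgorithm  # RSA = session key wrapped with the server's public key
            Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        }
    } finally { $tcp.Close() }
}

function Test-PlainHttpRejected {
    param([string]$Target)
    # With "Require secure channel (SSL)" set, IIS answers plain HTTP with 403 (403.4).
    $req = [System.Net.HttpWebRequest]::Create("http://$Target/")
    try { $req.GetResponse().Close(); return $false }
    catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        return ($resp -ne $null -and [int]$resp.StatusCode -eq 403)
    }
}

Test-SslEndpoint -Target $HostName -SslPort $Port | Format-List
"Plain HTTP rejected: $(Test-PlainHttpRejected -Target $HostName)"
```

If AuthenticateAsClient fails with a validation error, the client does not trust the stand-alone root CA's certificate; fix the trust rather than loosening the callback. If it fails before validation, note that a Windows 2003 server only offers SSL 3.0 and TLS 1.0, which current clients may refuse outright; the Protocol field shows what was actually negotiated.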