SSL Certificate Configuration

Source: Internet
Author: User
Tags: ssl, certificate

Because NT systems are easy to maintain, more and more small and medium-sized enterprises run their websites and internal office management systems on them, and many use the bundled IIS as the Web server. It cannot be denied that many of the recent vulnerabilities threatening NT systems stem from improper IIS configuration, and it is foreseeable that more IIS vulnerabilities and security problems will be discovered in the future. Even so, a reasonable security configuration avoids many of the risks. This article does not describe how to harden IIS systematically; it only shows how to raise IIS security by using SSL to encrypt the HTTP channel.
1. Establish an SSL Security Mechanism
Besides anonymous access, basic authentication and Windows NT challenge/response, IIS offers a stronger option: the SSL (Secure Sockets Layer) security mechanism with digital certificates. SSL sits between the HTTP layer and the TCP layer and establishes encrypted communication between the user and the server so that the transmitted information stays confidential. SSL relies on a public/private key pair: anyone can obtain the public key and encrypt data with it, but only the holder of the matching private key can decrypt that data. With the SSL mechanism, the client first opens a connection to the server; the server sends its digital certificate, which contains its public key, to the client; the client generates a random session key, encrypts it with the server's public key and sends it to the server over the network. Only the server, holding the private key, can decrypt the session key, so client and server now share a secret that nobody else on the network knows, and they use it to encrypt the rest of the session.
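To make the exchange above concrete, here is an added example (not from the original article, and not the code that IIS or SChannel runs) that performs the same RSA key transport with the .NET crypto classes from PowerShell: the server's RSA key pair stands in for the key in the certificate, an AES key stands in for the session key, and a hashtable stands in for the network. The host name, request line and key sizes are assumptions.

```powershell
# Added example: RSA key transport and session encryption, mirroring the
# exchange described above. Illustration only; the "wire" is a hashtable and
# the host name and request line are made up.

# --- Server: long-term key pair. The public half is what the certificate carries.
$serverRsa       = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$serverPublicKey = $serverRsa.ExportParameters($false)   # Modulus and Exponent only

# Server -> client: the "certificate" (here only the public key; a real one also
# carries the subject name and the CA's signature over both).
$serverHello = @{ PublicKey = $serverPublicKey }

# --- Client: random session key, sealed with the server's public key.
$aes = [System.Security.Cryptography.Aes]::Create()      # CBC + PKCS7 by default
$aes.KeySize = 128
$aes.GenerateKey()
$aes.GenerateIV()

$clientRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$clientRsa.ImportParameters($serverHello.PublicKey)       # public key only: can encrypt, cannot decrypt
$clientKeyExchange = @{
    EncryptedSessionKey = $clientRsa.Encrypt($aes.Key, $true)   # $true = OAEP; SSL 3 itself used PKCS#1 v1.5
    IV                  = $aes.IV
}

# --- Server: only the private key opens the session key.
$serverSessionKey = $serverRsa.Decrypt($clientKeyExchange.EncryptedSessionKey, $true)
if ([BitConverter]::ToString($serverSessionKey) -ne [BitConverter]::ToString($aes.Key)) {
    throw "session key mismatch"
}

# --- Application data: the HTTP request now travels under the session key.
$request   = [Text.Encoding]::ASCII.GetBytes("GET /secure/payroll.asp HTTP/1.0`r`nHost: intranet`r`n`r`n")
$encryptor = $aes.CreateEncryptor($aes.Key, $aes.IV)
$onTheWire = $encryptor.TransformFinalBlock($request, 0, $request.Length)

# What a sniffer on a hub or a mirrored switch port captures in each case:
"Plain HTTP on the wire : " + ([Text.Encoding]::ASCII.GetString($request) -split "`r`n")[0]
"SSL on the wire        : " + [BitConverter]::ToString($onTheWire, 0, 16) + " ..."

# Server side: decrypt with the key recovered from the RSA exchange.
$serverAes = [System.Security.Cryptography.Aes]::Create()
$decryptor = $serverAes.CreateDecryptor($serverSessionKey, $clientKeyExchange.IV)
$plain     = $decryptor.TransformFinalBlock($onTheWire, 0, $onTheWire.Length)
"Server decrypts to     : " + ([Text.Encoding]::ASCII.GetString($plain) -split "`r`n")[0]

# Anyone who captured $onTheWire but lacks $serverRsa's private key cannot
# recover the session key, so the capture stays ciphertext.
```

Run it in Windows PowerShell or PowerShell 7 on Windows (RSACryptoServiceProvider is Windows-only). What the example deliberately leaves out is the part a certificate adds to the bare public key: the CA's signature binding the key to a server name. That binding is what lets the browser decide whether the public key it received really belongs to the site, which is why a self-issued CA produces a warning later in this article.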
Once SSL is required for a site, clients can reach it only over an SSL connection: in the browser's address bar the URL is entered as https:// instead of http://.
Simply put, the HTTP protocol we use by default has no encryption at all. Every message travels across the network in plain text, so a malicious attacker can install a sniffer program and read the communication between us and the server. The danger is especially serious on enterprise intranets. On an intranet built with hubs there is no protection whatsoever, because anyone can watch everyone else's network activity from a single computer. Networks built with switches are much less exposed, but they can still be broken into in many cases: for example, if the switch's default accounts and port configuration have not been changed, an attacker can set a port up as a monitoring (mirror) port and observe the traffic of the whole network.
Encrypting the whole transmission channel is therefore a sound security measure. Unfortunately there are not many articles that specifically describe configuring SSL on IIS, so I will simply share my own experience.
2. Procedure
First, add the Certificate Services component through Add/Remove Windows Components in Control Panel. This service is not installed by default, so the installation CD is needed.

Then select "Stand-alone root CA" as the installation type, give your CA a name on the next page, and finish the installation.
After the installation is complete, start the Internet Service Manager (the IIS manager) to request a digital certificate, and select the web site we need to configure:

In the site properties, choose "Directory Security" > "Secure Communications" > "Server Certificate".

Since this is the first configuration, choose to create a new certificate.

Keep the default site name and encryption key length settings.

The settings above are straightforward and easy to follow from the wizard's dialogs. Choose a sensible location to save the certificate request we have just generated; the wizard writes it to a text file (certreq.txt).

Next we submit the certificate request we just generated to the Certificate Server we installed locally. By default, installing Certificate Services creates several virtual directories in the local IIS web server.

Open http://localhost/certsrv/default.asp

Select "Request a certificate".

For the request type, select "Advanced request".

Choose to submit a base64-encoded certificate request.

Paste the content of the certreq.txt we just generated into the request form and click Submit.

After the request is submitted, a page confirms that it was received. The request is now pending, waiting for the CA to issue the certificate.
Next, open the Certification Authority console in Administrative Tools, find our request under Pending Requests, right-click it and select Issue.

After the certificate has been issued, find it under Issued Certificates, double-click it to open its properties, and on the Details tab choose "Copy to File".

Export the certificate to a file; here we export it to C:\SQL.cer.

Return to the IIS management interface and open the server certificate wizard again. It now reports that a certificate request is pending and offers to process it.

Select the exported file, C:\SQL.cer.

After confirming that all the information is correct, click Next to finish installing the certificate.

Installing the certificate does not by itself switch the site to the encrypted channel. Go back to the Secure Communications settings and enable "Require secure channel (SSL)" for the site or for the directories that need it, and confirm on the Web Site tab that the SSL port is 443.

The first time we enter the site through https, the browser shows a dialog asking whether we accept the current certificate. Of course, we agree. The prompt appears because the certificate was issued by our own stand-alone root CA, which the browser does not trust yet; once the CA's certificate is installed on the client (the certsrv pages offer it for download), the warning no longer appears.

Now all the information exchanged with this website is encrypted on the wire; a sniffer sees only ciphertext, and nobody can read the content easily.

Next, let's look at the two captures from the Iris packet sniffer taken after encryption was enabled:

Browsing over SSL is a little slower than plain unencrypted web browsing, mainly because the encrypted tunnel costs additional CPU time. A site that holds no secrets does not need an SSL channel; it is only necessary for the important directories and sites.
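The same request, issue, install and require-SSL cycle can be scripted on a current Windows Server. The following is an added example, not the article's own steps (those are IIS 4/5 dialogs), using certreq, certutil and the WebAdministration module; the CA config string, host name, site name, directory name and working path are assumptions. It also covers the CA-trust caveat from the https step by exporting the root certificate for the clients.

```powershell
# Added example: request / issue / install / require-SSL from the command line.
# The CA config string ("<CA host>\<CA name>", see: certutil -dump), host name,
# site name, "secure" directory and C:\certwork are assumptions. Run elevated
# on the IIS host; the CA may be the same machine, as in the article.
$CaConfig = "CASRV\Standalone Root CA"
$Hostname = "intranet.example.com"
$SiteName = "Default Web Site"
$Work     = "C:\certwork"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Key pair + PKCS#10 request (the wizard's certreq.txt). KeySpec 1 and the
#    server-authentication EKU are what SChannel expects from the key.
@"
[NewRequest]
Subject = "CN=$Hostname"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}dns=$Hostname"
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII
certreq -new "$Work\request.inf" "$Work\certreq.txt"

# 2. Submit to the CA. A stand-alone CA holds the request as pending by
#    default; certreq prints the RequestId we need to issue it.
$submitOutput = certreq -submit -config $CaConfig "$Work\certreq.txt" "$Work\SQL.cer" 2>&1 | Out-String
$requestId = [regex]::Match($submitOutput, 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $requestId) { throw "submit failed:`n$submitOutput" }

# 3. Issue it (Certification Authority console > Pending Requests > Issue)
#    and fetch the issued certificate into SQL.cer.
if (-not (Test-Path "$Work\SQL.cer")) {
    certutil -config $CaConfig -resubmit $requestId | Out-Null
    certreq -retrieve -config $CaConfig $requestId "$Work\SQL.cer"
}

# 4. Pair the issued certificate with the pending request's private key
#    (the wizard's "process the pending request" step).
certreq -accept "$Work\SQL.cer"
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Hostname" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "certificate was not installed with its private key" }

# 5. Bind it to port 443 and require SSL only for the directory that needs it
#    (sslFlags "Ssl" is the "Require secure channel" checkbox).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!443")) {
    New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null
}
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location "secure" `
    -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl"

# 6. The browser warning comes from the untrusted stand-alone root. Export the
#    CA certificate for the clients; on each client (or through Group Policy):
#    certutil -addstore Root rootca.cer
certutil -config $CaConfig -ca.cert "$Work\rootca.cer" | Out-Null
```

Leaving the http binding in place while requiring SSL only under the "secure" location matches the article's advice to encrypt the directories that matter rather than everything; drop the http binding entirely if the whole site is sensitive.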
