1. Ca (Certificate Server) is installed on the server)
1. Install Ca on the server
Installation with Ca in Win2000 Program . Click Start, control pannel Add/Remove programs, and then click Add/Remove Windows compenents. When Windows component wizard appears, select Certificate Services ). In the next step, you need to specify the server authorization type. Generally, you can select stand-alone Root CA as an independent web server. Then, you need to specify the shared folder, which serves as the configuration data storage location of the Certificate Service, click Next, and the installation is complete.
Note: When you create a CA, the name assigned to the CA is defined by yourself. In IE of the client, the Ca does not initially belong to the root certificate authority trusted by the client, if the client does not add the CA as a trusted root certificate authority, a security warning will appear when the client accesses the website on the server.
2. Create and install a site Certificate
The procedure is as follows:
A. Open IIS, select the site where the certificate is to be installed, right-click, select Properties from the pop-up menu, click the Directory Security properties page in the pop-up dialog box, and click the server certificate button, the IIS certificate wizarddialog box appears. In this step, the function is to generate a secret file for the ca digital certificate, which is saved in the local directory in the format of. txt.
B. Access the registration control and its table through the Certificate Server enrollment page:
The registration control can be accessed from the certificate server administration tools web page at http: // localhost/certsrv on the machine with Certificate Service installed. Select the request ACertificate option and the advance request option on the next page. Note that this option is required when you apply for a digital certificate for a website, because the digital certificate granted to the website must use the specific key file generated in step a to generate a unique digital certificate belonging to the website. Generally, the user certificate request is designed for customers who need to access the website. There are two methods: Web browser certificate and E-mail protection certificate. The customer uses the web browser certificate method to apply for access to websites with SSL protection, while the e-mail protection certificate is to protect the information transmitted when the customer sends and receives emails. Next, in the Advanced Certificate requests on the page, select submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file. This format is consistent with the encryption format of the key file generated in step. Then, you can upload the .txt key file on the current host to the webpage through browseand submit the application. In the final interface, the request is notified that it has been received and is waiting for the certificate authority's approval.
C. Microsoft's certificate service can be managed using MMC:
The server sends a request for digital verification to the ca. After you open start/Program/Administrative Tools/certification authority, you can see the pending request folder, this folder contains all certificate requests waiting for the approval of the root authority. If the CA finds that the application for this website is feasible, right-click and select issue. In this way, the file is moved to issued certificates, indicating that the application is successful, this node contains all certificates approved and published by the certificate service administrator. If the CA determines that the application is not feasible, select deny. The file is transferred to the failed request, indicating that the application failed. This node contains all rejected certificate requests. For a digital certificate that has been successfully applied and published, if the Ca wants to cancel the certificate, right-click the certificate and select revoke. The successfully applied digital certificate is moved to the revoke certificates folder, this node contains all issued but revoked certificates.
D. After waiting for a certain period of time, the website that submits the digital verification can still view the progress of the digital verification application through http: // localhost/certsrv. Select Check on a pending certificate and click Next to continue. Select a candidate request from the option box and click Next to continue. Select base64 encoding for the downloaded file and click the download CA certificate link to start the download process. In this way, the Certificate Authority receives the server certificate file. Open IIS, select a website that has been digitally verified, right-click it, and select Properties. On the properties page, in Directory Security, click server certificate to start the Web service certificate wizard, select process a pending request and install certificate. Select the path of the digital certificate (The. Cer file) downloaded in the previous step to start installation. After the installation is successful, the view certificate and edit buttons on the directory security properties page are changed from disable to enable. The digital verification process for the entire website is complete.
3. About certificate attribute settings
Click the edit button on the directory security properties page to set the website digital verification attribute. First, if you select the require secure channel (SSL) check box, you will not be able to access the site in the form of HTTP. You can only access the site through HTTPS. If this option is not selected, both HTTP and HTTPS Methods coexist and can access this website. If this option is selected, there are three options available: Ignore client certificate, accept client certificate, and require client certificate. Ignore client certificate indicates that the client certificate is not accepted (default): If the client browser has installed the client certificate, an Access Denied message is returned. Accept client certificate indicates accepting the certificate: no matter whether the client has installed the client certificate, access is allowed in both cases. Ignore client certificate indicates that the client certificate is required: access is denied unless the client has a legitimate certificate authorized by the root Ca (here the Certificate Server. To access the website, the customer must first obtain digital verification from the server, that is, the client must first submit an application for digital verification to the website to be accessed, the website can be accessed only after obtaining the digital certificate sent back by the server for information exchange between the two. Otherwise, the website will reject the access of the customer.
Different websites can set these three attributes differently.
4. Client SSL Configuration
Before SSL communication between a browser and a web site, the client must be able to recognize that the server certificate is valid. To achieve this, the client must contact the Certificate Authority of the server, in which case it is a local certificate server. If you fail to implement the preceding steps and directly connect to the SSL site, you will first receive a security warning. The client browser needs to install the certificate in the Trusted Root store of the browser. To install the certificate, click View certificate in the security warning dialog box to display a dialog box that contains the certificate information. Click Install certificate to start the certificate import wizard.
For customers, the SSL configuration is relatively simple. Customers can choose to apply for a digital certificate or not, but if the require client certificate attribute is set for a website accessed by the customer, the customer must obtain the digital verification of the website before accessing the website. In other words, if the customer wants to gain access, he must first apply to the website.
The customer requests for digital verification by visiting http: // servername/certsrv. The procedure is basically the same as that for digital verification on the website, but it does not select advance request, instead, you can use the web browser certificate option under the user certificate request. You only need to enter the corresponding information of the customer and then submit the application, it also downloads the corresponding digital certificate from the Internet to the local machine. In this way, when you access the website, a message box asking the client to verify the number is displayed, and the customer selects the downloaded digital certificate to access the website. Note: If the website port number is not the default port 80, but is defined by yourself, you must also set a port number for the SSL port to show the difference. When accessing HTTP and https, the port numbers are inconsistent. If the website uses the default port 80, SSL does not need to configure a specific port number. Its default port number is 443. 2. The server and the computer with the CA (Certificate Server) are independent
the process for applying for a digital certificate on the website is the same as that in the previous section. However, because the CA and the server are located on the same machine, you can access the local http: // localhost/certsrv, because the CA is independent from the server's computer, the application is also the same as the client's remote access to http: // caname/certsrv. The specific operations are the same as those in the previous section. However, in this case, if require client certificate is set for the website, it is difficult for the customer to access the website because the client cannot send a request for digital verification to the website. Generally, it is best to use accept client certificate. |
