SSL is a commonly used WEB Service encryption channel. Its full name is Secure Socket Layer, which is also known as the Secure sockets interface. It uses digital certificates to ensure its security mechanism. The main function is encryption and authentication to protect the security of network transmission. It is in the middle of the HTTP and TCP layers.
SSL encryption and authentication use public keys and private keys. Our users use public keys to encrypt data, and the corresponding private keys must be used to decrypt data.
Reference the SSL communication process: "the communication process using the SSL security mechanism is as follows: after a user establishes a connection with the IIS server, the server sends the digital certificate and public key to the user, the user end generates a session key, encrypts the session key with the public key, and then transmits the key to the server. The server uses the private key for decryption. In this way, the user end and the server end establish a secure channel, only users allowed by SSL can communicate with the IIS server.
An SSL website is different from a common Web site. It uses the "HTTPS" protocol instead of the common "HTTP" protocol. Therefore, its URL (Uniform Resource Locator) format is "https: // website domain name "."
Next, let's take a look at how to use the SSL channel for encryption and authentication after we use the iis web service.
The SSL communication port is 443 by default. Therefore, it is best to disable the firewall or software on the host that occupies port 443 before installing the service to avoid conflict. We use the windows Certificate Service to implement SSL encryption. Therefore, the premise is that the machine that installs the Certificate Service must first install the iis web service.
Open start-settings-control panel-add or delete programs-add or delete windows Components-select "Certificate Service ". Next step-Put down the system CD-the installation window will pop up. 1:
If you install the Certificate Service, you cannot change the domain membership and computer name. If you modify the certificate, the issued CA certificate will be invalid. Ask if you want to install it. After selecting "yes", the following dialog box is displayed in Figure 2:
If our computer is in the domain, we can create an Enterprise CA. Because we are not in the domain, we can only create an independent Root CA ". Then hook "use custom settings to generate the key pair and CA certificate". Next, 3:
Select a CSP. What is CSP? : CSP indicates the encryption service provider. The default value is: Microsoft Strong Cryptographic Provider. The default MD2 MD4 MD5 SHA-1 algorithm is SHA-1 key length. Theoretically, the longer the key, the better the length. Theoretically, the longer the encryption takes, the longest time required. The default value is 2048. Next step, 4:
Fill in the identification information, mainly to fill in the public name and validity period. It is best to enter a representative name, such as cfanhome. Deletable suffix. If a domain is automatically filled in, you can leave it blank or enter one according to the rule. The correct filling method is DC = Name. Let's write DC = com, validity period, the default value is 5 years. We can set it based on our own needs. Next Step 5:
Enter your certificate database, certificate database diary, and shared folder location. If there is no special case, it is default. You can set it as needed. Next Step 6:
If you want to continue installing the Certificate Service, you need to pause the running of the IIS server because you need to install information such as the IIS virtual directory and service. Click "yes" next step, 7:
If you want to enable the Certificate Service properly, you must install the ASP service in IIS. In the extension service, click "yes" to agree to install the ASP service, the system automatically enables ASP services in the IIS extension service. The WEB pages of the Certificate Service are dynamic. Next, after installing the certificate service, you can choose Start> program> Administrative Tools> Certificate Service. You can see the main interface 8:
Four basic functions:
1. Revocation certificate: the revoked certificate is displayed here. After revocation, the certificate becomes invalid. You can restore the revoked certificate,
2. issued certificate: The issued valid certificate is displayed here. You can revoke the certificate.
3. suspended certificate: The certificate has not yet been issued, that is, the certificate you just applied for. Here, you can issue and reject the certificate.
4. Failed certificate: all certificates that failed to be applied, such as network reasons or certificate application failed, are displayed here.
Next, let's take a look at how our WEB server applies for a certificate:
Go to the WEB server, open IE, enter http: // SSLIP/certsrv, and press Enter. Then we can see the Certificate Server application page, 9:
At this time, we are not in a rush to apply, because we still have one thing to do. We need to create a key file to apply for our certificate. How can we create it. Open IIS Service Manager-default website-right-click Properties-Directory Security-10:
Click "server certificate", 11:
Select New certificate, 12
Next, fill in the certificate name, and then fill in cfanhome. The default length is 1024. Here we can select our CSP program, 13:
Next step: Write the unit and department. According to our situation, I wrote the unit: cfanclub department is minks.
Next, enter the public name. If the web server is on the internet, write our DNS name. If the server is on the Intranet, write the Share Name, that is, the computer's Netbios name. I entered cfanclub, 16:
Next, select the home, province, and region. I am in guangzhou, so I will write the graph, guangdong guangzhou, 17:
Next, select the location where the certificate request is to be saved. Select the first location, 18:
The next step is to create the certificate application file. We can see that a certificate request file is generated under the directory we just selected, called certreq.txt. Open it and we can see 19:
This is A string of certificate application characters. We can use CTRL + A to select all of them, and then press CTRL + C to copy them. Wait for the required certificate application.
Go back to the page and click Apply for a certificate to go to the 20 page:
Click "Submit an advanced application" to go to the 21 page:
Click the second "submit a certificate application in the base64 encoded CMC or PKCS #10 file ,......", Go to the certificate application page of 22,
. After we click Submit, our certificate application is complete. 23
The Applied certificate cannot be used immediately because it is suspended. We must wait for the certificate authority to issue the certificate. At this time, we will go to the Certificate Service server. We open the certificate suspended by the certificate service, and we can see the certificate we just applied, right-click the certificate, right-click the certificate, and select 25:
In this way, we can see in the issued certificate that our certificate has been issued, we go to the WEB server to open the WEB page, click "view the status of the suspended Certificate ", we can see the 26 interface:
We can see that our certificate has been issued, click to save the application certificate. On the displayed page, Select Download Certificate. After download and save, we can see 28:
This is our certificate. Its name is cernew. cer. It looks familiar. Right, all the certificates we have seen before are suffixed with cer. Then, go to IIS Manager-default website-right-click Properties-Directory Security-server certificate, 29:
Select "process pending requests and install Certificates ". Next step, 30:
Select our certificate, that is, the certificate we just obtained. After the selection, select the SSL port. The default port is 443. We will use the default port to establish it, 31:
Next, complete the operation. In IIS manager, choose "default website"> "right-click Properties"> "Directory Security". The service certificate is now highlighted. Click here to view the certificate information, 32:
Now the certificate application is almost complete, and the last step is to enable the certificate. How can we enable the certificate? in IIS manager, choose Default website, right-click attribute, choose Directory Security, and click Edit, you can see 33:
If you access our website normally, you will be unable to view the page and prompt that this page must be viewed through a secure channel. We add S to the end of http. Https: // 192.168.0.247/cfanclub. The Security Information Window 35 is displayed on the webpage:
We often see this window on the Internet, such as online banking. Here we can see whether the information is secure and whether the certificate has expired. Click "yes". If not, the website is opened normally. 36:
In this way, a simple SSL security certificate is complete. We can see a small lock under the webpage, which indicates that an SSL Security channel has been established between us and the WEB site, as we can see, the input information transmitted over the network is encrypted, and others cannot see our real content. I hope this tutorial will help you.
We hook up with "require secure channel (SSL)", so that when others access our website, they will not be able to access it through the SSL channel. 34