In IIS7, HTTP.sys performs SSL encryption and decryption in kernel mode, which improves performance by nearly 20% compared with IIS6.
When SSL runs in kernel mode, the SSL binding information is stored in two places. First, the binding configuration is saved in %windir%\System32\inetsrv\config\applicationHost.config. When a site starts, IIS7 passes its binding information to HTTP.sys, and HTTP.sys then listens for requests on the specified IP address and port. Second, the SSL configuration associated with the binding is saved in the HTTP.sys configuration. Run the following netsh command to view the SSL binding configuration stored in HTTP.sys:
netsh http show sslcert
When a client connects and starts the SSL negotiation, HTTP.sys looks up the SSL configuration for that IP:port in its own configuration. This SSL configuration must include the certificate hash and the certificate store name. Check both places:
- whether the binding exists in applicationHost.config;
- whether the HTTP.sys configuration holds the hash of a valid certificate and whether the store name is present.
When selecting a certificate, consider the following: do end users need to verify the identity of your server through the certificate you present? If so, either create a certificate request and submit it to a Certificate Authority (CA) such as VeriSign or GeoTrust, or obtain a certificate from an online CA on your intranet.
A browser generally checks three things to confirm that a server certificate is valid:
1. The current date is within the certificate's validity period.
2. The certificate's Common Name (CN) matches the host name in the request. For example, if the client requests http://www.contoso.com, the CN must be www.contoso.com.
3. The certificate was issued by a known and trusted CA.
If any of these checks fails, the browser warns the user. If you run an Internet site, or an intranet site whose users you do not know, make sure all three checks pass.
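The two lookups described earlier (does the binding in HTTP.sys point at a certificate that really exists in the store?) and the three browser checks above can be audited in one pass from the server. The following PowerShell script is an added example, not code from the original article: it reads the same SSLBinding class the article's VBScript uses, resolves each hash in the certificate store, and reports validity period, name match and chain trust. It assumes an elevated PowerShell 3.0 or later session on the IIS host, and $ExpectedHost is an assumed value that you must set to the host name your clients actually request.

```powershell
# Added example (not from the original article): audit the SSL bindings HTTP.sys
# holds (the same data "netsh http show sslcert" prints) and apply the three
# browser checks to the certificate each binding points at.
# Assumes an elevated PowerShell session on the IIS host; $ExpectedHost is an
# assumed value that must be set to the host name clients use for your site.
param(
    [string]$ExpectedHost = 'www.contoso.com'
)

function Test-HostNameMatch {
    param([string]$CertName, [string]$HostName)
    # Exact match, or a single-label wildcard such as *.contoso.com.
    if ($CertName -ieq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix   = $CertName.Substring(1)          # ".contoso.com"
        $firstDot = $HostName.IndexOf('.')
        return ($firstDot -gt 0) -and ($HostName.Substring($firstDot) -ieq $suffix)
    }
    return $false
}

# The second place the article describes: IP:port -> certificate hash + store name,
# as held by HTTP.sys (root\WebAdministration SSLBinding class, as in the VBScript).
$sslBindings = @(Get-WmiObject -Namespace 'root\WebAdministration' -Class 'SSLBinding')
if ($sslBindings.Count -eq 0) {
    Write-Warning 'HTTP.sys holds no SSL bindings; https requests cannot be served.'
    return
}

foreach ($b in $sslBindings) {
    $endpoint  = "$($b.IPAddress):$($b.Port)"
    $storePath = "Cert:\LocalMachine\$($b.CertificateStoreName)"

    # Does the hash resolve to a certificate that actually exists in that store?
    $cert = Get-ChildItem $storePath -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -ieq $b.CertificateHash }
    if (-not $cert) {
        Write-Warning "$endpoint -> hash $($b.CertificateHash) not found in $storePath; the SSL handshake will fail"
        continue
    }

    # Check 1: current date inside the validity period.
    $now = Get-Date
    $validNow = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # Check 2: name matches the host clients request. GetNameInfo returns the first
    # DNS subject alternative name, or the CN when there is no SAN extension.
    $dnsName = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameMatch = Test-HostNameMatch -CertName $dnsName -HostName $ExpectedHost

    # Check 3: chains to a CA this machine trusts (false for a self-signed
    # certificate unless it was imported into Trusted Root Certification Authorities).
    $trusted = $cert.Verify()

    [pscustomobject]@{
        Endpoint   = $endpoint
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        ValidNow   = $validNow
        NameMatch  = $nameMatch
        Trusted    = $trusted
        Expires    = $cert.NotAfter
    }
}
```

A binding whose hash is not found in the store is exactly the failure the article's note warns about: IIS accepted the binding, but HTTP.sys cannot complete the handshake. A row with Trusted = False and NameMatch = True is what you see for the self-signed certificate created later in the article, and is why IE7 shows the error page during validation.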
You can also create a self-signed certificate on your own computer. If the end users are a known group that already trusts your server, or the certificate is only used in a test environment, a self-signed certificate is very useful.
Use WMI to bind an SSL Certificate
The WMI namespace cannot be used to request or create a certificate.
Establish SSL binding
The following script shows how to create an SSL binding and add the relevant information to HTTP.sys:
Set oIIS = GetObject("winmgmts:root\WebAdministration")

'''''''''''''''''''''''''''''''''''''''''''''
' CREATE SSL BINDING
'''''''''''''''''''''''''''''''''''''''''''''
' Arguments: IP address ("*" = all), port, certificate hash, certificate store name
oIIS.Get("SSLBinding").Create _
    "*", 443, "4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8", "MY"

'''''''''''''''''''''''''''''''''''''''''''''
' ADD SSL BINDING TO SITE
'''''''''''''''''''''''''''''''''''''''''''''
Set oBinding = oIIS.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:443:"
oBinding.Protocol = "https"

' "Default Web Site" is the name IIS gives the default site
Set oSite = oIIS.Get("Site.Name='Default Web Site'")
arrBindings = oSite.Bindings
ReDim Preserve arrBindings(UBound(arrBindings) + 1)
Set arrBindings(UBound(arrBindings)) = oBinding
oSite.Bindings = arrBindings
Set oPath = oSite.Put_
Note: The certificate hash and store name must refer to a real, valid certificate on your server. If either value is wrong, the call fails with an error.
Configure SSL settings
The following script shows how to configure SSL settings through the IIS7 WMI provider:
Const SSL = 8   ' the Ssl bit of the sslFlags attribute: require SSL for this scope

Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSection = oIIS.Get( _
    "AccessSection.Path='MACHINE/WEBROOT/APPHOST',Location='Default Web Site'")
oSection.SslFlags = oSection.SslFlags OR SSL
oSection.Put_
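The same change made from PowerShell, with the sslFlags bit values decoded so the result can be read back and checked. This is an added example, not code from the original article or from IIS; it uses the same WebAdministration WMI object path as the VBScript above through the [wmi] type accelerator. 'Default Web Site' is an assumed site name, and it requires an elevated PowerShell 3.0 or later session on the IIS host. It also covers the later IIS Manager section on SSL Settings, since the "require SSL" and "client certificates" options there set the same bits.

```powershell
# Added example (not from the original article): the SslFlags change made from
# PowerShell through the WebAdministration WMI provider, with the bit values decoded
# so the result can be read back. 'Default Web Site' is an assumed site name.
# Requires an elevated session on the IIS host.

# Bit values of system.webServer/security/access/@sslFlags, which is where the
# article's "Const SSL = 8" comes from.
$sslFlagNames = [ordered]@{
    8   = 'Ssl'               # require https for this scope
    32  = 'SslNegotiateCert'  # ask the client for a certificate, but accept none
    64  = 'SslRequireCert'    # reject clients that present no certificate
    128 = 'SslMapCert'        # map client certificates to Windows accounts
    256 = 'Ssl128'            # require 128-bit (or stronger) cipher strength
}

function ConvertTo-SslFlagNames([uint32]$Flags) {
    # Decode a raw sslFlags value into the names IIS Manager shows.
    $names = foreach ($bit in $sslFlagNames.Keys) {
        if ($Flags -band $bit) { $sslFlagNames[$bit] }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

# Same object path as the VBScript's oIIS.Get(...), via the [wmi] type accelerator.
$section = [wmi]"root\WebAdministration:AccessSection.Path='MACHINE/WEBROOT/APPHOST',Location='Default Web Site'"
"Before: $($section.SslFlags) ($(ConvertTo-SslFlagNames $section.SslFlags))"

# Weak: the default. The https binding exists, but nothing forces clients to use it.
#   $section.SslFlags = 0

# Hardened: require SSL and 128-bit ciphers. Add 64 (SslRequireCert) only when every
# legitimate client is expected to present a certificate, as the SSL Settings
# section of the article describes.
$section.SslFlags = $section.SslFlags -bor 8 -bor 256
$section.Put() | Out-Null

$section.Get()   # re-read the instance to confirm the write took effect
"After:  $($section.SslFlags) ($(ConvertTo-SslFlagNames $section.SslFlags))"
```

Reading the value back matters because the article's OR-assignment silently keeps whatever bits were already set; decoding them shows, for instance, whether SslRequireCert is already on and would lock out clients without certificates.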
Use IIS manager to bind an SSL Certificate
Obtain a certificate
Select the server node in the tree on the left, and double-click the Server Certificates icon on the right side:
Click the Create Self-Signed Certificate... button:
Enter a name for the new certificate and click OK.
You now have a self-signed certificate. It is marked for Server Authentication.
Establish SSL binding
Select a site and click Bindings... in the Actions pane. The Site Bindings dialog box, where bindings can be added, edited and removed, is displayed. Click the Add... button to add a new SSL binding.
The dialog box defaults to port 80. In the Type drop-down box, select https. In the SSL certificate drop-down box, select the name of the self-signed certificate you just created, and click OK.
The SSL binding is now established; what remains is to confirm that it works properly.
Validate the SSL binding
In the Actions pane, under Browse Web Site, click the binding you just added.
Because this certificate is self-signed, IE7 displays a certificate error page.
Click Continue to this website (not recommended) to proceed.
Configure SSL settings
Configure SSL settings when you want to require users to connect over SSL or to present a client certificate. Double-click SSL Settings, for example: