How to create an HTTPS website? How to configure HTTPS service in IIS
Step 1: Start SSL in IIS
The method takes only three steps:
1. Download the IIS 6.0 Resource Kit tools: http://www.microsoft.com/downloads/details.aspx?Familyid=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en
2. Install them.
3. Open "All Programs -> IIS Resources -> SelfSSL", type "selfssl" at the command line, and answer "Y". You are done.
Now open https://localhost in the browser. A window asks whether you want to accept an untrusted certificate. Select Yes, and you are now on a secure channel. The warning appears because the SelfSSL certificate is self-signed rather than issued by a certificate authority the browser trusts, so this shortcut suits a test site.
Step 2:
What is HTTPS?
HTTPS stands for Secure Hypertext Transfer Protocol.
It was developed by Netscape and built into its browser. It is used to encrypt and decrypt the data that is sent to and returned from the network. HTTPS uses Netscape's Secure Sockets Layer (SSL) as a sublayer beneath the HTTP application layer. (HTTPS uses port 443, instead of port 80 as HTTP does, to communicate with TCP/IP.) SSL uses a 40-bit key for the RC4 stream encryption algorithm, which this description treats as suitable for encrypting business information; a 40-bit key is export-grade strength and is not adequate protection today. HTTPS and SSL support X.509 digital certificates, so you can confirm who the sender is if necessary.
HTTPS is an HTTP channel designed for security; put simply, it is the secure version of HTTP. An SSL layer is added beneath HTTP, and SSL is the security foundation of HTTPS. For details about the encryption, see SSL.
It is a URI scheme (an abstract identifier system) whose syntax is similar to the http: scheme and which is used for secure HTTP data transmission. An https: URL indicates that HTTP is used, but with a different default port from HTTP and with an encryption/authentication layer between HTTP and TCP. The system was initially developed by Netscape to provide authentication and encrypted communication, and it is now widely used for secure and sensitive communications on the World Wide Web, such as transaction payments.
Restrictions
Its security protection relies on the correct implementation of the browser and the support of server software and actual encryption algorithms.
A common misunderstanding is that "bank users who use HTTPS online are fully protected against theft of their bank card numbers." In fact, the encrypted connection protects the bank card number only on the connection between the user and the server. The server itself cannot be absolutely secure, and attackers have exploited this. A common example is a phishing attack that imitates the domain name of a bank. Attacks on customer data while the website transmits it, in which attackers attempt to intercept the data in transit, are rare.
Commercial websites are expected to hand each new transaction over to the financial gateway as soon as possible and to retain only the transfer code (transaction number). However, they often store bank card numbers in the same database. In rare cases, databases and servers may be attacked and compromised by unauthorized users.
Before TLS 1.1
This section applies only to versions before TLS 1.1. Because SSL sits in the layer below HTTP and does not understand higher-level protocols, an SSL server can generally serve a certificate only for a specific IP/port combination. This means that HTTPS often cannot be used with name-based virtual hosts (virtual hosts distinguished by domain name).
This has been updated in the upcoming TLS 1.1: domain-based virtual hosts are fully supported.
Install the Certificate Service
To use the SSL security mechanism, you must first install the Certificate Service for Windows Server 2003.
Go to "Control Panel", run "add or delete programs", and open the "Windows component wizard" dialog box. Check the "Certificate Service" option and click "Next", then select the CA type: select "independent Root CA" and click "Next". Name your CA server, set the validity period of the certificate, and specify the location of the certificate database and the certificate database logs to complete the installation of the Certificate Service.
Configure an SSL website
1. Create a request Certificate file
After the Certificate Service is installed, you can create a request certificate file for the website that will use the SSL security mechanism. Click "Control Panel > Administrative Tools", run "Internet Information Service-IIS manager", expand the "website" directory in the manager window, right-click the website that is to use SSL, select "properties", switch to the "Directory Security" tab (figure 1) in the "website properties" dialog box, and click "server certificate". In the "IIS certificate wizard" dialog box, select "New Certificate", click "Next", and select "Prepare certificate request now, but send it later". Name the certificate in the "name" input box, and then select the key length from the "bit length" drop-down list. Enter the certificate's organization, department, the public name of the site, and the geographic information, and specify the storage location of the request certificate file. This completes the creation of the request certificate file.
2. Apply for a server certificate
After completing the preceding settings, submit the request certificate file you created to the certificate server. Enter "http://localhost/certsrv/default.asp" in the address bar of the IE browser on the server. Open the request certificate file, copy its content into the "Save application" input box, and click "Submit".
3. Issue a server certificate
Click "Control Panel > Administrative Tools" and run "Certificate Authority". Expand the tree directory in the main window, click "pending applications" (Figure 2), find the certificate you just applied for, right-click this item, and select "all tasks > issue". After the certificate is successfully issued, click "issued certificate" in the tree directory and double-click the issued certificate. In the "details" tab of the "certificate" dialog box that appears, click "Copy To File". The certificate export wizard is displayed. Click "Next", specify the file name in the "file to be exported" dialog box, and click "finish".
4. Install the server certificate
Return to the "Directory Security" tab in IIS manager and click "server certificate". In the "pending certificate requests" dialog box, select the "process pending requests and install Certificates" option, click "Next", specify the location of the exported server certificate file, set the SSL port (use the default, "443"), and click "finish".
On the "Directory Security" tab, click the "edit" button in the secure communication column, select the "require secure channel (SSL)" option, and click "OK" to enable SSL.
Configure SSL for Web Servers
To enable SSL in IIS, you must first obtain a certificate used to encrypt and decrypt information transmitted over the network. IIS has its own certificate request tool. You can use this tool to send Certificate requests to the Certificate Authority. This tool simplifies the process of obtaining certificates. If you are using Apache, you must obtain the certificate manually.
With both IIS and Apache, you receive a certificate file from the certificate authority, and it must be configured on the computer. Apache uses the SSLCACertificateFile directive to read the certificate from its source file. In IIS, you use the Directory Security tab of the website or folder properties to configure and manage certificates.
You can migrate certificates from Apache to IIS. However, Microsoft recommends that you create a new IIS certificate or obtain a new one.
This process assumes that your site already has a certificate.
1. Log on to the web server computer as an administrator.
2. Click Start, point to Settings, and then click Control Panel.
3. Double-click Administrative Tools, and then double-click Internet Service Manager.
4. Select a website from the list of different service sites in the left pane.
5. Right-click the website, folder, or file for which you want to configure SSL communication, and then click Properties.
6. Click the Directory Security tab.
7. Click Edit.
8. To require SSL communication for websites, folders, or files, click Require secure channel (SSL).
9. Click Require 128-bit encryption to configure 128-bit (instead of 40-bit) encryption support.
10. To allow users to connect without providing a certificate, click Ignore client certificate.
Alternatively, if you want users to provide a certificate, use the client certificate option.
11. To configure client mapping, click Enable client certificate mapping, and then click Edit to map client certificates to users.
If this feature is configured, you can map client certificates to individual users in Active Directory. You can use this function to identify users automatically based on the certificate they provide when they access the website. You can map one user to one certificate (a certificate identifies a user), or map many certificates to one user (a list of certificates is matched against a specific user according to specific rules, and the first valid match becomes the mapping).
12. Click OK.
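As an added example (not part of the original article): once "require SSL", 128-bit encryption or client certificates are enforced, IIS rejects non-conforming requests with HTTP 403 sub-status 4, 5 and 7, so the web log shows which clients the new settings lock out. The Python below counts those rejections per client in a W3C extended log; the log lines are constructed, and it assumes the sc-substatus field is enabled in the site's logging.

```python
from collections import Counter

# IIS 403 sub-status codes tied to the Directory Security options above
SSL_DENIALS = {"4": "SSL required",
               "5": "128-bit SSL required",
               "7": "client certificate required"}

# Constructed sample in IIS W3C extended format (not from a real server)
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem s-port sc-status sc-substatus sc-win32-status
2006-03-01 09:00:01 192.0.2.10 GET /default.htm 80 403 4 0
2006-03-01 09:00:02 192.0.2.10 GET /default.htm 443 200 0 0
2006-03-01 09:00:05 192.0.2.44 GET /orders.asp 443 403 5 0
2006-03-01 09:00:09 192.0.2.77 GET /admin/ 443 403 7 0
2006-03-01 09:00:12 192.0.2.10 GET /logo.gif 80 403 4 0
2006-03-01 09:00:15 192.0.2.90 GET /secret.txt 443 403 1 5
"""

def ssl_denials(log_text):
    """Count (client IP, reason) pairs for 403.4 / 403.5 / 403.7 responses."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") == "403" and row.get("sc-substatus") in SSL_DENIALS:
            hits[(row["c-ip"], SSL_DENIALS[row["sc-substatus"]])] += 1
    return hits

if __name__ == "__main__":
    for (client, reason), count in sorted(ssl_denials(SAMPLE_LOG).items()):
        print(f"{client:15} {reason:30} {count}")
```

A steady stream of "SSL required" entries from the same clients usually means links or bookmarks still point at http:// and need updating or a redirect.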
The following describes how to configure the required certificate file through the IIS certificate wizard. (From: it168)
Step 1: Open the IIS editor through IIS manager in "Administrative Tools".
Step 2: Right-click the default website and select "properties". (Figure 11)
Step 3: Click the "Directory Security" tab in the default website properties window and click "server certificate" in the secure communication area. (Figure 12)
Step 4: The Web server certificate wizard opens automatically. (Figure 13)
Step 5: Select "New certificate" in the server certificate area, and then continue. (Figure 14)
Step 6: For the delayed or immediate request choice, select "Prepare certificate request now, but send it later". (Figure 15)
Step 7: Set the certificate name and the bit length. Keep the default website name, and select 512 from the drop-down menu. (Figure 16)
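Tip: The bit length determines the strength of the encryption. The longer the bit length, the more secure the key, but transmission efficiency and website performance are affected. Generally, 512 is enough. That holds only for a throwaway test such as this localhost site: 512-bit RSA keys have been factored in practice, so pick a longer length for any certificate that protects real traffic.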
Step 8: Enter the organization information, including the organization and department. (Figure 17)
Step 9: Enter localhost in the public site name window. (Figure 18)
Step 10: Enter the geographic information as needed. (Figure 19)
Step 11: Set the name of the certificate request file. Save it to the desktop so that it is easy to find. The saved file name is certreq.txt. (Figure 20)
Step 12: Complete the IIS certificate wizard and save the certificate request file to the desktop as required. (Figure 21)
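An added example, not part of the original article: the certreq.txt file saved by the wizard is a Base64 PKCS#10 request, so its key length can be checked before it is submitted to the CA. The Python below reads the RSA modulus size from such a request; the sample request is constructed in code (placeholder modulus, zeroed signature) and the 2048-bit minimum is an assumed policy value.

```python
import base64

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read(buf, pos=0):
    """Return (body, next_pos) of the DER element that starts at pos."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                        # long form: low bits give the length size
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def request_key_bits(text):
    """RSA modulus size, in bits, of a Base64 PKCS#10 request such as certreq.txt."""
    lines = [l.strip() for l in text.splitlines()]
    der = base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))
    info, _ = read(read(der)[0])        # CertificationRequest -> CertificationRequestInfo
    _, p = read(info)                   # version
    _, p = read(info, p)                # subject name
    spki, _ = read(info, p)             # SubjectPublicKeyInfo
    _, p = read(spki)                   # algorithm identifier
    bitstr, _ = read(spki, p)           # BIT STRING wrapping the RSAPublicKey
    modulus, _ = read(read(bitstr[1:])[0])   # skip unused-bits octet, first INTEGER
    return int.from_bytes(modulus, "big").bit_length()

def too_short(text, minimum=2048):      # minimum is an assumed policy value
    return request_key_bits(text) < minimum

def sample_request(bits):
    """Constructed request with a placeholder modulus and an all-zero signature."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, b"localhost"))))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + tlv(0x30, alg + tlv(0x03, b"\x00" + rsa)) + tlv(0xA0, b""))
    sig = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
    der = tlv(0x30, info + sig + tlv(0x03, b"\x00" * (bits // 8 + 1)))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode()
            + "-----END NEW CERTIFICATE REQUEST-----\n")
```

Calling too_short(open("certreq.txt").read()) on a request made with the 512-bit setting from Step 7 returns True; the parser only walks the structure and does not verify the request's signature.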