We often encounter errors when configuring HTTPS and IE client certificates for IIS. This article describes how to configure SSL in an actual production environment, so that you can see where you may have gone wrong.
When an enterprise needs to publish more confidential data on the web, we usually configure IIS in HTTPS mode. At the same time, if we only want internal staff to have access and do not want them to have to log on, we can configure a "browser certificate" (Root CA) or a "user certificate" (Enterprise CA) on the client. The specific practice can be divided into the following steps:
1. Install the certificate CA server function in Windows 2003.
This step is prone to errors mainly because the IIS function of the CA server is not installed during the installation of the CA certificate service, which may cause access through the browser to fail, that is: http://ca_server/certsrv
The solution is to run the following on the command line:
certutil -vroot
This automatically installs the corresponding web functions on IIS so that the CA can provide services to other machines.
2. Apply for a server certificate from the CA through the certificate application function in IIS on the web server. Its function is to "verify the identity of the remote server".
The main error-prone point in this step is that we need to enter the web server URL in the name or note name when applying for the certificate. It is better for the internal URL and the external URL to be the same, for example: www.boc.cn
3. After the application is completed, install the certificate in IIS. Then click "Edit" in the certificate box of "Directory Security" and check "Require secure channel (SSL)", and it will be OK.
This step is prone to errors in the production environment: if the CA server and the web server are not the same machine, the web server and the client PC must "trust" the CA server. To do this, access the CA's web site from the web server or the client PC:
http://ca_server/certsrv/certcarc.asp
and choose "Install CA certificate chain".
4. Complete the following steps by accessing the CA's web site from the client: apply for a "Web browser certificate" or "user" certificate, send the certificate to the CA server with MMC, then install the certificate through IE on the client.
Enter: you may be afraid of making a mistake and fill in the country and so on. In fact, you only need to write a name.
Type: when accessing the CA's web application, it is best to open "more options" and "Advanced Certificate Application", and fill in the URL of the web server in the "note name" column, such as www.boc.cn
Please note: whether the private key can be exported must be decided when applying for the certificate. Therefore, if you want the certificate to be used by others, you must check this option when applying. Otherwise, you can only re-apply for the certificate.
5. In IIS on the web server, you can enable two-way SSL authentication by checking "client certificate required".
This works in the test environment. In the production environment, however, IE on the client always displays an error saying that the SSL server considers the certificate revoked ("Certificate Revocation").
Everyone thinks that as long as the client certificate is issued by the same certificate authority as the server certificate, it will be OK. In fact, everyone is wrong.
Once this check box is checked, you must check the "CRL distribution point" field of the certificate. There are two URLs in the field, and at least one of them must be accessible to the IIS server with SSL enabled.
In the production environment, the CA and the SSL web server are not always on the same machine, and because of the relationship between DNS and internal names, the URL in the "CRL distribution point" field is not accessible to the IIS server.
Therefore, 80% of SSL issues are actually caused by IIS being unable to access this URL.
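One way to check this on the IIS server, as an added example that is not part of the original article: the PowerShell script below reads the CRL distribution point URLs from an exported client certificate and tries to fetch each HTTP one. The path C:\temp\client.cer is an assumed placeholder, and the script assumes the extension text lists its entries as "URL=...".

```powershell
# Added example: list the CRL distribution point (CDP) URLs in a certificate
# and test whether this machine can fetch each HTTP one.
param(
    [string]$CertPath = 'C:\temp\client.cer'   # assumed path to an exported client certificate
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31 is the OID of the "CRL Distribution Points" extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Output "No CRL distribution point extension in $($cert.Subject)"
    return
}

# Format($true) renders the extension as multi-line text; each entry
# is assumed to appear as "URL=<location>".
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

$reachable = 0
foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        # ldap:// and file:// entries are listed but not fetched here.
        Write-Output "SKIPPED      $url"
        continue
    }
    try {
        $request = [System.Net.WebRequest]::Create($url)
        $request.Timeout = 10000          # milliseconds
        $response = $request.GetResponse()
        Write-Output "REACHABLE    $url ($($response.ContentLength) bytes)"
        $response.Close()
        $reachable++
    }
    catch {
        # DNS failure, refused connection, timeout and HTTP error status all land here.
        Write-Output "UNREACHABLE  $url : $($_.Exception.Message)"
    }
}

if ($reachable -eq 0) {
    Write-Output 'No HTTP CRL URL could be fetched from this machine.'
}
```

Run it on the IIS server itself, because a result from another machine says nothing about what the IIS server can resolve and reach.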
Finally, if you are a beginner and haven't encountered this problem, please first take a look at the following article. If you then run into problems, come back to this article.
IIS client certificate access configuration http://www.cnblogs.com/chnking/archive/2008/08/18/1270063.html
And how to use a certificate on the client to connect to the web server. However, in the actual production network of an enterprise