IIS 7 SSL/HTTPS configuration method

Source: Internet
Author: User

In IIS 6 (Windows Server 2003), all SSL configuration was stored in the IIS metabase, and SSL encryption and decryption ran in user mode, which costs a large number of kernel/user mode transitions. In IIS 7, http.sys performs SSL encryption and decryption in kernel mode, which improves performance by nearly 20% compared with IIS 6.
 

When SSL runs in kernel mode, the binding information is stored in two places. First, the binding configuration is saved in %windir%\System32\inetsrv\config\applicationHost.config. When the site starts, IIS 7 passes the binding information to http.sys, and http.sys listens for requests on the specified IP address and port. Second, the SSL configuration associated with the binding (the certificate hash and the certificate store name) is stored in the http.sys configuration. Run the following netsh command to view the SSL binding configuration stored in http.sys:

netsh http show sslcert

When a client connects and starts the SSL negotiation, http.sys looks up the SSL configuration for that IP:port in its own configuration. That configuration must contain the certificate hash and the certificate store name. If the handshake fails, check both places:

- whether the binding exists in applicationHost.config;

- whether http.sys has an entry for that IP:port containing the hash of a valid certificate and the name of the store that holds it.
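
As an added check that is not part of the original article, the following PowerShell script compares the two places just described: it reads the https bindings from applicationHost.config, parses the entries http.sys reports through netsh http show sslcert, and confirms that each hash names a certificate with a private key in the machine store. It assumes the default %windir% path, English netsh output, and an elevated session; the function name is my own.

```powershell
function Test-IisSslBindings {
    # Assumption: default %windir%; reading the file needs an elevated session.
    param([string]$ConfigPath = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'))

    # Place 1: https bindings declared in applicationHost.config
    [xml]$config = Get-Content -Path $ConfigPath
    $httpsBindings = foreach ($site in $config.configuration.'system.applicationHost'.sites.site) {
        foreach ($b in $site.bindings.binding) {
            if ($b.protocol -ne 'https') { continue }
            $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
            if ($ip -eq '*') { $ip = '0.0.0.0' }   # http.sys records a wildcard IP as 0.0.0.0
            [pscustomobject]@{ Site = $site.name; IpPort = "${ip}:${port}"; HostHeader = $hostHeader }
        }
    }

    # Place 2: what http.sys holds, parsed from "netsh http show sslcert"
    # (English output assumed; each record starts with an IP:port or Hostname:port line)
    $sslCerts = @{}
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Key = $Matches[2]; Hash = $null; Store = 'MY' }
            $sslCerts[$current.Key] = $current
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            if ($Matches[1] -ne '(null)') { $current.Store = $Matches[1] }
        }
    }

    # Cross-check every https binding against http.sys and the LocalMachine certificate store
    foreach ($b in $httpsBindings) {
        $entry = $sslCerts[$b.IpPort]
        if (-not $entry) {
            $status = 'MissingInHttpSys'
            $detail = 'binding in applicationHost.config but no sslcert entry for this IP:port'
        }
        else {
            $cert = Get-ChildItem -Path "Cert:\LocalMachine\$($entry.Store)" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Thumbprint -eq $entry.Hash }
            if (-not $cert) {
                $status = 'HashNotInStore'
                $detail = "hash $($entry.Hash) not found in LocalMachine\$($entry.Store)"
            }
            elseif (-not $cert.HasPrivateKey) {
                $status = 'NoPrivateKey'
                $detail = "$($cert.Subject) has no private key, http.sys cannot complete the handshake"
            }
            elseif ($cert.NotAfter -lt (Get-Date)) {
                $status = 'Expired'
                $detail = "$($cert.Subject) expired $($cert.NotAfter)"
            }
            else {
                $status = 'OK'
                $detail = "$($cert.Subject) valid until $($cert.NotAfter)"
            }
        }
        [pscustomobject]@{ Site = $b.Site; IpPort = $b.IpPort; Status = $status; Detail = $detail }
    }
}

Test-IisSslBindings | Format-Table -AutoSize
```

A binding that is present in applicationHost.config but missing from http.sys is the classic symptom of a certificate that was deleted or replaced after the binding was created; the site still shows an https binding in IIS Manager, but clients get a connection reset because http.sys has nothing to serve for that IP:port.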

When selecting a certificate, consider the following question: do you need end users to be able to confirm the identity of your server through the certificate you present?

If yes, then either:

- create a certificate request and send it to a public Certificate Authority (CA) such as VeriSign or GeoTrust; or

- obtain a certificate from an online (enterprise) CA on the intranet.

A browser generally uses three checks to decide whether a server certificate is valid:

1. The current date falls within the certificate's validity period.

2. The name in the certificate matches the host name in the request. For example, if the client requests https://www.contoso.com, the certificate must be issued to www.contoso.com (the host name, not the URL). Current browsers require the host name to appear in the Subject Alternative Name extension; a match on the Common Name (CN) alone is no longer accepted.

3. The certificate was issued by a known and trusted CA.

If any of these checks fails, the browser warns the user. If the site is on the internet, or intranet users do not already know and trust you, make sure all three checks pass.
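
The three checks, run from the client side as an added example that is not part of the original article: the PowerShell function below completes a TLS handshake against a server, accepting whatever certificate it gets, and then reports each check separately instead of collapsing them into one browser warning. The host name is a placeholder; the "DNS Name=" label assumes an English Windows locale; revocation checking is switched off so it runs offline.

```powershell
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][string]$ServerHost,
        [int]$Port = 443
    )

    # Complete a TLS handshake, accepting any certificate so the checks below
    # can be reported one by one instead of failing inside the handshake.
    $client = New-Object System.Net.Sockets.TcpClient($ServerHost, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ServerHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }

    # Check 1: current date inside the validity period
    $now = Get-Date
    $dateOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # Check 2: host name matches a DNS name in the SAN extension (CN only as a fallback,
    # which is what browsers stopped accepting). "DNS Name=" is the English Format() label.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($part in ($san.Format($false) -split ',\s*')) {
            if ($part -match '^DNS Name=(.+)$') { $names += $Matches[1] }
        }
    }
    if ($names.Count -eq 0) {
        $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    $hostOk = $false
    foreach ($name in $names) {
        # A leading wildcard matches exactly one DNS label: *.contoso.com covers www.contoso.com only
        $pattern = '^' + [regex]::Escape($name).Replace('\*', '[^.]+') + '$'
        if ($ServerHost -match $pattern) { $hostOk = $true }
    }

    # Check 3: chain builds up to a root this machine trusts.
    # Revocation is skipped so the test works offline; browsers do check it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DateValid     = $dateOk
        NameMatches   = $hostOk
        CertNames     = $names -join ', '
        IssuerTrusted = $chainOk
        ChainStatus   = $chainStatus
        AllThreePass  = $dateOk -and $hostOk -and $chainOk
    }
}

# Usage (host name is a placeholder). A self-signed binding comes back with
# IssuerTrusted = False and ChainStatus "UntrustedRoot": check 3 is what the browser warns about.
Test-ServerCertificate -ServerHost 'www.contoso.com' | Format-List
```

Running this against the self-signed binding created later in this article shows checks 1 and 2 passing and check 3 failing, which is exactly the warning page IE7 displays; against a CA-issued certificate all three should be True before the site is exposed to users who do not already trust it.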
 

A self-signed certificate can be created on the server itself. If you have no end users to convince, your users already trust your server, or you only need a test environment, a self-signed certificate is very useful.

Use WMI to bind an SSL certificate

The WebAdministration WMI namespace cannot be used to request or create a certificate; it can only bind a certificate that already exists in the machine store.

Establish the SSL binding

The following VBScript shows how to create the SSL binding in http.sys and then add the https binding to the site in applicationHost.config:

Set oIIS = GetObject("winmgmts:root\WebAdministration")

' Create the SSL binding in http.sys: IP, port, certificate hash, certificate store
oIIS.Get("SSLBinding").Create "*", 443, "4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8", "MY"

' Add an https binding element to the site in applicationHost.config
Set oBinding = oIIS.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:443:"
oBinding.Protocol = "https"

Set oSite = oIIS.Get("Site.Name='Default Web Site'")
arrBindings = oSite.Bindings
ReDim Preserve arrBindings(UBound(arrBindings) + 1)
Set arrBindings(UBound(arrBindings)) = oBinding

oSite.Bindings = arrBindings
Set oPath = oSite.Put_

Note: the certificate hash and store name must reference a real, usable certificate on your server. If either is wrong, the Create call fails.
 

Configure SSL settings

The following script shows how to require SSL for a site through the IIS 7 WMI provider by setting the sslFlags attribute of the access section.

' sslFlags bit values: 8 = Ssl (require SSL), 32 = SslNegotiateCert, 64 = SslRequireCert, 256 = Ssl128
Const SSL = 8
Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSection = oIIS.Get( _
    "AccessSection.Path='MACHINE/WEBROOT/APPHOST',Location='Default Web Site'")
oSection.SslFlags = oSection.SslFlags OR SSL
oSection.Put_
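
The same three steps (http.sys entry, site binding, require SSL), as an added PowerShell example using the WebAdministration module rather than the article's WMI scripts; this is not code from the original article. The thumbprint is the placeholder from the script above, the site is Default Web Site, and the script must run elevated. On IIS 7.0 load the IIS PowerShell snap-in (Add-PSSnapin WebAdministration) instead of Import-Module. Unlike the WMI script, which ORs the Ssl bit into the existing sslFlags, this sets the value outright.

```powershell
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$thumbprint = '4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8'   # placeholder, replace with your own

# The hash must name a certificate with a private key in LocalMachine\MY; the WMI
# Create call fails with an unhelpful error otherwise, so check before touching http.sys.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint -and $_.HasPrivateKey }
if (-not $cert) {
    throw "No certificate with a private key and thumbprint $thumbprint in LocalMachine\My"
}

# Step 1: https binding in applicationHost.config (equivalent of the BindingElement part)
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# Step 2: http.sys entry (equivalent of SSLBinding.Create "*", 443, hash, "MY").
# The IIS: drive exposes http.sys SSL entries as IIS:\SslBindings\<ip>!<port>.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Step 3: require SSL on the site (equivalent of AccessSection.SslFlags OR 8).
# Use 'Ssl,SslRequireCert' here if clients must also present a certificate.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Confirm that both places now agree
Get-WebBinding -Name $siteName -Protocol https
netsh http show sslcert ipport=0.0.0.0:443
```

Removing and re-creating the IIS:\SslBindings item is deliberate: http.sys keeps one entry per IP:port, so replacing a certificate means replacing that entry, and a stale entry pointing at a deleted certificate is the most common cause of a site that shows an https binding but never answers on 443.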
 

Use the IIS Manager to bind an SSL certificate

Obtain a certificate

Select the server node in the tree and double-click the Server Certificates icon in the features view:

Click Create Self-Signed Certificate... in the Actions pane, enter a friendly name for the new certificate, and click OK. You now have a self-signed certificate whose intended purpose is Server Authentication.

Create an SSL binding

Select the site in the tree and click Bindings... in the Actions pane. The Site Bindings dialog lists the existing bindings and lets you add, edit, and remove them. Click Add... to add a new binding. The default is http on port 80; in the Type drop-down select https, in the SSL certificate drop-down select the self-signed certificate you just created, and click OK. The SSL binding is now in place; what remains is to confirm that it works.

Validate the SSL binding

In the Actions pane, under Browse Web Site, click the https binding you just added. Because the certificate is self-signed, IE7 displays a certificate error page; click "Continue to this website (not recommended)" to proceed to the site.

Configure SSL settings

Configure SSL settings when you want to require users to connect over SSL or to present a client certificate. Double-click SSL Settings in the site's feature view to open them.
