Many people use IIS, the component that ships with Windows, to build their own Web servers. By default, however, IIS uses the HTTP protocol, which transmits data in clear text, so hackers can easily steal important information from you or your friends while it is in transit. To prevent information from being illegally stolen by others, it is necessary to set up an SSL encryption mechanism for your IIS Web site.
The principle of SSL encryption
SSL (Secure Sockets Layer) is a secure communication protocol introduced by Netscape. SSL establishes an encrypted secure channel between client and server, which ensures that the transmitted information is not illegally stolen by others. The SSL encryption mechanism is implemented mainly with digital certificates. When SSL is used, the client first establishes a connection with the IIS server; the IIS server sends its digital certificate and public key to the client and negotiates the cipher with the client. The usual choice is the RSA algorithm (Diffie-Hellman and Fortezza-KEA are also available). Once authentication is confirmed, the client's session key is encrypted with this public key and transmitted to the IIS server. After the IIS server receives the session key, it decrypts it, and an encrypted communication channel is established between the user and the IIS server.
Enable the SSL encryption mechanism
The following uses an IIS 6 server as an example to describe how to enable the SSL encryption mechanism.
Step 1: Open Internet Information Services (IIS) Manager. In the IIS Manager window, expand Web Sites, right-click the Web site on which you want to enable the SSL encryption mechanism, and click Properties in its context menu.
Step 2: In the Web site's Properties window, click "Directory Security tab → Server Certificate", then click "Next" in the "Welcome to the Web Server Certificate Wizard" window that pops up. In the "Server Certificate" window that appears, select "Create a new certificate" and click "Next". In the "Delayed or Immediate Request" window, select "Prepare the request now, but send it later" and click "Next". In the "Name and Security Settings" window that appears, give the new certificate a "name" and set the "bit length" of the key.
Note: The longer the bit length, the higher the security, but if the bit length is set too large, it will affect the communication speed.
Step 3: Click "Next" and enter your organization and department names in the "Organization Information" window that appears, then click "Next" and set the "common name" in the "Your Site's Common Name" window that appears. If the server is on the Internet, enter a valid DNS name; if it is on an internal network, just use the computer's NetBIOS name.
Step 4: Click "Next" and enter your geographic information in the "Geographical Information" window that appears, then click "Next". In the "Certificate Request File Name" window that appears, click "Browse" to choose where the certificate request file is saved, then follow the prompts through the final steps to finish generating the certificate request file.
Step 5: Open the Windows Components Wizard, select Certificate Services in the Components list, then select the CA type (for example, Stand-alone root CA), set the name and validity period of the CA server, and specify where the certificate database and the certificate database log are saved. This completes the installation of Certificate Services.
Step 6: Enter http://localhost/CertSrv/default.asp in the browser and click "Request a certificate" on the page that opens, then click the "Advanced certificate request" link on the page that appears, then click the "Use the Base64 encoded CMC or PKCS#10 file to submit ..." link. Open the certificate request file that you just generated, copy and paste its contents into the "Saved Request" text box on the page that opens, and click Submit.
Step 7: After submission, the certificate request is in the pending state and must be issued before it takes effect. Click "Control Panel → Administrative Tools → Certification Authority", expand the tree in the left pane and select "Pending Requests", then in the right pane click the pending certificate and choose "All Tasks → Issue". Next select "Issued Certificates", double-click the certificate you just issued in the right pane, click the "Details" tab in the Certificate window that opens, and click the "Copy to File" button. Click "Next" in the Certificate Export Wizard window that pops up, set the save path of the certificate in the "File to Export" window that appears, and click "Finish".
Step 8: In IIS Manager, click the "Server Certificate" button on the "Directory Security" tab, select "Process the pending request and install the certificate" in the "Pending Certificate Request" window that appears, and click "Next". In the window that appears, specify the path of the certificate you exported, then keep the default settings until you click "Finish".
Step 9: On the Directory Security tab, click the Edit button in the Secure communications section, select "Require secure channel (SSL)" and "Require 128-bit encryption", and click OK.
Step 10: On the Directory Security tab, click Edit in the Authentication and access control section. In the window that appears, clear "Enable anonymous access" and "Integrated Windows authentication", select "Basic authentication", and then click OK.
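The request file saved in step 4 can be checked before it is pasted into the CA page in step 6. The Python below is an added example, not part of the original article: inspect_csr reads a Base64 PKCS#10 request and returns the common name from step 3 and the RSA bit length from step 2. The function names and the sample_csr request (constructed, unsigned, with a placeholder modulus) are assumptions made for illustration.

```python
import base64

OID_CN = bytes.fromhex("550403")                # 2.5.4.3 commonName
OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption

def parse(body):
    """Split DER bytes into a list of (tag, content) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                            # long form: next k bytes hold the length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def inspect_csr(pem):
    """Return (common_name, rsa_key_bits) from a Base64 PKCS#10 request file."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    info = parse(parse(base64.b64decode(b64))[0][1])[0][1]  # CertificationRequestInfo
    _version, (_, name), (_, spki) = parse(info)[:3]
    cn = None
    for _, rdn in parse(name):                  # Name = SEQUENCE of SET of SEQUENCE
        for _, atv in parse(rdn):
            (_, oid), (_, value) = parse(atv)
            if oid == OID_CN:
                cn = value.decode("latin-1")    # assumes a single-byte string type
    _alg, (_, bitstring) = parse(spki)
    (_, modulus), _exponent = parse(parse(bitstring[1:])[0][1])  # skip unused-bits octet
    return cn, int.from_bytes(modulus, "big").bit_length()

def tlv(tag, body):
    """DER-encode one element; only used to build the constructed sample below."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_csr(cn, bits):
    """Constructed, unsigned request with a placeholder modulus (not a real key)."""
    n = tlv(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    alg = tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + tlv(0x30, n + tlv(0x02, b"\x01\x00\x01"))))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x13, cn.encode()))))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + alg + tlv(0x03, b"\x00"))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode()
            + "-----END NEW CERTIFICATE REQUEST-----\n")
```

Pass the text of your own request file to inspect_csr and compare the result with the common name and bit length you entered in the wizard.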
Collected on 2009-04-08
This article is from the "Five Corners" blog, please be sure to keep this source http://hi289.blog.51cto.com/4513812/1754986