Use Certificate Server 1.0 (Certificate Server 1.0) as Certificate Authority
Wouldn't it be nice if you could give trusted users access to encrypted websites transparently? In this way, whenever these users enter your site, they do not have to always need
To enter their username and password. A way for users to communicate with the encrypted portion of your site without having to provide a username and password is to configure IIS
(Internet Information Server, Interconnect Information Server) after requesting challenge/response authentication, use IE browser on Windows NT systems. But if you
Users are not using NT system or IE browser, then what should do? The answer is: Use Microsoft Certificate Server (Microsoft Certificate Services
Device).
Certificate Server is part of the NT 4.0 Option Pack, which enables you to generate and distribute digital certificates for those who are qualified for authentication.
This allows them to access their NT user accounts without having to provide proof of identity when they log on to the site.
Digital certificates are important for the security of your network. A digital certificate is actually an electronic document that the computer system can use to identify and validate those browsing the network,
The identity of the user who is sending and receiving e-mail and transferring files. One way to obtain a digital certificate is through Certificate authority. These agencies, by verifying the identities of their users, to them or their
System to issue certificates. The Certificate Server (Certificate Server) allows you to act as a certificate authority within the enterprise, enabling you to protect the confidentiality of employees and reduce
Expenditure and improve the quality of service. (For background information on certificate Authority and digital certificates, see the article "You Can be a" in the October 1997 issue of Tao Zhou.
WEB Certification Authority ")
Unfortunately, it is difficult to find valuable documentation about configuring a Certificate Server. On TechNet and Microsoft sites, you might find a few words, but it
Rough materials often make it impossible for you to figure it out quickly. So in this article, I'll walk you through the process of installing and configuring the Certificate Server as I understand it,
This includes how to install a Certificate Server, start the Certificate Authority service, and issue a client certificate.
Starting point
First, you need to install Iis4.0,microsoft Management Console (MMC, Microsoft Management Console) and certificate Server 1.0. These all contain
On the CD-ROM of the Microsoft Windows NT 4.0 Option pack. Microsoft has released its site (http://www.microsoft.com/china/) with
The latest patches for correcting certificate Server1.0 defects. This flaw causes users without certificates to be blocked from the site when the system allows both certificates and anonymous access.
Outside Based on my experience with certificate servers, you don't really need this patch. Because when you configure access permissions, you can avoid this problem. Behind this point I
Will explain. (But, unfortunately, I've encountered some other bugs, and there are no patches for them yet.) )
Install the Certificate Server from the option Pack CD-ROM disc. If you have a Certificate Server installed and just can't make it work, I'll tell you a secret
Tactic. When the Certificate Server installation process prompts you to enter specific information about the CA (Certificate Authority, Certificate authority) in the installation window, as shown in screen 1,
Screen 1
If you do not enter the CA name in the state domain, IIS cannot properly register the CA in its database, causing the Certificate Server not to accept the client ID signed with this CA
Book. If you encounter this problem, you must reinstall the Certificate Server. However, when you reinstall the Certificate Server, you may receive the following two error messages
One--Certificate Server Configuration Wizard (Configuration Wizard) error or Windows NT installation error. In all the cases I've encountered, this information merely indicates
Files Csback.gif, csbull.gif, and cslogo.gif do not have a root directory from certificate Server (usually C:\winnt\system32
\CERTSRV) is copied to the CertEnroll subdirectory. If you receive these error messages, you may wish to manually complete the copies of these files.
Start the Certificate Authority (certificate Authority) service from the services item in the NT Control Panel. If the service does not start, the problem may be that the server cannot find
Microsoft Access database Certmdb.mdb. For unknown reasons, the Certificate Server installs ODBC (open Database connectivity, open
Database connection) The system data source name refers to the certificate Server root, while the Global.asa file in the Certadm subdirectory
Point it to the C:\winnt\system32 directory. In fact, the Certificate Server R installs the Certmdb.mdb file in the C:\winnt\system32 directory. So
The CertSrv system data source name (from Control Panel, ODBC entry) needs to be modified to point to the Certmdb.mdb file, as shown in screen 2. In this way, your CA service
The employment is ready and can be run.
Screen 2
Setting up a CA
The Certificate Server Installer prompts you to create an SSL (secure Sockets Layer, Secure Sockets Layer) key for the server. SSL Server Key Tolerance
Allow secure encrypted sessions between the network server and the client browser. If you do not have an SSL key, IIS 4.0 will not be able to use certificate-based client authentication. In Create New
Key (Create new key) dialog box by selecting "Automatically send" to a online authority (automatically send the request to a
Line authority) option, you can generate and sign SSL server key requests at once, as shown in screen 3.
Screen 3
If you choose to generate a key request file, you can verify the file using the command line utility of the Certificate Server certreq.exe. (You can use this file from the third
The party CA obtains a server key signature. When you get a signed secret key, the Certificate Server installation is done.
Now you have to add the CA you just created to the list of trusted CAs on the server. You can do this by installing a server key in your browser. To do this, start the suit
Internet Explorer 4.0, browse the site http://server name/certsrv/certenroll/cacerts.htm. Title is Certificate Authority
The Certificate List page will appear and will list the CA keys you just generated. Click on this connection and select "Open this file from its"
Location (open this file in its current location), you will see a prompt to install the new site certificate (the certificate for the Web), as shown in screen 4.
Screen 4
Click View Certificate to confirm that the key details are entered correctly, and then click OK. You will see another prompt asking you to add this certificate to the top storage and click OK.
Select the View menu in IE 4.0, select Internet Options, Content, authorities, and check that IE 4.0 has successfully increased the certificate to a trustworthy
List of the authoritative. You will see that the CA that you just generated is in the Certificate Authority list of IE 4.0, as shown in screen 5.
Screen 5
Finally, run the following command under the root directory of the IIS installation (usually C:\winnt\system32\inetsrv). These commands will take advantage of the detailed data of the CA you generated
New IIS Database:
Iisca
Net Stop iisadmin/y
Net start w3svc
Issue a client certificate
Now you can start issuing a client certificate. The client certificate will be installed directly on the browser. (both Netscape and Microsoft's new browsers support client certificates;
However, I will focus on IE 4.0. Browse Http://server name/certsrv/certenroll/ceenroll.asp from the client. Certificate
The Enrollment form (certificate registration form) will allow you to fill in the details of the customer's certificate. Fill in the correct items and click Submit Request. When submitting to
When asked, the Web server enrollment page for IE 4.0 will be invoked (the server's registration pages). Click Download on the page to get the client certificate
Installed in the browser. Select the View menu, select Internet Options, Content, Personal, and check that the client certificate is installed correctly, and you will be
This client certificate is seen in the client authentication (Customer authentication) window of IE 4.0.
After you install the client certificate, you need to let IIS know that the owner of this certificate is authorized to access the secured zone on the site. Because the network security of IIS is based on
Windows NT user account, IIS requires a way to map each client certificate to the account number of an NT user or group on the server. In fact, IIS is using
This is accomplished by using the Client Certificate mapping table (client certificate Mapping table). In order to create a client certificate mapping, you must separate each certificate from the
Introduce IIS in a text file. This is a tedious process, but it may be the only way to create a corresponding mapping. So, you have to find some way to capture the customer's bangs.
and store the client certificate installed in the browser in a text file. The easiest way to do this is to modify the ASP (Active Server Pages, dynamic Server Pages) code to actually
Is. Listing 1 lists the ASP code that writes the client certificate to a text file.
Listing 1 ASP code that writes a client certificate to a text file
<title>client Certificate capture</title>
<body>
<%
' Instantiate the ASP FileSystemObject in order
' To create a text file
Set fs = Server.CreateObject ("Scripting.FileSystemObject")
' Create text file using append mode
Set OutStream = fs. OpenTextFile ("C:\Inetpub\wwwroot\certificates\cert.txt", 8, True)
' Save certificate issuer information to text file
Outstream.writeline ("# Issuer:" & Request.clientcertificate ("Issuer"))
' Extract certificate subject (user) and account information
' From certificate
Su = request.clientcertificate ("Subject")
mx = len (su)
For x = 1 to MX
If Mid (su,x,1) =CHR (a) or mid (su,x,1) =CHR Then
Su=left (su,x-1) + ";" +right (Su,mx-x)
End If
Next
Outstream.writeline ("# Subject:" & su)
Outstream.writeline ("# Account:" & Request.ServerVariables ("Remote_user"))
' Extract encrypted certificate text from certificate; Encode text as 64-bit data
Uue = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789+/"
Outstream.writeline ("-----BEGIN Certificate-----")
CER = request.clientcertificate ("certificate")
lCERs = Len (CER)
L = 0
For x = 1 to lCERs step 3
A1 = ASC (Mid (cer,x,1))
If x+1 <= lCERs Then
A2 = ASC (Mid (cer,x+1,1))
If x+2 <=lcer Then
a3 = ASC (Mid (cer,x+2,1))
Else
a3 = 0
End If
Else
a2 = 0
a3 = 0
End If
Outstream.write Mid (Uue, (A1 and 252)/4 +1, 1)
Outstream.write Mid (Uue, (A1 and 3) *16 + (A2 and 240)/16 +1, 1)
If x+1 <= lCERs Then
Outstream.write Mid (Uue, (A2) *4 + (A3 and 192)/64 +1, 1)
If x+2 <= lCERs Then
Outstream.write Mid (Uue, (A3 and 63) +1, 1)
Else
Outstream.write "="
End If
Else
Outstream.write "= ="
End If
L = L +4
If L = Then
Outstream.writeline ("")
L = 0
End If
Next
If l > 0 Then
Outstream.writeline ("")
End If
Outstream.writeline ("-----End Certificate-----")
Response.Write "Your certificate information has been received and logged successfully <br>"
Response.Write "You'll be notified when we have configured your secured access to this Site"
%>
</body>
Create a directory on your Web server to store this ASP file and modify the path in the code appropriately so that it can write the certificate information to the correct location. The Modified Road
Diameter as shown in Listing 1. To enable this ASP program to create a text program (Cert.txt in Listing 1), you need to set permissions in IIS to allow write operations on this directory.
setting allows the directory hosting this ASP file to be accessed simultaneously in both HTTPS and anonymous, so that you can create a prompt to request a user to submit a certificate. In order to use HTTPS and
Anonymous access, use https://instead of http://to refer to this ASP file. Customers running this ASP file will receive a prompt to submit a client certificate. Knot
The information submitted by the user will be written to the text file and recorded.
If a customer browses to this ASP file and no client certificate is displayed in the Customer Verification window, there may be a problem with the CA information in the IIS metabase. To resolve this issue,
Re-run the three commands mentioned above (IISCA, net STOP iisadmin/y, and Net START w3svc) in the IIS root directory. Now the CERT.TX should contain
The customer certificate content, as shown in Listing 2. Copy the contents of listing 2 to your favorite text editor and save it to a file.
Now you can generate a mapping relationship between a client certificate and an NT user account. Select the directory you want to protect in the IIS 4.0 Directory Security tab, and follow
Set permission permissions for the Secure Communications dialog box as shown in 129 page screen 6.
Screen 6
This combination of permissions sets a request for a valid certificate for a Web visitor. Click Edit in the Secure Communications dialog box to create a client certificate
Shoot. (You can generate wildcard mappings, but I'll just introduce a single mapping here.) Determine that you selected the Basic tab in the Account Mappings dialog box.
As shown in screen 7, click Add to introduce the certificate text file that you copied from listing 2.
Screen 7
You will see the prompts to ask for the certificate text file. Enter the path and file name of the file and click OK. On the Basic tab of the Account Mappings dialog box, for this mapping
Specify a name, enter the appropriate NT account name for the user who needs access to this security zone (such as Iusr_server, and so on), and then enter and confirm its NT user password. Success
The mapping will look like screen 7.
Congratulations--you're a CA.
That's all! You have created a client certificate for the user, captured the certificate to write to a text file, and eventually mapped the certificate to an NT user account. Your users are now visiting
Ask your secure network area when you don't have to use the traditional username and password mechanism. Your users will be happier with easier access, and you will be more
Heart, because your safe network area is really safe.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.