Here: http://wenku.baidu.com/view/443644c26137ee06eff91838.html
Contents
1. SSL configuration of the IIS Server
The SSL configuration of the IIS server is divided into two parts: configuring the server certificate and configuring the SSL options. There are two ways to configure the server certificate: the method described in Section 1 of this chapter, and another method listed in the Chapter 2 reference. We recommend the method in this chapter.
1.1 Configure the server certificate
Step 1: Run "Internet Service Manager" to open the Service Manager.
Step 2: Right-click the Web site that uses the SSL protocol, select "Properties", and enter the SSL port 443 in the Web site option view. (You can also modify the port as needed.)
Step 3: Select "Directory Security,
Step 4: Select the server certificate and click Next. The IIS server certificate setting wizard appears.
Step 5: Select "Create a new certificate" and follow the wizard to fill in the relevant content to generate a certificate application form. Submit this application to the CA to have a server certificate issued. Note that the certificate application information entered at the CA must be the same as the certificate application information entered here.
Step 6: After the certificate is issued, open the wizard again. Now the options are different. Follow the Wizard to import the certificate. Detailed descriptions are provided in each step of the wizard.
1.2 Configure SSL options
Step 7: Now that your server has its own certificate, you can configure the SSL options. In the "Secure Communications" option view, select the "Edit" option.
The following screen is displayed:
Step 8: Select "Require secure channel (SSL)" here to establish an SSL channel. Under "Client certificates", you can choose how client certificates are verified. "Ignore client certificates" means that client certificates are not required to be verified. "Accept client certificates" means that clients with certificates are verified with their certificates, and clients without certificates are verified by other methods. "Require client certificates" means that the server only communicates with clients that own a certificate. Select as needed. Select "Require client certificates" for two-way authentication.
Step 9: Import the CA root certificate on the server
On the IIS server, double-click to open the CA root certificate (it must be from the CA that issued the IIS server certificate). The CA root certificate can be downloaded from the CA website.
Click Install certificate. The certificate Installation Wizard appears.
Click Next to select the certificate store.
Select "Place all certificates in the following store" and click "Browse" to display the Select Certificate Store dialog box.
Select "Show physical stores", select "Trusted Root Certification Authorities -> Local Computer", and click OK.
The wizard shows the path just selected. Click Next to display the settings just made.
Click Finish to import the CA root certificate.
Step 10: Cancel IIS verification of CRL information
In the Public Security PKI/PMI System, certificate validity is verified in the applications themselves, so the CRL check in IIS needs to be cancelled. After this change IIS itself no longer rejects revoked client certificates; revocation is enforced only by the application's validity check.
Go to the C:\Inetpub\AdminScripts directory on the console (this directory is automatically generated after IIS is installed).
Run the following command to cancel the CRL verification in IIS:
cscript adsutil.vbs set w3svc/certcheckmode 1
The following screen is displayed, indicating that the setting is successful.
2. Reference: How to directly import a .pfx certificate as a server certificate
Before proceeding with the following configuration, you must first obtain a .pfx certificate file issued for the server.
Step 1: Click Start > Run, enter MMC, and click OK. For example:
The pop-up console window is as follows:
Step 2. Click "File --> Add/Remove Snap-in" to bring up the Add/Remove Snap-in dialog. At this time, there is no information under the root node of the console.
Step 3. Select "Add". The "Add Standalone Snap-in" window is displayed. Select "Certificates" and click "Add".
The Certificates snap-in dialog is displayed. Select the account for managing certificates as needed; here, select "Computer account".
Select "Local Computer" and click Finish.
Step 4. Close the "Add Standalone Snap-in" window and view the "Certificates" entry under the root node of the console.
Click "OK" to return to the console interface.
Step 5: Double-click "Certificates --> Personal --> Certificates" under "Console Root". Right-click "Certificates" and select "Import".
The certificate import wizard is displayed:
Step 6. Click "Next" and select the .pfx file to be imported as prompted.
Enter the certificate password:
For the certificate store, keep the default selection, "Personal".
Complete Certificate import:
Save the current configuration and exit the console.
For IIS 6.0 or later versions, you do not need to use the console. You can import the certificate directly in IIS 6.0.
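
A scripted equivalent of the two GUI imports above (the CA root in Step 9 and the .pfx in Section 2), followed by the checks worth running before the certificate is used for the site. This is an added example, not part of the original document; it assumes a Windows Server version that ships the Import-Certificate and Import-PfxCertificate cmdlets, and the two file paths are placeholders.

```powershell
# Added example, not from the original page. Run elevated on the IIS server.
# $RootPath and $PfxPath are placeholder file names (assumptions).
$RootPath = 'C:\certs\ca-root.cer'
$PfxPath  = 'C:\certs\server.pfx'

# Step 9: CA root into "Trusted Root Certification Authorities -> Local Computer".
$root = Import-Certificate -FilePath $RootPath -CertStoreLocation Cert:\LocalMachine\Root |
    Select-Object -First 1

# Section 2: .pfx into "Personal" of the computer account.
# The password is prompted for, so it never lands in the script or shell history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$server = Import-PfxCertificate -FilePath $PfxPath -Password $password `
    -CertStoreLocation Cert:\LocalMachine\My | Select-Object -First 1

$problems = @()

# IIS cannot serve SSL with a certificate whose private key was not imported.
if (-not $server.HasPrivateKey) { $problems += 'no private key imported' }

$now = Get-Date
if ($now -lt $server.NotBefore -or $now -gt $server.NotAfter) {
    $problems += 'certificate is outside its validity period'
}

# EKU extension is OID 2.5.29.37; Server Authentication is 1.3.6.1.5.5.7.3.1.
# A certificate with no EKU extension is unrestricted, so only a present EKU is checked.
$eku = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) {
    $usages = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    if ($usages -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'EKU does not allow Server Authentication'
    }
}

# Build the trust path. Revocation is not checked here, matching Step 10,
# where validity checking is left to the application.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($server)) {
    $problems += $chain.ChainStatus | ForEach-Object { "chain: $($_.Status)" }
} else {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $root.Thumbprint) { $problems += 'chain does not end at the imported CA root' }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else {
    "OK: $($server.Subject) [$($server.Thumbprint)] chains to $($root.Subject)"
}
```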