Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates
SSL allows the browser to exchange information with the web server over a secure channel that prevents eavesdropping, tampering, and message forgery. You should always use SSL on login pages (where users enter a user name and password) and on all other security-sensitive pages on a website, for example account pages that display financial or personal information.
In earlier versions of IIS on Windows, configuring SSL was very painful. I had to figure out how to install and manage certificates and how to associate a certificate with a website; I dare say that most web developers do not know how to do these things.
The good news is that IIS 7.0 makes configuring and enabling SSL a piece of cake. IIS 7.0 now has built-in support for creating self-signed certificates. A self-signed certificate lets you easily create a test or personal certificate, which you can then use to quickly enable SSL on a website for development or testing purposes.
If you use IIS 7.0, you can enable SSL for an existing website within 30 seconds. The following tutorial demonstrates how to do this.
Step 1: Create a new website
Use the new IIS 7.0 management tool to create a new website. This management tool is a complete rewrite of the previous IIS management tool (written entirely in managed code using Windows Forms) and provides a more logical structure for web features. It provides a GUI management experience for all ASP.NET and IIS settings:
To create a new website on the machine, right-click the "Web Sites" node in the left-hand tree view and select the "Add Web Site" context menu option. Enter the appropriate details to create the new website:
One of the great features of IIS7 on Windows Vista is that the number of websites you can have on your computer is no longer limited (IIS on earlier Windows client versions allowed only one website). The limit of 10 concurrent requests that applied to IIS on earlier Windows client versions also no longer exists in IIS 7.0.
After completing the above steps, a brand new website is running on our IIS Web server.
Step 2: Create a new self-signed certificate
Before binding SSL rules to our new website, we must first import and set up a security certificate to use with the SSL binding.
In IIS 7.0, you can manage certificates by clicking the root machine node in the left-hand tree view of the manager and then selecting the "Server Certificates" icon in the feature pane on the right:
This will list all certificates registered on the machine and allow you to import or create new certificates.
I can also purchase a certificate from a Certificate Authority like Verisign and use this management interface to import it. Alternatively, I can create a "self-signed certificate", which is a test certificate that can be used to test my website during development. You can do this by clicking the "Create Self-Signed Certificate" link on the right-hand side of the management tool:
Enter a name for the certificate (for example, "test") and click OK. IIS7 will then automatically create a self-signed crypto certificate for you and register it with the machine:
Step 3: Enable HTTPS binding for our website
To enable SSL for the website we created earlier, select the website node in the tree view on the left, and then click the "Bindings" link in the "Actions" pane on the right side of the screen:
This will bring up a dialog box listing all the binding rules (host header / IP address / port combinations) that direct traffic to the website:
To enable SSL for the website, click Add. This will bring up an "Add Binding" dialog box, which can be used to add HTTPS support. In the SSL Certificate drop-down box of this dialog, select the self-signed certificate we created. This is the certificate that will be used to encrypt content sent over SSL:
Click OK, and SSL is now enabled for our website:
Step 4: Test our website
Add a "default.aspx" page to the website, and then enter https://localhost/default.aspx in the browser to access it. Note the use of "https" (instead of "http"), which indicates that you want to connect over SSL.
If you use IE7, you will see this anti-phishing error message:
If this happens, don't be afraid. IE is just trying to help by pointing out that the self-signed certificate on your local machine looks a little suspicious. Click the "Continue to this website" link to skip this security warning and continue to the website. You will find that your default.aspx page is now running under SSL protection:
And with that, we're all done!
Appendix: Several Notes on SSL
Finally, several considerations related to SSL:
The IIS 7.0 management tool has an "SSL Settings" node that you can select for each website, directory, or file. It lets you control whether a particular resource may only be requested over SSL. This is useful for pages such as login.aspx, where you must ensure that users can submit their credentials only over the encrypted channel. If you configure login.aspx to require SSL, IIS 7.0 blocks browser access to it unless the request is made over SSL.
In an ASP.NET page or handler, you can check the Request.IsSecureConnection property to determine programmatically whether the current request uses SSL (the property returns true if the incoming browser request uses SSL).
You can set the "requireSSL" attribute on the forms authentication configuration section in the web.config file so that the ASP.NET forms authentication system ensures forms authentication cookies are set and used only on SSL-enabled pages and URLs. This avoids the risk of a hacker intercepting the authentication cookie on a page that is not protected by SSL and then using a "replay attack" from another machine to impersonate the user.
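The "SSL Settings" and "requireSSL" notes above, written out as configuration. This is an added example, not part of the original article; it assumes the file is the root web.config of the site that received the HTTPS binding in Step 3, and it reuses the page names login.aspx and default.aspx from the tutorial.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example. Assumes the site already has the HTTPS binding from Step 3. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Weak (the default when the attribute is omitted): the forms
           authentication cookie is also sent over plain HTTP, where it can
           be intercepted and replayed from another machine.
           <forms loginUrl="login.aspx" defaultUrl="default.aspx" requireSSL="false" />
      -->
      <!-- Hardened: the cookie is marked Secure, so the browser returns it
           only over HTTPS. ASP.NET also refuses to issue the cookie when the
           login request itself did not arrive over SSL. -->
      <forms loginUrl="login.aspx" defaultUrl="default.aspx" requireSSL="true" />
    </authentication>
  </system.web>

  <!-- Configuration equivalent of ticking "Require SSL" under the
       "SSL Settings" node for login.aspx only: plain HTTP requests for this
       page are rejected by IIS before any page code runs. -->
  <location path="login.aspx">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
      </security>
    </system.webServer>
  </location>
</configuration>
```

If the access section is locked at server level, IIS rejects this web.config with a configuration error; in that case apply the same setting through the "SSL Settings" node in the management tool instead.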