using SSL to configure HTTPS Web sites in IIS
Due to the popularity of Windows systems, many small and medium-sized enterprises in their own web site and internal office management system are using the default IIS to do Web server use.
By default, the HTTP protocol we use does not have any encryption, all messages are transmitted over the network in clear text, and a malicious attacker can install a listener to obtain communication between us and the server. This harm in some enterprises in the internal network is particularly large, for the use of the hub of the enterprise intranet is simply no security can be said because anyone can see other people on a computer in the network activities, for the use of the switch to networking network, although the security threat is much smaller, However, many times there will be a security breach, such as the switch does not change the default user and password, people go up to their own network interface set as a listener, can still monitor the entire network of activities.
IIS authentication, in addition to anonymous access, Basic authentication, and Windows NT Request/Response, is a more secure authentication that uses digital certificates through the SSL (security Socket Layer) secure mechanism.
As a result, more and more enterprises are using SSL to avoid or reduce the loss caused by the network security.
SSL (the cryptographic Sockets Layer) is between the HTTP layer and the TCP layer, establishing encrypted communication between the user and the server, ensuring the security of the information passed. SSL is based on public and private keys, and any user can obtain a public key to encrypt the data, but the decryption data must pass the corresponding private key. When using the SSL security mechanism, first, the client and the server to establish a connection, the server to its digital certificate and public key one concurrent to the client, the client randomly generated session key, with the public key from the server to encrypt the session key, and the session key on the network passed to the server, The session key can only be decrypted with a private key on the server side, so that the client and server end up with a unique secure channel.
Once SSL security is established, only SSL-enabled customers can communicate with SSL-allowed Web sites, and when using a URL resource Locator, enter https://instead of http://.
Let's take the WIN2000 server version as an example of how to use SSL to encrypt the HTTP channel to enhance IIS security.
Method of Operation
We first need to install Certificate Services in the Control Panel by adding and removing Windows components, which are not installed in the system in the default installation and need to be installed to install the CD.
Then select the installation type of the stand-alone root CA. Then, in the next step, give your CA a name to complete the installation.
Once the installation is complete, we can start our IIS Manager to request a digital certificate, start Internet Manager to select the Web site we need to configure
Select the directory security-Secure Communication-server certificate in the site properties
Since we were configured for the first time, we chose to create a new certificate.
Use the default site name and encryption bit length settings.
Select a place to save a request certificate that we just generated.
Once the above settings are complete, we will submit the server certificate we just generated to the Certificate Server we just installed locally. By default, when the Certificate Server completes the installation, several virtual directories are generated in the Web server in the local IIS.
We open the http://localhost/CertSrv/default.asp.
Select Request Certificate
Select the advanced application when choosing the type of application.
Choose to submit our certificate request using the Base64 encoding method.
Copy the contents of the certreq.txt we just generated in place of the certificate application and select Submit.
After the submission is successful, a page will be returned to us to tell us that the certificate has been successfully submitted and that the pending status is waiting for the CA center to issue the certificate.
Okay, then, start the certification authority in the Admin tool, locate the application in the pending request, and then click the right mouse button to select the issue.
After the award is successful, we find the certificate we just issued in the issued certificate, double-click its Properties section and choose to copy the certificate to the file in the details.
We need to export the certificate to a file where we export the certificate to the C:/sql.cer file.
Re-select the certificate request in the IIS Web Admin interface, and this time the interface is pending certificate requests.
Select the Sql.cer this file for our lead department.
When you are sure that all the information is correct, you can click Next to confirm the installation of SSL.
When the default installation is complete, SSL does not start the encrypted channel we need to SSL for our site, and it is determined that HTTPS uses a port of 443.
The first time to enter the site through HTTPS, there will be a dialog box let us confirm whether to agree with the current certificate, of course, agree ~
Well, when we look at this site, all the information is transmitted in encrypted form on the Internet, and no one can easily understand the content.
Encrypted SSL can be slower than normal, unencrypted web browsing, mainly because the encrypted tunnels take up a bit of CPU resources, and no encrypted SSL channel is required for those Web sites that don't have any secrets to speak of. This is necessary only for those important directories and sites.