This article describes how to configure IIS so that a website is reached only over an SSL secure channel and, on that basis, discusses in detail how IIS enforces authentication of the client certificates presented by browsers: requesting and installing the IIS SSL server certificate to set up the SSL channel, requesting and installing a client certificate, how IIS maps a client certificate to a Windows account on the server, and so on.
Part One: Test environment configuration
Prepare three machines, all running Windows 2003. The role of each machine and the services and configuration to be installed on it are as follows:
1. win2003 system_1
IP: 192.168.1.11
Computer name: win2003base1
Server role: this server hosts Certificate Services and acts as the CA.
1.1. Install IIS, which hosts the Certificate Services web enrollment pages.
1.2. Install Certificate Services and set the common name of the CA to TestCA.
During the installation of Certificate Services, a certificate for the CA itself is generated; this self-issued certificate is the root certificate of the CA:
After Certificate Services is installed, the TestCA certificate is saved in several locations in the certificate store:
- In the local computer store: Personal, Trusted Root Certification Authorities and Intermediate Certification Authorities, including both the Certificates and the Certificate Revocation List folders under Intermediate Certification Authorities (why does it also appear under the certificate revocation list?).
- In the current user store: Personal.
2. win2003 system_2
IP: 192.168.1.12
Computer name: win2003base2
Server role: this server acts as the web server hosting the test website, which is configured for SSL secure-channel access and requires a client certificate.
2.1. Install IIS
The Default Web Site is used as the test website for client certificate access.
3. win2003 system_3
IP: 192.168.1.13
Computer name: win2003base3
Role of the machine: this machine acts only as a plain IE client; it requests a client certificate and uses that certificate to access the web server.
Part Two: Configuration process
1. win2003 system_2: request and configure the IIS SSL server certificate
1.1. Generate the certificate request file
In IIS, open the properties of the website to be secured, click Directory Security, then Server Certificate, and select Create a new certificate:
Click Next, and Next again.
The wizard proposes the current website's name as the default. This name does not go into the certificate; it is only a friendly name that helps administrators identify the certificate. Click Next:
Organization and organizational unit: this information is placed in the certificate request, so make sure it is correct. The CA verifies it and puts it in the issued certificate, and users browsing your website can review it when deciding whether to accept the certificate. Click Next:
The common name is the most important field in the certificate. It is the DNS name of the website, that is, the name users type when browsing to your site. If the common name in the certificate does not match the site name, the browser reports a certificate problem when users visit the site.
If your website is on the Internet and is named www.contoso.com, that is the common name you should specify.
If your site is an internal site and users browse to it by computer name, enter the NetBIOS or DNS name of the computer.
Here, because the computer name of the win2003 system_2 server is WIN2003BASE2, the common name WIN2003BASE2 is used.
Click Next, and Next again.
You are asked for the file name of the certificate request, which is the Base64-encoded representation of your request. The request contains the information entered in the wizard together with your public key, and it is signed with your private key.
Send this request file to the CA. The CA uses the public key contained in the request to verify the signature made with your private key, and it also verifies the information supplied in the request.
When the CA has processed the request, it returns the certificate as a file. You then run the Web Server Certificate Wizard again to install it.
Click Next:
Click Finish to complete the generation of the request.
1.2. Submit the certificate request
Now send the certificate request to the CA for verification and processing. After receiving the certificate response from the CA, run the IIS Certificate Wizard again to finish installing the certificate on the web server.
Use Notepad to open the request file generated in the previous step and copy all of its contents to the clipboard.
Start Internet Explorer and navigate to http://192.168.1.11/certsrv, the Certificate Services web enrollment page on win2003 system_1.
Click Request a certificate, and then click Next.
On the Choose Request Type page, click Advanced request, and then click Next.
On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS #10 file, and then click Next.
On the Submit a Saved Request page, click in the Base64 encoded certificate request (PKCS #10 or #7) text box and press CTRL+V to paste the request copied to the clipboard earlier.
Click Submit.
1.3. Issue the certificate
After the request has been submitted, the administrator of the certification authority on win2003 system_1 approves the pending request and issues the win2003base2 certificate.
Verify that the certificate appears in the Issued Certificates folder, then double-click it to view it.
On the Details tab, click Copy to File and save the certificate as a Base-64 encoded X.509 certificate.
Close the certificate's properties window.
1.4. Install the certificate
In IIS on win2003 system_2, open the website's Properties and click the Directory Security tab.
Click Server Certificate to start the Web Server Certificate Wizard.
Click Process the pending request and install the certificate, and then click Next.
Enter the path and file name of the file containing the CA's response, and then click Next.
Review the certificate summary, click Next, and then click Finish.
The certificate is now installed on the web server.
The win2003base2 certificate is installed on the win2003 system_2 computer, in the Personal folder of the local computer certificate store.
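The request, submission and installation steps of sections 1.1 to 1.4 can also be scripted with certreq.exe and certutil.exe instead of the IIS wizard and the certsrv pages. This is an added example, not part of the original article; it assumes both tools are present on win2003 system_2, that the CA is reachable as win2003base1\TestCA as set up in Part One, that the CA administrator still approves the pending request as in section 1.3, and the O and OU values are placeholders.

```powershell
# Added example: scripted equivalent of sections 1.1 - 1.4 with certreq/certutil.
# Assumes certreq.exe and certutil.exe are available on win2003 system_2 and that
# the CA is reachable as win2003base1\TestCA (names taken from Part One).

# The common name must match the name users type in the browser (section 1.1):
# here the computer name WIN2003BASE2. O and OU are placeholder values.
$CommonName = "WIN2003BASE2"
$CaConfig   = "win2003base1\TestCA"

# Request policy file: a machine key (MachineKeySet = TRUE) so IIS can use it,
# non-exportable so the private key stays on the server, RSA 2048, and the
# Server Authentication EKU that an SSL server certificate needs.
@"
[NewRequest]
Subject = "CN=$CommonName, O=Contoso, OU=IT"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@ | Set-Content -Path .\win2003base2.inf -Encoding Ascii

# 1.1 Generate the Base64 PKCS #10 request. The private key is created in the
#     local computer store and the request is recorded as pending.
certreq -new .\win2003base2.inf .\win2003base2.req

# 1.2 Submit the request to the CA. On a stand-alone CA it stays pending until
#     the CA administrator issues it (section 1.3); certreq prints the request
#     id needed to retrieve the certificate afterwards.
certreq -submit -config $CaConfig .\win2003base2.req .\win2003base2.cer

# If the request was left pending, retrieve it once issued (replace <RequestId>
# with the id printed by the submit step):
# certreq -retrieve -config $CaConfig <RequestId> .\win2003base2.cer

# 1.4 Install the issued certificate: certreq matches it to the pending request
#     and binds it to the private key in the local computer's Personal store.
certreq -accept .\win2003base2.cer

# Checks before binding the certificate to the site: the Subject CN must equal
# the host name clients use, and the chain must verify up to the TestCA root.
certutil -dump .\win2003base2.cer | Select-String "CN=", "Not After"
certutil -verify .\win2003base2.cer
```

In IIS 6 the installed certificate still has to be attached to the website: run the Web Server Certificate Wizard again and choose Assign an existing certificate, then require SSL as described in section 1.5.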
1.5. Configure the website to require SSL access.
In IIS, open the properties of the website and click the Directory Security tab. Click Edit under Secure communications and select Require secure channel (SSL). From now on, clients must browse to this website or virtual directory using HTTPS.