1. Windows 2003: add components
Add IIS: Check "Application Server", double-click it to open its details, and check "IIS" and "ASP.NET".
Add Certificate System: Select Certificate Service.
When adding a component, just fill in the required content according to the operation, and then go to the next step until it is completed.
2. Unpack OpenSSL (the executable build, sometimes called the compiled version) to D:\; any drive will do.
Second, request the IIS certificate.
After setting up the IIS Web site, click the Server Certificate button in the Directory Security tab. Click Next, choose to create a new certificate, choose to prepare the certificate request now, then click Next and enter the name, company and department, common name, country, province and city; then Next, Next, Finish. The IIS certificate request has now been generated. The request file is C:\certreq.txt. Please remember the information you entered here.
Third, start working with OpenSSL.
(cmd -> d:\openssl-0.9.7\out32dll
Run the following commands there, and pay attention to the openssl.cnf file, which the commands below use.)
1. Generate a self-signed root certificate
openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 3650 -config d:\openssl-0.9.7\apps\openssl.cnf
PEM pass phrase: the password of the root certificate, which is of course important!
Country Name: CN // two-letter country code
State or Province Name: Guangdong // province name
Locality Name: Guangzhou // city name
Organization Name: Rising Sun // company name
Organizational Unit Name: home // department name
Common Name: besunny // your name (if you want to generate a server-side certificate, you must enter a domain name or IP address)
Email Address: email address
2. Copy cakey.pem to demoCA\private and cacert.pem to demoCA (both under out32dll).
copy cakey.pem demoCA\private
copy cacert.pem demoCA
Reminder: At this time, there are three files: cakey.pem: the private key file of CA, cacert.pem: the self-signed root certificate of CA, and certreq.txt: the certificate request file of IIS.
3. Use the CA certificate cacert.pem to sign the IIS request certreq.txt and issue the certificate server.pem
openssl ca -in certreq.txt -out server.pem -config d:\openssl-0.9.7\apps\openssl.cnf
4. Convert server.pem to x509 format
openssl x509 -in server.pem -out server.cer
Reminder: At this point you have two more files, server.pem and server.cer. Now copy the server.cer under bin to C:\
5. Import the generated certificate server.cer into IIS.
Open IIS, right-click the default web site and open its properties, and then click the Server Certificate button in the Directory Security tab. Click Next, choose to process the pending request and install the certificate, and then go to the next step. Normally c:\server.cer is already shown in the text box. If not, click the "Browse" button to find it yourself and go to the next step. Next, Finish. Return to the Directory Security tab, click the Edit button in the secure communication section, check Require Secure Channel (SSL), check Require 128-bit encryption, select Require Client Certificate, and then click OK.
6. Generate a client certificate
openssl req -newkey rsa:1024 -keyout clikey.pem -out clireq.pem -days 365 -config d:\openssl-0.9.7\apps\openssl.cnf
Fill in the certificate information by yourself, and some contents should be consistent with the root certificate.
7. The CA issues the client certificate
openssl ca -in clireq.pem -out client.crt -config d:\openssl-0.9.7\apps\openssl.cnf
8. Convert the client certificate to PKCS#12 format
openssl pkcs12 -export -clcerts -in client.crt -inkey clikey.pem -out client.p12 -config d:\openssl-0.9.7\apps\openssl.cnf
9. Install a trusted root certificate
Rename cacert.pem to cacert.cer, double-click the cacert.cer file to open the certificate information window, and then click the Install Certificate button. Next.
As a reminder, the following steps are the most critical:
Select "Place all certificates in the following store", and then click the Browse button.
Select Trusted Root Certification Authorities, check "Show physical stores", expand Trusted Root Certification Authorities, click Local Computer, and then click OK. Next, Finish. The root certificate has now been installed!
The installation of "client.crt" follows the same steps as above.
10. Install the client certificate
Locate the client.p12 file and copy it to your local computer, and then double-click it. Click Next, enter the password of the client certificate, and then finish and confirm. At this point, the client's certificate has been installed.
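
Before installing anything in steps 5, 9 and 10, the files produced in steps 1 to 8 can be checked. The batch file below is an added example, not part of the original page: it confirms that server.pem and client.crt chain to cacert.pem and that client.crt matches clikey.pem. It assumes it is run from d:\openssl-0.9.7\out32dll with the file names used above; the .tmp file names are made up for this example.

```bat
@echo off
rem Added example (not from the original page): checks on the files
rem produced in steps 1-8. Assumes it is run in d:\openssl-0.9.7\out32dll.
rem verify.tmp, crt.mod.tmp and key.mod.tmp are scratch names made up here.
setlocal

rem Both issued certificates must chain to the self-signed root.
rem The output is searched for "error" instead of trusting the exit code,
rem because old openssl builds can return 0 from a failed verify.
for %%F in (server.pem client.crt) do (
    openssl verify -CAfile cacert.pem %%F > verify.tmp 2>&1
    type verify.tmp
    findstr /I "error" verify.tmp >nul && goto :fail
)

rem client.crt must carry the public key of clikey.pem, otherwise the
rem PKCS#12 file from step 8 is unusable. The rsa command prompts for the
rem pass phrase of clikey.pem; only the public modulus is written to disk.
openssl x509 -noout -modulus -in client.crt > crt.mod.tmp
openssl rsa -noout -modulus -in clikey.pem > key.mod.tmp
fc crt.mod.tmp key.mod.tmp >nul || goto :fail

rem Show what is about to be installed. The common name in the server
rem subject should be the site's domain name or IP address.
openssl x509 -noout -subject -issuer -dates -in server.pem
openssl x509 -noout -subject -issuer -dates -in client.crt

del verify.tmp crt.mod.tmp key.mod.tmp
echo All checks passed.
exit /b 0

:fail
echo Check failed: do not install these certificates.
del verify.tmp crt.mod.tmp key.mod.tmp 2>nul
exit /b 1
```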