Building a website with HTTPS two-way authentication

I. New website

Before building the website certificate, we first build the website itself.

1. Basic construction of the website

To create a new website for our project, follow the steps below.

1. Open IIS, right-click the website node to bring up the menu, and select the website item (as shown in Figure 1.1.1).

Figure 1.1.1

2. As shown in Figure 1.1.2, click Next.

Figure 1.1.2

3. As shown in Figure 1.1.3, fill in a website name, and then click Next.

Figure 1.1.3

4. As shown in Figure 1.1.4, specify a port number for the website (note that it is better not to use the default port number 80 for our website).

Figure 1.1.4

5. As shown in Figure 1.1.5, for the path, select the directory under our ToolPlatform directory where the web pages are located.

Figure 1.1.5

6. As shown in Figure 1.1.6, grant the website read permission.

Figure 1.1.6

7. As shown in Figure 1.1.7, finally click Finish; the website is now basically created.

Figure 1.1.7

2. Set website properties

1. Right-click the name of the website just created to bring up the website menu, as shown in Figure 1.2.1.

Figure 1.2.1

2. Select the "Properties" menu item; the website properties window opens. Set the "Home Directory", "Documents" and "ASP.NET" tabs according to the values circled in red in Figure 1.2.2 to Figure 1.2.4.

Figure 1.2.2

Figure 1.2.3

Figure 1.2.4

3. Website permission settings

1. Right-click the name of the website just created to bring up the website menu, and select Permissions, as shown in Figure 1.3.1.

Figure 1.3.1

2. The website directory permission settings page opens, as shown in Figure 1.3.2; click the Add button.

Figure 1.3.2

3. Add IIS_WPG and IUSR_xxx (xxx is the host name) and modify their permissions. Taking IIS_WPG as the example: Figure 1.3.3 is the add window; click the "Advanced" button.

Figure 1.3.3

4. As shown in Figure 1.3.4, click "Find Now".

Figure 1.3.4

5. As shown in Figure 1.3.5, click "IIS_WPG", then click "OK".

Figure 1.3.5

6. As shown in Figure 1.3.6, click "OK".

Figure 1.3.6

7. As shown in Figure 1.3.7, "IIS_WPG" has been added successfully. Remember to modify the permissions of "IIS_WPG".

Figure 1.3.7

8. In the same way, add the guest account (IUSR_xxx) in the window, as shown in Figure 1.3.8.

Figure 1.3.8

II. Server certificate construction

1. Generation of certificate request file

1. Select "Properties" in the pop-up menu, then switch to the "Directory Security" tab, and then click the "Server Certificate" button (as shown in Figure 2.1.1 and Figure 2.1.2).

Figure 2.1.1

Figure 2.1.2

2. In the web wizard window, select Next, as shown in Figure 2.1.3

Figure 2.1.3

3. In the "IIS Certificate Wizard" window, select the "New Certificate" option, click "Next", and select "Prepare the certificate request now, but send it later" (as shown in Figure 2.1.4 and Figure 2.1.5).

Figure 2.1.4

Figure 2.1.5

4. Then name the certificate in the "Name" field, and select the key bit length in the "Bit length" drop-down list. Note that the bit length should not be set too large, otherwise it will affect communication quality. Then set the organization, department, and geographic information of the certificate, and enter the domain name of the website in the site's "Common name" field (as shown in Figure 2.1.6, Figure 2.1.7, Figure 2.1.8 and Figure 2.1.9).

Figure 2.1.6

Figure 2.1.7

Figure 2.1.8

Figure 2.1.9

5. Then specify where to store the certificate request file. Here, the author saves the certificate request text file as "c:/certreq.txt". This completes the generation of the certificate request file (Figure 2.1.10, Figure 2.1.11, Figure 2.1.12 and Figure 2.1.13).

Figure 2.1.10

Figure 2.1.11

Figure 2.1.12

Figure 2.1.13

2. Install Certificate Services

After the certificate request file has been generated, you can apply for the IIS website certificate. This process requires Certificate Services, which is not installed by default in Windows 2003 and has to be added manually.

1. Run "Add or Remove Programs" in "Control Panel", switch to "Add/Remove Windows Components" page, as shown in Figure 2.2.1.

Figure 2.2.1

2. In the "Windows Components Wizard" dialog box, select the "Certificate Services" option, then select the CA type, and select "Yes", as shown in Figure 2.2.2.

Figure 2.2.2

3. Select "Stand-alone root CA" here, as shown in Figure 2.2.3.

Figure 2.2.3

4. Then name the CA server and set the validity period of the certificate. It is recommended to use the default value of "5 years" (as shown in Figure 2.2.4)

Figure 2.2.4

5. After specifying the location of the certificate database and the certificate database log, select "Yes" to complete the installation of Certificate Services, as shown in Figure 2.2.5 and Figure 2.2.6.

Figure 2.2.5

Figure 2.2.6

Note: This step may require the ISO image file of the system to be installed.

3. Apply for IIS website certificate

1. Run the IE browser and type "http://127.0.0.1/CertSrv/default.asp" in the address bar. Then click the "Request a Certificate" link in the "Microsoft Certificate Services" welcome window, as shown in Figure 2.3.1.

Figure 2.3.1

Note: The IP address after http:// is determined by the IP address of the server hosting the website. Here our website is deployed on the local server, so the IP is 127.0.0.1.

2. Then click the "advanced certificate request" link under the certificate request type, and click the "Submit using BASE64-encoded CMC or PKCS#10 file...." link in the advanced certificate request window (as shown in Figure 2.3.2 and Figure 2.3.3).

Figure 2.3.2

Figure 2.3.3

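3. Next, copy the contents of the certificate request file into the "Saved Request" input box; here our certificate request file is saved as "c:/certreq.txt". Finally, click the "Submit" button (as shown in Figure 2.3.4, Figure 2.3.5 and Figure 2.3.6).

Figure 2.3.4

Figure 2.3.5

Figure 2.3.6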

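4. Issue the IIS website certificate

1. Although the application for the IIS website certificate is complete, it is still in a pending state and only takes effect after it has been issued. In "Control Panel → Administrative Tools", run the "Certification Authority" program (as shown in Figure 2.4.1).

Figure 2.4.1

2. In the left pane of "Certification Authority", expand the tree and select the "Pending Requests" folder. In the right pane, find the certificate that was just requested, right-click it, and choose "All Tasks → Issue" (as shown in Figure 2.4.2 and Figure 2.4.3).

Figure 2.4.2

Figure 2.4.3

3. Next, click the "Issued Certificates" folder, right-click the certificate that was just issued and choose "Open", then switch to the "Details" tab in the "Certificate" dialog (as shown in Figure 2.4.4, Figure 2.4.5 and Figure 2.4.6).

Figure 2.4.4

Figure 2.4.5

Figure 2.4.6

4. Click the "Copy to File" button; the certificate export dialog opens. Click Next all the way through (as shown in Figure 2.4.7, Figure 2.4.8 and Figure 2.4.9).

Figure 2.4.7

Figure 2.4.8

Figure 2.4.9

5. Specify the file name in the "File to Export" field; here we save the certificate as "c:/of.cer". Finally, click "Finish" (as shown in Figure 2.4.10, Figure 2.4.11 and Figure 2.4.12).

Figure 2.4.10

Figure 2.4.11

Figure 2.4.12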

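5. Import the IIS website certificate

1. On the "Directory Security" tab in IIS Manager, click the "Server Certificate" button (as shown in Figure 2.5.1).

Figure 2.5.1

2. Click "Next"; the "Pending Certificate Request" dialog appears. Select the "Process the pending request and install the certificate" option (as shown in Figure 2.5.2 and Figure 2.5.3).

Figure 2.5.2

Figure 2.5.3

3. After clicking "Next", specify the location of the IIS website certificate file that was just exported, then specify the port used for SSL; it is recommended not to use the default "443". Finally, click the "Finish" button (as shown in Figure 2.5.4, Figure 2.5.5, Figure 2.5.6 and Figure 2.5.7).

Figure 2.5.4

Figure 2.5.5

Figure 2.5.6

Figure 2.5.7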

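6. Configure the IIS server

1. After the certificate has been imported, the IIS website still does not have SSL encryption enabled, so the IIS server has to be configured. Select the site directory that should require encrypted access (to encrypt the whole site, select the entire site); here we use the entire site as the example. Right-click it and open the properties page (as shown in Figure 2.6.1).

Figure 2.6.1

2. On the "Directory Security" tab, click the "Edit" button in the secure communications section.

Figure 2.6.2

3. Select the "Require secure channel (SSL)" and "Require 128-bit encryption" options, and select the client certificates option, then click the "OK" button (as shown in Figure 2.6.3).

Figure 2.6.3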

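7. Export the root certificate

1. Open the IE browser and find Internet Options under Tools (as shown in Figure 2.7.1).

Figure 2.7.1

2. In Internet Options, select the "Content" tab and click "Certificates" (as shown in Figure 2.7.2).

Figure 2.7.2

3. In the Certificates dialog, click "Trusted Root Certification Authorities" and find the root certificate by name. Select that certificate, then click the "Export" button (as shown in Figure 2.7.3).

Figure 2.7.3

4. Click Next (as shown in Figure 2.7.4).

Figure 2.7.4

5. In this step, we can simply enter "c:\root.cer" (as shown in Figure 2.7.5).

Figure 2.7.5

6. Finally, click Finish; the exported root certificate can then be seen on drive C (as shown in Figure 2.7.6 and Figure 2.7.7).

Figure 2.7.6

Figure 2.7.7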

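III. Client certificate construction

Building the client certificate is much the same as building the root certificate. The first thing to do is request a certificate.

1. Request a certificate

1. Following the steps used to request the root certificate, open the certificate request page and click "Request a certificate", as shown in Figure 3.1.1.

Figure 3.1.1

2. Select "Web Browser Certificate", as shown in Figure 3.1.2.

Figure 3.1.2

3. Open "More Options" and "Use the Advanced Certificate", as shown in Figure 3.1.3 and Figure 3.1.4.

Figure 3.1.3

Figure 3.1.4

4. "Name" is the login user name, "Key Size" must be set to 2048, and "Mark keys as exportable" must be ticked. Finally, click Submit (as shown in Figure 3.1.5). At this point we have successfully applied for the client certificate (as shown in Figure 3.1.6).

Figure 3.1.5

Figure 3.1.6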

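2. Issue the certificate

1. As shown in Figure 3.2.1, go to the certificate issuing window.

Figure 3.2.1

2. In the certificate issuing window, click "Pending Requests"; the client certificate that was just requested is listed. It can now be issued as shown in Figure 3.2.2.

Figure 3.2.2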

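3. Install the certificate

1. Open the certificate request page and, as shown in Figure 3.3.1, click "View the status of a pending certificate request".

Figure 3.3.1

2. On the certificate status page, as shown in Figure 3.3.2, click "Client Authentication Certificate…..".

Figure 3.3.2

3. Click "Install this certificate", as shown in Figure 3.3.3.

Figure 3.3.3

4. A warning window pops up; choose "Yes", as shown in Figure 3.3.4. After the certificate has been installed successfully, the page shown in Figure 3.3.5 is displayed.

Figure 3.3.4

Figure 3.3.5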

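4. Export the certificate

1. From the IE browser, open the Certificates window and click Personal (as shown in Figure 3.4.1). In the Personal certificates window you can see the client certificate installed earlier.

Figure 3.4.1

2. The steps for exporting the certificate are much the same as those for exporting the root certificate. However, there is a step for exporting the certificate's key; by default the key is not exported. For security's sake, we choose to export the key, as shown in Figure 3.4.2.

Figure 3.4.2

3. For the export format, choose the default format, as shown in Figure 3.4.3.

Figure 3.4.3

4. Set the certificate password, as shown in Figure 3.4.4.

Figure 3.4.4

5. As shown in Figure 3.4.5, enter the file name manually. The file name must end with .pfx.

Figure 3.4.5

6. After clicking "Finish" in the window shown in Figure 3.4.6, look under drive C; the demo.pfx certificate is there, as shown in Figure 3.4.7.

Figure 3.4.7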
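The three files exported in this walkthrough (the root certificate "c:\root.cer", the IIS website certificate "c:/of.cer" and the client certificate demo.pfx) can be checked against each other before the client certificate is handed out. The PowerShell script below is an added example, not part of the original article; the function names, the output format and the assumption that demo.pfx sits in C:\ are illustrative.

```powershell
# Added example (not from the article): sanity-check the exported certificate files.
# Default paths follow the article; C:\demo.pfx is an assumed location for demo.pfx.
param(
    [string]$RootPath   = 'C:\root.cer',  # exported CA root certificate
    [string]$ServerPath = 'C:\of.cer',    # issued IIS website certificate
    [string]$ClientPath = 'C:\demo.pfx'   # exported client certificate with key
)
$X509Cert      = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-IssuedBy($Cert, $Root) {
    # Build the chain with the exported root as extra material and require
    # that the chain really ends at that root (compared by thumbprint).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'  # assumption: the test CA's CRL may be unreachable
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    $built = $chain.Build($Cert)
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($built -and $top.Thumbprint -eq $Root.Thumbprint)
}

function Test-Eku($Cert, $Oid) {
    # A certificate with no EKU extension is not restricted to any purpose.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $oids = @($Cert.Extensions | Where-Object { $_ -is $ekuType } |
              ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    return ($oids.Count -eq 0 -or $oids -contains $Oid)
}

$root   = New-Object $X509Cert -ArgumentList $RootPath
$server = New-Object $X509Cert -ArgumentList $ServerPath
$pfxPwd = Read-Host -AsSecureString "Password for $ClientPath"   # never hard-code it
$client = New-Object $X509Cert -ArgumentList $ClientPath, $pfxPwd

$checks = [ordered]@{
    'Root certificate is self-signed'       = ($root.Subject -eq $root.Issuer)
    'Server certificate chains to the root' = (Test-IssuedBy $server $root)
    'Server certificate allows server auth' = (Test-Eku $server $ServerAuthOid)
    'Client certificate chains to the root' = (Test-IssuedBy $client $root)
    'Client certificate allows client auth' = (Test-Eku $client $ClientAuthOid)
    'Client PFX contains the private key'   = $client.HasPrivateKey
    'Client key is at least 2048 bits'      = ($client.PublicKey.Key.KeySize -ge 2048)
}
'Server: {0}, {1}-bit key, valid until {2:yyyy-MM-dd}' -f $server.Subject, $server.PublicKey.Key.KeySize, $server.NotAfter
$checks.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

The .pfx file carries the client's private key, so it and its password should be stored and transferred separately from the .cer files.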
