I previously wrote an article, "Security ━━ Windows 2008 self-built certificate, IIS HTTPS server configuration and browser error handling"; the configuration method here is similar.
IIS Manager on Windows Server 2016 (and the IIS 7+ line generally) has its own [Server Certificates] feature. For a plain HTTPS site it is no longer necessary to install and configure Active Directory Certificate Services: from IIS Manager you can create a self-signed certificate, complete a request issued by a certificate authority (CA), and bind the result to a site.
1. IIS preparation
The IIS role and the certificate role can be installed in one pass; this article separates them to keep the two steps distinct.
For installing IIS, refer to the IIS components section of "PHP Development Log ━━ IIS7 installation: how PHP 8.0 and multiple PHP versions coexist on one server".
This article still installs the certificate services the old way. If you do not want to manage a CA at all, skip straight to "3. IIS configuration certificate".
2. Certificate preparation
1. Open Server Manager and click [Add Roles and Features].
2. Click [Next] through the following pages, keeping the defaults.
3. Under server roles, tick [Active Directory Certificate Services], click [Add Features] in the dialog that pops up, and continue with [Next].
4. Decide whether you need [Certification Authority Web Enrollment].
We only want a CA so that IIS can serve HTTPS; nothing will enroll over the web, so it stays unticked.
If you do tick it, a further [Add Features] dialog appears for its dependencies (it needs IIS features of its own).
5. Continue clicking [Next] through the remaining pages, keeping the defaults.
6. Click [Install] and wait for the installation to finish.
If [Certification Authority Web Enrollment] was selected, the additional items shown in the figure are installed as well.
7. Back in Server Manager, click the notification flag in the top right, choose [Configure Active Directory Certificate Services on the destination server], then click [Next].
8. Under role services, tick [Certification Authority], plus [Certification Authority Web Enrollment] if you installed it, then keep clicking [Next] with the defaults.
9. The article sets the certificate validity period to 50 years; continue with [Next] until the configuration completes.
The wizard's default is 5 years. A 50-year root is convenient in a lab because it will never expire on you, but it also means the CA's private key has to stay protected for that long; outside a test box, keep the default.
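As an added example (not the author's steps and not Microsoft's documentation), here is the same role installation and CA configuration done from an elevated PowerShell prompt. It assumes a standalone, non-domain server and the CA name 'Lab-Root-CA'; both are assumptions, and Web Enrollment is left optional as in the article.

```powershell
# Added example, not the article's own steps. Assumptions: standalone (non-domain)
# server, CA common name 'Lab-Root-CA', run from an elevated PowerShell session.
$withWebEnrollment = $false   # the article leaves Web Enrollment unticked

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
if ($withWebEnrollment) { Install-WindowsFeature ADCS-Web-Enrollment }

# The wizard default is 5 years; the article uses 50. A root that long-lived is fine
# for a throwaway lab, but its private key then has to stay protected for 50 years.
$validityYears = 50

Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Lab-Root-CA' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits $validityYears `
    -Force

if ($withWebEnrollment) { Install-AdcsWebEnrollment -Force }

# Check: the CA service is running and its root certificate landed in the Local Computer
# Personal store, which is why IIS Manager later lists it under Server Certificates.
Get-Service CertSvc
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Lab-Root-CA*' } |
    Format-List Subject, NotAfter, Thumbprint
```

Run it once; Install-AdcsCertificationAuthority refuses to run again on a server that already has a CA configured unless you tear that CA down first.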
3. IIS configuration certificate
1. In IIS Manager, select the server node and open [Server Certificates].
2. Choose [Create Self-Signed Certificate].
If AD CS was configured in the previous section, the CA's 50-year certificate already appears in this list. It shows up because the CA keeps it in the Local Computer Personal store together with its private key; it is the CA certificate, not a server certificate, so still create a separate one for the site.
3. Give the certificate a friendly name.
The "certificate store" choice (Personal or Web Hosting) is simply which Local Computer store the certificate is placed in; think of it as a category. Personal is fine for a handful of sites.
4. Click OK; the SSL certificate is generated.
5. Open the website's [Bindings].
6. Click [Add] to add a binding for the SSL certificate.
7. Set the type to https, select the SSL certificate, and click OK.
8. The https binding now exists.
4. Browser test
1. Open https://127.0.0.1 in a browser. The browser warns that the certificate is not trusted, because nothing on the machine trusts a self-signed certificate; click through to continue to the site.
2. If the page opens, the binding works.
At the time of writing, a certificate of this kind opened only in Edge, IE and Firefox; Google Chrome reports that the site's address is wrong (NET::ERR_CERT_COMMON_NAME_INVALID). The cause is that since Chrome 58 the host name is matched only against the Subject Alternative Name extension, and the certificate produced by IIS Manager's [Create Self-Signed Certificate] carries a Common Name but no SAN. Note too that 127.0.0.1 only ever matches a certificate that lists that IP address as a SAN.
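As an added example (not the article's own steps), the following PowerShell does what sections 3 and 4 do by hand, but produces a certificate that Chrome accepts: New-SelfSignedCertificate writes a Subject Alternative Name, the script verifies the extension is present, binds the certificate to the site, and optionally trusts it on the test machine so the warning page disappears. The site name, the host names and the friendly name are assumptions; change them to yours.

```powershell
# Added example, not the article's own steps. Assumptions: site 'Default Web Site',
# host names below, WebAdministration module available (it ships with IIS).
Import-Module WebAdministration

$siteName = 'Default Web Site'                   # assumption
$dnsNames = @('www.example.test', 'localhost')   # assumption: names the browser will use

$cert = New-SelfSignedCertificate `
    -DnsName $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName 'iis-selfsigned-with-san' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Check the SAN extension really is there; a CN-only certificate is exactly what
# Chrome rejects with NET::ERR_CERT_COMMON_NAME_INVALID.
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if (-not $san) { throw 'certificate has no SAN; Chrome will not accept it' }
$san.Format($true)

# Add the https binding if the site has none, then attach the certificate to it.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Optional, test machine only: trust the certificate locally so the warning page goes away.
# Never push a self-signed server certificate into the Trusted Root store of anything
# but a lab box; every site presenting that key would then be trusted.
$tmp = Join-Path $env:TEMP 'selfsigned.cer'
Export-Certificate -Cert $cert -FilePath $tmp | Out-Null
Import-Certificate -FilePath $tmp -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $tmp

# Confirm the binding from the HTTP.sys side.
netsh http show sslcert ipport=0.0.0.0:443
```

Open https://www.example.test (after pointing it at the server in the hosts file) rather than https://127.0.0.1; the certificate only matches the names in $dnsNames. -KeyExportPolicy Exportable is what later allows the private key to be exported to a .pfx as in section 5.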
5. Export the certificate
So how do you export one of these self-signed certificates together with its private key?
1. Open the certificate console
Run => certlm.msc
The article originally used certmgr.msc, which on Windows Server 2016 opens the Current User store. IIS keeps its server certificates in the Local Computer store, so use certlm.msc (or mmc with the Certificates snap-in for the Computer account) instead.
2. Locate the certificate
It is under Personal > Certificates; look for the friendly name you gave it in IIS Manager.
3. Export the certificate
Right-click menu => All Tasks => Export
Next
Yes, export the private key
Select Personal Information Exchange (.pfx), including all certificates in the certification path if possible
Enter a password (it is the only thing protecting the private key inside the file, so make it a strong one)
Specify the folder and file name
Click Finish
Success: the .pfx file appears at the target location.
6. Convert to OpenSSL (PEM) files
1. Download and install OpenSSL
How to install OpenSSL is not covered here; see "Environment - Installing OpenSSL under Windows".
Download link: https://slproweb.com/products/Win32OpenSSL.html
A v3.1.0 copy is also available on CSDN: https://download.csdn.net/download/snans/87595254
Prefer the slproweb download; a re-upload on a file-sharing site is a third-party binary you cannot verify.
2. Open a command prompt and run the commands
Copy the .pfx file into a working directory and run the two openssl commands below in turn; each asks for the password you set when exporting.
For convenience I copied the .pfx straight into the bin folder under the OpenSSL installation directory, because that is where openssl.exe actually lives.
openssl pkcs12 -in 20230320ssl.pfx -out 20230320ssl.crt -nokeys
openssl pkcs12 -in 20230320ssl.pfx -out 20230320ssl.key -nocerts -nodes
3. Files generated
The first command writes the certificate(s) from the PFX as PEM into the .crt file (add -clcerts if you included the certification path on export and want only the site certificate); the second writes the private key as PEM, and -nodes leaves it unencrypted, so keep the .key file at least as tightly permissioned as the PFX. If OpenSSL 3.x answers "unsupported" when reading the PFX, the export used the older RC2/3DES encryption; add -legacy to both pkcs12 commands.
Call it a day. For the reverse operation (crt + key back to pfx), see: How to convert a crt certificate to pfx format (a very good reference).
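As an added example covering sections 5 and 6 together (not the article's own steps), the script below exports the certificate from the Local Computer store with Export-PfxCertificate, splits it with the same two openssl pkcs12 commands, falls back to -legacy if OpenSSL 3.x refuses the Windows encryption, checks that the extracted key and certificate actually belong together, and locks down the unencrypted key file. The friendly name, the working directory and openssl.exe being on PATH are assumptions.

```powershell
# Added example, not the article's own steps. Assumptions: the certificate was created
# with friendly name 'iis-selfsigned-with-san' in Cert:\LocalMachine\My with an exportable
# key, openssl.exe is on PATH, and C:\certs is a writable working directory.
$friendlyName = 'iis-selfsigned-with-san'
$workDir      = 'C:\certs'
$pfxPath      = Join-Path $workDir 'site.pfx'
$crtPath      = Join-Path $workDir 'site.crt'
$keyPath      = Join-Path $workDir 'site.key'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "no certificate with friendly name '$friendlyName' and a private key" }

# Export with the private key. The password is all that protects the PFX, so use a real one.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# openssl needs the password in clear text; pass it through an environment variable
# (-passin env:...) rather than on the command line, where other processes could read it.
$env:PFXPASS = [System.Net.NetworkCredential]::new('', $pfxPassword).Password

function Invoke-Pkcs12 {
    param([string[]]$ExtraArgs)
    & openssl pkcs12 -in $pfxPath -passin env:PFXPASS @ExtraArgs
    if ($LASTEXITCODE -ne 0) {
        # OpenSSL 3.x refuses the RC2/3DES encryption older Windows exports use
        # unless the legacy provider is loaded; retry with -legacy.
        & openssl pkcs12 -legacy -in $pfxPath -passin env:PFXPASS @ExtraArgs
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed: $ExtraArgs" }
    }
}

Invoke-Pkcs12 @('-clcerts', '-nokeys', '-out', $crtPath)   # site certificate only, PEM
Invoke-Pkcs12 @('-nocerts', '-nodes',  '-out', $keyPath)   # private key, unencrypted PEM
Remove-Item Env:\PFXPASS

# Check that the extracted key and certificate belong together before shipping them anywhere.
$certModulus = & openssl x509 -noout -modulus -in $crtPath
$keyModulus  = & openssl rsa  -noout -modulus -in $keyPath
if ($certModulus -ne $keyModulus) { throw 'certificate and key do not match' }

# -nodes leaves the key in clear text: restrict the file to Administrators and SYSTEM,
# and remove the PFX so there is not a second copy of the key lying around.
& icacls $keyPath /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
Remove-Item $pfxPath
"certificate: $crtPath"
"private key: $keyPath"
```

The modulus comparison assumes an RSA key, which is what both IIS Manager and New-SelfSignedCertificate produce by default; for an ECDSA key compare the output of openssl pkey -pubout against openssl x509 -pubkey instead.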
Other references:
Create an OpenSSL self-signed certificate under Windows and convert existing Windows certificate pfx files into key and crt files
Windows Server 2016 operating system to build a self-signed CA certificate server (Microsoft Active Directory Certificate Services)