zoukankan      html  css  js  c++  java
  • How to Set Up SSL on IIS 7

    Introduction

    The steps for configuring Secure Sockets Layer (SSL) for a site are the same in IIS 7 and IIS 6.0, and include the following:

    • Get an appropriate certificate.
    • Create an HTTPS binding on a site.
    • Test by making a request to the site.
    • Optionally configure SSL options, that is, by making SSL a requirement.

    This document provides some basic information on SSL, then shows how to enable SSL in many several different ways:

    • Using IIS Manager.
    • Using the AppCmd.exe command line tool.
    • Programmatically through Microsoft.Web.Administration.
    • Using WMI scripts.

    SSL Configuration

    The implementation of SSL changed from IIS 6.0 to IIS 7. In IIS 6.0 on Windows Server 2003, all SSL configuration was stored in the IIS metabase, and encryption/decryption occured in User mode (requiring a lot of kernel/user mode transitions). In IIS 7, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections in IIS 7 than that experienced in IIS 6.0.

    Using SSL in kernel mode requires storing SSL binding information in two places. First, the binding is stored in %windir%\System32\inetsrv\config\applicationHost.config for your site. When the site starts, IIS 7 sends the binding to HTTP.sys, and HTTP.sys starts listening for requests on the specified IP:Port (this works for all bindings). Second, the SSL configuration associated with the binding is stored in the HTTP.sys configuration. Use the netsh command at a command prompt to view SSL binding configuration stored in HTTP.sys as in the following example:

    netsh http show sslcert

    When a client connects and initiates an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP:Port pair to which the client connected. The HTTP.sys SSL configuration must include a certificate hash and the name of the certificate store before the SSL negotiation will succeed.

    Troubleshooting Tip: If you're having trouble with an SSL binding, verify that the binding is configured in ApplicationHost.config, and that the HTTP.sys store contains a valid certificate hash and store name for the binding.

    Choosing a Certificate

    When choosing a certificate, consider the following: Do you want end users to be able to verify your server's identity with your certificate? If yes, then either create a certificate request and send that request to a known certificate authority (CA) such as VeriSign or GeoTrust, or obtain a certificate from an online CA in your intranet domain. There are three things that a browser usually verifies in a server certificate:

    1. That the current date and time is within the "Valid from" and "Valid to" date range on the certificate.
    2. That the certificate's "Common Name" (CN) matches the host header in the request. For example, if the client is making a request to http://www.contoso.com/, then the CN must also be http://www.contoso.com/.
    3. That the issuer of the certificate is a known and trusted CA.

    If one or more of these checks fails, the browser prompts the user with warnings. If you have an Internet site or an intranet site where your end users are not people you know personally, then you should always ensure that these three parameters are valid.

    Self-signed certificates are certificates created on your computer. They're useful in environments where it's not important for an end user to trust your server, such as a test environment.

    Using AppCmd

    You cannnot request or create a certificate by using AppCmd.exe. You also cannot use AppCmd.exe to create an SSL binding.

    Configure SSL Settings

    You can use AppCmd.exe to configure a site to accept only server HTTPS connections by modifying the sslFlags attribute in the Access section. For example, you can configure this setting for the "Default Web Site" in the ApplicationHost.config file (for example, commitPath:APPHOST) by using the following command:

    %windir%\system32\inetsrv>AppCmd set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:Ssl

    If successful, the following message is displayed:

    Applied configuration changes to section "system.webServer/security/access" for "MACHINE/WEBROOT/APPHOST/Default Web Site" at configuration commit path "MACHINE/WEBROOT/APPHOST"

    Note: To require 128-bit SSL, change the sslFlags value to Ssl128.

    The following example demonstrates how to view the <access/> section settings for the Default Web Site. The sslFlagsattribute has been set successfully.

    %windir%\system32\inetsrv>AppCmd list config "Default Web Site" -section:access

    Executing the command results in the following entry in the ApplicationHost.config file:

    <system.webServer>
      <security>
        <access flags="Script, Read" sslFlags="Ssl" />
      </security>
    </system.webServer>

    Using WMI

    You cannot request or create a certificate by using the WebAdministration WMI namespace.

    Create an SSL Binding

    The following script demonstrates how to create a new SSL binding and how to add the appropriate configuration for both HTTP.sys and IIS 7:

    Set oIIS = GetObject("winmgmts:root\WebAdministration")
    '''''''''''''''''''''''''''''''''''''''''''''
    ' CREATE SSL BINDING
    '''''''''''''''''''''''''''''''''''''''''''''
    
    oIIS.Get("SSLBinding").Create _ 
       "*", 443, "4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8", "MY"
    '''''''''''''''''''''''''''''''''''''''''''''
    ' ADD SSL BINDING TO SITE
    '''''''''''''''''''''''''''''''''''''''''''''
    
    
    Set oBinding = oIIS.Get("BindingElement").SpawnInstance_
    oBinding.BindingInformation = "*:443:"
    oBinding.Protocol = "https"
     
    
    Set oSite = oIIS.Get("Site.Name='Default Web Site'")
    arrBindings = oSite.Bindings
    
    ReDim Preserve arrBindings(UBound(arrBindings) + 1)
    Set arrBindings(UBound(arrBindings)) = oBinding
    
    oSite.Bindings = arrBindings
    Set oPath = oSite.Put_

    Note: The certificate hash and store must reference a real, functional certificate on your server. If the certificate hash and/or store name are bogus, an error is returned.

    Configure SSL Settings

    The following script demonstrates how to set SSL settings by using the IIS 7 WMI provider. You can find this value in the IIS_Schema.xml file.

    CONST SSL = 8
    Set oIIS = GetObject("winmgmts:root\WebAdministration")
    Set oSection = oIIS.Get( _
       "AccessSection.Path='MACHINE/WEBROOT/APPHOST',Location='Default Web Site'")
    oSection.SslFlags = oSection.SslFlags OR SSL
    oSection.Put_

    IIS Manager

    Obtain a Certificate

    Select the server node in the treeview and double-click the Server Certificates feature in the listview:
    image

    Click Create Self-Signed Certificate... in the Actions pane.
    image

    Enter a friendly name for the new certificate and click OK.

    Now you have a self-signed certificate.  The certificate is marked for "Server Authentication" use; that is, it uses as a server-side certificate for HTTP SSL encryption and for authenticating the identity of the server.

    Create an SSL Binding

    Select a site in the tree view and click Bindings... in the Actions pane.  This brings up the bindings editor that lets you create, edit, and delete bindings for your Web site. Click Add... to add your new SSL binding to the site.

    image

    The default settings for a new binding are set to HTTP on port 80.  Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list and then click OK.

    image

    Now you have a new SSL binding on your site and all that remains is to verify that it works.
    image

    Verify the SSL Binding

    In the Actions pane, under Browse Web Site, click the link associated with the binding you just created.
    image

    Internet Explorere (IE) 7 will display an error page because the self-signed certificate was issued by your computer, not by a trusted Certificate Authority (CA).  IE 7 will trust the certificate if you add it to the list of Trusted Root Certification Authorities in the certificates store it on the local computer, or in Group Policy for the domain.
    Click Continue to this website (not recommended).
    image

    Configure SSL Settings

    Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the tree view to go back to the site's home page. Double-click the SSL Settings feature in the middle pane.

    image

    Summary

    In this walkthrough, we successfully used the command-line tool AppCmd.exe, the scripting provider WMI, and IIS Manager to set up SSL on IIS 7.


    作者:Angelo Lee
    本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利.
  • 相关阅读:
    该伙伴事务管理器已经禁止了它对远程/网络事务的支持
    HDU 4883 TIANKENG’s restaurant (贪心)
    Android:创建可穿戴应用
    debian支持ll命令
    mongodb进阶一之高级查询
    Hadoop之——又一次格式化hdfs系统的方法
    J2EE的13个规范之(二) JDBC 及其使用
    2015欧冠决赛--脑力劳动结硕果
    运行计划之误区,为什么COST非常小,SQL却跑得非常慢?
    QVariant与自定义数据类型转换的方法
  • 原文地址:https://www.cnblogs.com/yefengmeander/p/2887654.html
Copyright © 2011-2022 走看看