Thursday, December 18, 2008

Setting up the HTTPS service on IIS 6.0

To exchange information between client computers and a server over a secure communication channel, you must enable Secure Sockets Layer (SSL). This article explains how to set up the SSL / HTTPS service on Internet Information Services (IIS) 6.0.

1. Generate a certificate request on the IIS web server
On the [Directory Security] tab click the [Server Certificate] button, then [Next], [Create a new certificate], [Prepare the request now, but send it later], [Next]; enter a [Name]; enter the [Organization] and [Organizational unit]; enter the [Common name]; choose the [Country/Region] and enter the [State/province] and [City/locality], then [Next], [Next], [Next], [Finish]. Finally, save the request as C:\certreq.txt.

2. Prepare the OpenSSL working environment
Install OpenSSL v0.9.8i (the compiled Win32 build) on the system. Under its bin directory create a demoCA directory; under demoCA create the private and newcerts directories and an empty index.txt file. If there is no serial file, download the OpenSSL source archive from the OpenSSL website, extract it, and copy the serial file from apps\demoCA. Both directories and both files go into the newly created demoCA.

3. Use OpenSSL to create the private certificate authority's private key and certificate

C:\OpenSSL\bin>openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 3650 -config openssl.cfg
WARNING: can't open config file: openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...............++++++
..++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:TAIWAN
Locality Name (eg, city) []:TAIPEI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY
Organizational Unit Name (eg, section) []:UNIT
Common Name (eg, YOUR name) []:NAME
Email Address []:email@hinet.net

This produces two files: the CA private key (cakey.pem) and the CA certificate (cacert.pem). Copy cakey.pem into the \demoCA\private directory and cacert.pem into the \demoCA directory.

4. Use the CA certificate (cacert.pem) to sign the IIS certificate request (certreq.txt) and issue a certificate

C:\OpenSSL\bin>openssl ca -in certreq.txt -out server.pem -config openssl.cfg
WARNING: can't open config file: openssl.cnf
Using configuration from openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 286 (0x11e)
Validity
Not Before: Dec 9 05:24:00 2008 GMT
Not After : Dec 9 05:24:00 2009 GMT
Subject:
countryName = TW
stateOrProvinceName = TAIWAN
organizationName = COMPANY
organizationalUnitName = UNIT
commonName = NAME
emailAddress = email@hinet.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
94:C0:17:C7:CC:5B:9F:E7:80:08:CF:7B:38:F7:65:3D:EF:8F:41:13
X509v3 Authority Key Identifier:
keyid:5C:E3:71:BC:C1:22:87:24:58:E4:D0:07:65:3C:5B:39:B5:63:0C:23

Certificate is to be certified until Dec 9 05:24:00 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\OpenSSL\bin>

5. Convert the server.pem just produced into X.509 format

openssl x509 -in server.pem -out server.cer

Then move server.cer to the root of the C: drive (C:\server.cer).

6. Install the certificate (server.cer) in IIS
Right-click the website that has the pending certificate request, click [Properties], click the [Directory Security] tab, click the [Server Certificate] button, click [Next], select [Process the pending request and install the certificate], click [Next], enter the path and file name of the certificate file returned by the CA, i.e. the certificate on the C: drive (C:\server.cer), click [Next], enter the SSL port the website will use (the default 443 is fine), [Next], [Finish], [OK].
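The OpenSSL part of the procedure (steps 2 to 5) as a POSIX shell script, added here as an example; it is not code from the post. It keeps the post's file names (demoCA, cakey.pem, cacert.pem, certreq.txt, server.pem, server.cer) but generates the certificate request with openssl instead of the IIS wizard so it runs end to end, writes the minimal openssl.cnf that the post gets from the Windows build's openssl.cfg, adds the SAN that current browsers require, and finishes with the verification step the post leaves out. The host name, subject values and passphrase are constructed placeholders.

```shell
# Added example, not code from the post: steps 2-5 as POSIX shell functions
# around the OpenSSL CLI. File names follow the post (demoCA, cakey.pem,
# cacert.pem, certreq.txt, server.pem, server.cer); the host name, subject
# values and passphrase are constructed for the example.
set -eu
# Placeholder passphrase so the run is unattended; a real CA takes it at the prompt.
: "${CA_PASS:=constructed-demo-passphrase}"

# Step 2: the directory layout "openssl ca" expects (the post builds it by hand).
init_ca_dir() {
    cadir=$1
    mkdir -p "$cadir/private" "$cadir/newcerts"
    chmod 700 "$cadir/private"
    : > "$cadir/index.txt"       # empty issued-certificate database
    echo 1000 > "$cadir/serial"  # next serial number, in hex
}

# The post relies on the openssl.cfg shipped with the Windows build; this is
# the minimal explicit equivalent. $1 = CA dir, $2 = server DNS name.
write_ca_config() {
    cadir=$1; host=$2
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $cadir
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_server
x509_extensions = server_cert
[ policy_server ]
commonName             = supplied
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_cert
[ req_dn ]
[ ca_cert ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Issued server certs: the post's config sets only CA:FALSE; modern clients
# also need a subjectAltName to match the host name against.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host
EOF
}

# Step 3: passphrase-protected CA key and self-signed CA certificate.
# The post uses rsa:1024, which is no longer acceptable; 2048 bits here.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -batch \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -passout "pass:$CA_PASS" -config "$1/openssl.cnf" \
        -subj "/C=TW/ST=TAIWAN/L=TAIPEI/O=COMPANY/OU=UNIT/CN=Demo Private CA"
}

# Stand-in for step 1: IIS makes the request on the server; openssl makes
# one here so the example runs end to end. $1 = CA dir, $2 = server DNS name.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -batch -config "$1/openssl.cnf" \
        -keyout "$1/server.key" -out "$1/certreq.txt" \
        -subj "/C=TW/O=COMPANY/OU=UNIT/CN=$2"
}

# Step 4: non-interactive form of the "Sign the certificate? [y/n]" session.
sign_csr() {
    openssl ca -batch -config "$1/openssl.cnf" -passin "pass:$CA_PASS" \
        -in "$1/certreq.txt" -out "$1/server.pem"
}

# Step 5: "openssl ca" prepends a text dump to server.pem; keep only the PEM
# certificate, which is what IIS accepts.
to_cer() {
    openssl x509 -in "$1/server.pem" -out "$1/server.cer"
}

# The check the post omits: chains to the CA and the name matches the host.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/server.cer" >/dev/null
}

# Run every step in a scratch directory and print the CA directory path.
build_demo() {
    host=${1:-iis6.example.test}
    cadir=$(mktemp -d)/demoCA
    { init_ca_dir "$cadir"; write_ca_config "$cadir" "$host"; make_ca "$cadir"
      make_csr "$cadir" "$host"; sign_csr "$cadir"; to_cer "$cadir"
      verify_server_cert "$cadir" "$host"; } >/dev/null
    echo "$cadir"
}
```

Two points worth knowing when comparing this with the post's sessions. The "WARNING: can't open config file: openssl.cnf" line there is harmless: the OpenSSL binary tries to load its compiled-in default config at startup, before the -config openssl.cfg argument is read, and the command then proceeds with the file you named. And the certificate the post issues carries only a commonName; browsers today ignore the CN and match the host name against subjectAltName only, which is why the config above stamps a SAN onto every issued certificate and why the final openssl verify -verify_hostname check is the one to run before installing server.cer in IIS.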
