Hardening security: Configuring SSL for IIS servers

The Internet is full of dangers, and many important applications are built on it. You do not want your bank account password to be intercepted by a sniffer on the wire, and an important way to avoid such problems is to encrypt the network transmission. Among the many encryption methods, SSL is a mature industry standard; it is widely used by e-commerce and electronic payment sites. In the next few articles we will show how to encrypt web server traffic with SSL on the Windows platform and on the Linux platform, and finally we will cover some questions about how SSL encryption works. In this article, we first show how to implement SSL protection on the Windows IIS platform.

The author uses a Windows Server 2003 (Windows 2003) system as the example to show how to apply the SSL security encryption mechanism on an IIS6 server.

Generating a Certificate Request File

To create a digital certificate for an IIS website, you must first generate a certificate request file for the website using the Web Server Certificate Wizard. Go to Control Panel → Administrative Tools → Internet Information Services (IIS) Manager, expand the "Web Sites" directory in the IIS Manager window, right-click the website that is to use SSL encryption, and select "Properties" from the pop-up menu. Then switch to the "Directory Security" tab (as shown) and click the "Server Certificate" button. In the "IIS Certificate Wizard" window, select the "Create a new certificate" option, click "Next", and select "Prepare the request now, but send it later". Give the certificate a name in the "Name" field and choose the key size in the "Bit length" drop-down list. Note that the bit length cannot be set too large, otherwise it will affect communication quality. Next, set the certificate's organization, organizational unit and geographic information, enter the domain name of the website in the site "Common name" field, and then specify where the certificate request file is to be saved. Here the author saves the certificate request text file as "d:\certreq.txt". This completes the generation of the certificate request file.


Directory Security tab of the IIS site

Applying for IIS Website Certificate


After the certificate request file is generated, you can start applying for the IIS website certificate. This process requires Certificate Services, which a default Windows 2003 installation does not include; it has to be added manually.

Install Certificate Services

Run "Add or Remove Programs" in the Control Panel and switch to the "Add/Remove Windows Components" page. In the "Windows Components Wizard" dialog box, select the "Certificate Services" option, then select the CA type; here I choose "Stand-alone root CA". Then give the CA server a name and set the validity period of the certificate (the default value of "5 years" is recommended). Finally, specify the location of the certificate database and the certificate database log, and the installation of Certificate Services is complete.

Installing Certificate Services

After Certificate Services is installed, you can start applying for the IIS website certificate. Run the Internet Explorer browser and type "http://localhost/CertSrv/default.asp" in the address bar. Click the "Request a certificate" link in the "Microsoft Certificate Services" welcome window, then click the "Advanced certificate request" link under the certificate request types, and in the "Advanced Certificate Request" window click the "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file ..." link. Copy the contents of the certificate request file into the "Saved Request" input box (the author's certificate request file is "d:\certreq.txt"), and finally click the "Submit" button.

Request certificate page

Submit application page

Issue IIS website certificate

Although the application for the IIS website certificate is now complete, the request is still pending and must be issued before the certificate can take effect. In Control Panel → Administrative Tools, run the Certification Authority program. Expand the tree in the left pane of "Certification Authority", select the "Pending Requests" folder, find the certificate you just requested in the right pane, right-click it, and select "All Tasks → Issue".

Certificate

Then click the "Issued Certificates" folder, open the certificate that was just issued, and switch to the "Details" tab in the "Certificate" dialog box. Click the "Copy to File" button to open the certificate export wizard. In the next step, specify the file name in the "File to export" field; here the author saves the certificate as "d:\cce.cer". Finally, click "Finish".

Import IIS Website Certificate

In the "Directory Security" tab of IIS Manager, click the "Server Certificate" button, and the "Pending Certificate Request" dialog box will appear. Select the "Process the pending request and install the certificate" option, click "Next", specify the location of the IIS website certificate file just exported, then specify the port used by SSL (the default "443" is recommended), and finally click the "Finish" button.

Configuring IIS Server

After the certificate has been imported, the IIS website still has not enabled SSL encryption; the IIS server must now be configured to require it.

Select the site directory that requires encrypted access (to encrypt the entire site, select the whole site), right-click to open its property page, and on the "Directory Security" tab click the "Edit" button in the "Secure communications" section. Select the "Require secure channel (SSL)" and "Require 128-bit encryption" options, and finally click the "OK" button. If you need advanced functions such as user certificate authentication, you can also choose to accept or require client certificates, and you can map specific certificates to Windows user accounts.

Setting the encryption attribute of the directory
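Once the steps above are done, it is worth verifying from a client machine that the site really behaves as configured. The following is an added example (not part of the original article): it checks the server certificate against the expected host name and validity dates, trusts only the exported root CA certificate (the stand-alone root CA created above is private, so clients must be given its certificate explicitly), and confirms that a plain HTTP request to the protected directory is refused with 403, which is how IIS answers when "Require secure channel (SSL)" is set. The host name, the CA file path and the path "/secure/" are assumed values.

```python
import ssl
import socket
import http.client
import time


def name_matches(pattern, host):
    """Match one certificate name against a host, allowing a single-label wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def audit_cert(cert, host, now=None):
    """Return findings for a getpeercert()-style dict; an empty list means the cert is OK."""
    findings = []
    now = time.time() if now is None else now
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # certificates from the IIS6 wizard carry only a common name
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, host) for n in names):
        findings.append("host %s is not among certificate names %s" % (host, names))
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate expired on " + cert["notAfter"])
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append("certificate not valid before " + cert["notBefore"])
    return findings


def plain_http_blocked(status):
    """IIS answers a non-SSL request to a 'Require secure channel' directory with 403."""
    return status == 403


def check_site(host, ca_file, path="/secure/"):
    """Live check (assumed host/CA file): verified TLS handshake, then a plain HTTP probe."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the private root CA
    with socket.create_connection((host, 443)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            findings = audit_cert(tls.getpeercert(), host)
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path)
    status = conn.getresponse().status
    conn.close()
    if not plain_http_blocked(status):
        findings.append("plain HTTP to %s returned %d, so SSL is not required there" % (path, status))
    return findings


if __name__ == "__main__":
    print(check_site("www.example.test", r"d:\cce.cer") or ["site OK"])
```

Because the context enables host name checking, a name mismatch aborts the handshake with an exception before audit_cert runs; the function is kept separate so it can also be run over a stored certificate dictionary.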

About SSL security encryption mechanism

SSL (Secure Sockets Layer) is a secure communication protocol developed by Netscape. It sits between the HTTP protocol layer and the TCP protocol layer and provides strong protection for credit card and personal information. SSL establishes an encrypted channel between the client and the server so that the transmitted data cannot be read by an eavesdropper. The SSL security mechanism is implemented using digital certificates.

After the SSL encryption mechanism is applied, data communication with the IIS server proceeds as follows. First, the client establishes a connection with the IIS server, and IIS sends its digital certificate, which contains its public key, to the client. The client then uses this public key to encrypt a session key and sends it to the IIS server, which decrypts it with its private key. At this point a secure data channel exists between the client and the IIS server, and clients permitted by the IIS server can communicate with it over that channel.

Copyright © Windows knowledge All Rights Reserved