How to Create a Self Signed Certificate in IIS 7.docx
- 文档编号:23258746
- 上传时间:2023-05-15
- 格式:DOCX
- 页数:5
- 大小:16.51KB
How to Create a Self Signed Certificate in IIS 7.docx
《How to Create a Self Signed Certificate in IIS 7.docx》由会员分享,可在线阅读,更多相关《How to Create a Self Signed Certificate in IIS 7.docx(5页珍藏版)》请在冰豆网上搜索。
HowtoCreateaSelfSignedCertificateinIIS7
HowtoCreateaSelfSignedCertificateinIIS7
HowtoCreateaSelfSignedCertificateinIIS7
SSLisanessentialpartofsecuringyourIIS7.0siteandcreatingaself-signedcertificateinIIS7ismucheasiertodothaninpreviousversionsofIIS.SSLcertificatesenabletheencryptionofalltrafficsenttoandfromyourIISwebsite,preventingothersfromviewingsensitiveinformation.Itusespublickeycryptographytoestablishasecureconnection.Thismeansthatanythingencryptedwithapublickey(theSSLcertificate)canonlybedecryptedwiththeprivatekeyandviceversa.
WhentoUseanIISSelfSignedCertificate
Neveruseaselfsignedcertificateonane-commercesiteoranysitethattransfersvaluablepersonalinformationlikecreditcards,socialsecuritynumbers,etc.
AnSSLcertificatehasmultiplepurposes:
distributingthepublickeyand,whensignedbyatrustedthird-party,verifyingtheidentityoftheserversoclientsknowtheyaren’tsendingtheirinformation(encryptedornot)tothewrongperson.Aselfsignedcertificateisacertificatethatissignedbyitselfratherthanatrustedthirdparty.Thismeansyoucan'tverifythatyouareconnectingtotherightserverbecauseanyattackercancreateaselfsignedcertificateandlaunchaman-in-the-middleattack.Becauseofthis,youshouldalmostneveruseaselfsignedcertificateonapublicIISserverthatrequiresanonymousvisitorstoconnecttoyoursite.However,selfsignedcertificatescanbeappropriateincertainsituations:
Selfsignedcertificatescanbeusedonanintranet.Whenclientsonlyhavetogothroughalocalintranettogettotheserver,thereisvirtuallynochanceofaman-in-the-middleattack.
SelfsignedcertificatescanbeusedonanIISdevelopmentserver.Thereisnoneedtospendextracashbuyingatrustedcertificatewhenyouarejustdevelopingortestinganapplication.
Selfsignedcertificatescanbeusedonpersonalsiteswithfewvisitors.Ifyouhaveasmallpersonalsitethattransfersnon-criticalinformation,thereisverylittleincentiveforsomeonetoattacktheconnection.
Justkeepinmindthatvisitorswillseeawarningintheirbrowsers(liketheonebelow)whenconnectingtoanIISsitethatusesaselfsignedcertificateuntilitispermanentlystoredintheircertificatestore.Neveruseaselfsignedcertificateonane-commercesiteoranysitethattransfersvaluablepersonalinformationlikecreditcards,socialsecuritynumbers,etc.
GenerateYourIISSelfSignedCertificate
NowyouknowwhentouseanIISselfsignedcertificateandwhennotto.Nowlet’screateone:
(Clickheretohideorshowtheimages)
ClickontheStartmenu,gotoAdministrativeTools,andclickonInternetInformationServices(IIS)Manager.
ClickonthenameoftheserverintheConnectionscolumnontheleft.Double-clickonServerCertificates.
IntheActionscolumnontheright,clickonCreateSelf-SignedCertificate...
EnteranyfriendlynameandthenclickOK.
YouwillnowhaveanIISSelfSignedCertificatevalidfor1yearlistedunderServerCertificates.Thecertificatecommonname(IssuedTo)istheservername.NowwejustneedtobindtheSelfsignedcertificatetotheIISsite.BindtheSelfSignedCertificate
IntheConnectionscolumnontheleft,expandthesitesfolderandclickonthewebsitethatyouwanttobindthecertificateto.ClickonBindings...intherightcolumn.
ClickontheAdd...button.
ChangetheTypetohttpsandthenselecttheSSLcertificatethatyoujustinstalled.ClickOK.
Youwillnowseethebindingforport443listed.ClickClose.
Nowlet'stesttheIISselfsignedcertificatebygoingtothesitewithhttpsinourbrowser(e.g.).Whenyoudo,youshouldseethefollowingwarningstatingthat"Thesecuritycertificatepresentedbythiswebsitewasissuedforadifferentwebsite'saddress"(anamemismatcherror).
ThisisdisplayedbecauseIISalwaysusestheserver'sname(inthiscaseWIN-PABODPHV6W3)asthecommonnamewhenitcreatesaselfsignedcertificate.Thistypicallydoesn'tmatchthehostnamethatyouusetoaccessthesiteinyourbrowser().FormanysituationswhereIISselfsignedcertificatesareused,thisisn'taproblem.Justclick"Continuetothiswebsite"eachtime.However,ifyouwanttocompletelygetridoftheerrormessages,you'llneedtofollowthenexttwostepsbelow.
GenerateaSelfSignedCertificatewiththeCorrectCommonName
Thisstepisonlyrequiredifyouwanttogetridofthewarningmessagedisplayedbecausethecommonnameontheselfsignedcertificatedoesn'tmatchthewebsite'shostname.Inordertoresolvethisproblem,we'llneedtocreatetheselfsignedcertificateusingthesamemethodthatisusedtocreateaselfsignedcertificateinIIS6.0(withSelfSSLinsteadofthroughIIS).
DownloadtheInternetInformationServices(IIS)6.0ResourceKitToolsandinstallSelfSSL1.0(ifyoudoaCustominstallyoucanuncheckeverythingexceptforSelfSSL).Onceitisinstalled,clickontheStartmenu,gotoIISResources,thenSelfSSL,andrunSelfSSL.
PasteinthefollowingcommandandreplacewiththehostnameofyourIISsite.Ifyoureceivetheerorr"Erroropeningmetabase:
0x80040154",justignoreit.Wewillbemanuallybindingthecertificatetothewebsite.
SelfSSL/N:
CN=/V:
1000
Afterthecommandisfinished,youwillhaveanIISselfsignedcertificatewiththecorrectcommonnamelistedintheServerCertificatessectionofIIS.NowfollowtheinstructionsabovetobindthecertificatetoyourIISwebsite.
AfteryouhaveboundthenewcertificatetoyourIISsite,visititwithhttpsinyourwebbrowserandyouwillencounteranothererror:
"Thesecuritycertificatepresentedbythiswebsitewasnotissuedbyatrustedcertificateauthority."(theSSLCertificateNotTrustederror)
Don'tworry;thisisthelasterrorwewillneedtofix.ThisisanormalerrorforselfsignedcertificatesbecausethecertificateissignedbyitselfinsteadofatrustedSSLprovider.Allvisitorstothesitewillseethaterrorunlesstheyimporttheself-signedcertificateintotheirTrustedRootCertificationAuthoritiesstore(ortheappropriateSSLcertificatestoreforthebrowsertheyareusing).YoucaneasilyaddtheIISselfsignedcertificatetothestoreontheserverbyfollowingthetheinstructionsbelow.IfyouneedtoimportthecertificateonanotherWindowsmachine,justfollowtheinstructionsonhowtoMoveorcopyanSSLcertificatefromaWindowsserver.
AddtheSelfSignedCertificatetoTrustedRootCertificateAuthorities
ClickontheStartmenuandclickRun.
TypeinmmcandclickOK.
ClickontheFilemenuandclickAdd/RemoveSnap-in...
Double-clickonCertificates.
ClickonComputerAccountandclickNext.
LeaveLocalComputerselectedandclickFinish.
ExpandtheCertificatesitemontheleftandexpandthePersonalfolder.ClickontheCertificatesfolderandright-clickontheselfsignedcertificatethatyoujustcreatedandselectCopy.
ExpandtheTrustedRootCertificationAuthoritiesfolderandclicktheCertificatesfolderunderneathit.Right-clickinthewhiteareabelowthecertificatesandclickPaste.
Nowyoucanvisityoursitewithhttpsinyourwebbrowserandyoushouldn'treceiveanyerrorsbecauseWindowswillnowautomaticallytrustyourIISselfsignedcertificate.FormoreinformationongeneratinganIISselfsignedcertificate,seethefollowinglinks:
InstallinganSSLCertificateinWindowsServer2008(IIS7.0)
Tip/Trick:
EnablingSSLonIIS7.0UsingSelf-SignedCertificates
IISSelfSignedCertificatesonIIS7–theEasyWayandtheMostEffectiveWay
OriginallypostedonSatOct23,2010PleaseenableJavaScripttoviewthe<ahref="rel="nofollow">commentspoweredbyDisqus.</a>
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- How to Create Self Signed Certificate in IIS
链接地址:https://www.bdocx.com/doc/23258746.html