Shulou(Shulou.com)06/02 Report--

IIS deploys PKI and Certificate Services

What is PKI

PKI (Public key Infrastructure) is a technology that ensures information security through the use of public key technology and digital signatures, and is responsible for verifying the identity of digital certificate holders.

The purpose of this experiment is to use SSL in the PKI protocol to add "S" to the web address "http". It is safer to browse the web, so you don't have to worry about the message being intercepted by an illegal third party.

II. Certification authority

Certificate authority, also known as Digital Certificate Certification Authority (Certficate Authority,CA), is not only an authoritative, trusted and impartial third-party organization in PKI applications, but also the basis of trust in electronic transactions. The main function of CA is to produce, distribute and manage the identity digital certificates required by all entities involved in online transactions.

III. Experimental requirements

Build a random web page and use HTTPS (secure Hypertext transfer Protocol) to establish a secure connection.

4. Experimental topology diagram

5. Experimental steps

1. After configuring the corresponding IP address, first configure the certificate authority CA (in practice, CA cannot be built by itself, it is necessary to apply for a certificate like an authoritative CA. )

Add the server role and select "Active Directory Certificate Services" (what you are doing here is a stand-alone CA. If you do enterprise CA, you need AD service)

1.2. issuing a certificate for WEB service needs to be checked with "Certificate Authority Web Registration"

No domain environment will be installed as a separate CA by default.

1.4), after all, select the default settings to complete the installation. (at this point, if the WEB service is not installed on the CA server, the WEB service is installed by default. Because you have to use a web page to apply for a certificate. )

2. Install and configure the web server

Install the WEB server, and choose the default for the later configuration.

2.2), create the root folder of a web page under disk C.

2.3) create a new notepad in the folder and type freely to save it. Change the name of the file to index.html

Open the IIS server.

2.5), right-click the website, and click add site. The name is random, and the physical path points to the folder you just created on disk C.

2.6), first stop the default site and start the newly created site.

2.7), log in with the client to see if you can access it.

3. The website has been built. Start adding S to the web page.

Open the web server IIS manager, and double-click Certificate Services.

3.2), click create Certificate request in the right pane.

3.3) since this is not a real web page, just fill in it casually without real information

3.4), the encryption service can be selected by default.

3.5), apply for a file name for the certificate, you can choose the desktop, any name, the text ending in ".txt" format. (this file does not need to be created in advance, it is created automatically. )

3.6) Open the file just now and copy all the contents in it.

Open a browser, enter the ip address of the CA (certificate server) server (or the computer name of the CA server), and add "/ certsrv"

Click add and add the address of the CA server.

3.9), choose to apply for a certificate.

3.10), and then select the advanced certificate application.

3.11), select the second item, use base64. . Certificate request.

3.12), copy in the pile of garbled codes that you just copied, and click submit.

3.13) shows that the certificate is pending. (if a stand-alone CA needs to issue a certificate manually, the enterprise CA will issue it automatically. )

At this time, go back to the CA server to issue the certificate.

3.15), select the pending application, right-click the certificate just applied for, select all tasks, and click issue.

3.16), go back to the WEB server, log in to the CA website in the browser and select to view the status of the pending certificate application.

3.17), select the saved application certificate.

3.18), you can see that the certificate has been issued, click the Base64 code to download the certificate.

3.19), select a path to save, here saved to the desktop.

Open the IIS Manager, enter the server certificate, and click finish Certificate Application.

3.21), select the certificate you just saved. Easy to remember the name. Whatever.

3.22), right-click the website name and select Edit binding.

Click add, select "https" for the type, and select "a" for the certificate you just added

3.24), double-click ssl Settings

3.25), check "require SSL" and click apply.

4. Verify it on the client.

Enter the website created on the web server, and enter https in front of it. "Security alarm" will pop up, and click OK.

4.2), and prompt the safety alarm. Continue to click "Yes" (because the certificate is not issued by an authoritative CA, it is a self-made CA, so it will not be trusted by the browser. But don't worry. )

4.3), successfully opened the web page, has successfully added "S" to the web page.

The experiment is over

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.