IIS 6.0 + OpenSSL (prebuilt binaries) + Windows 2003: configuration

I. Preparation
1. Add the Windows 2003 components
Add IIS: tick "Application Server", then double-click it and tick "IIS" and "ASP.NET".
Add the certificate system: tick "Certificate Services".
Fill in whatever the component wizard asks for, then click Next until it finishes.
2. Unzip OpenSSL (the prebuilt binaries, sometimes called the "compiled" build) to D:\; any drive will do.
 
II. Obtain the IIS certificate request
Once the IIS site is set up, on the "Directory Security" tab click "Server Certificate", then Next, "Create a new certificate", "Prepare the request now, but send it later", Next; enter the Name, the Organization and Organizational Unit, the Common Name (the host name or IP address clients will use to reach the site), choose the Country and enter the State/Province and City/Locality, then Next, Next, Next, Finish. The IIS certificate request is now at C:\certreq.txt. Write down exactly what you entered: the default policy in openssl.cnf (policy_match) requires the Country, State and Organization of a request to equal those of the CA certificate, and `openssl ca` refuses to sign when they differ.
 
III. Working with OpenSSL
(Run the commands below from cmd in d:\openssl-0.9.7\out32dll. Note the openssl.cnf file: every command that follows takes its settings from it through the -config switch.)
1. Generate the self-signed root certificate
openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 3650 -config d:\openssl-0.9.7\apps\openssl.cnf
PEM pass phrase: the root CA key passphrase. It protects the private key that signs every other certificate here, so choose it carefully.
Country Name: CN // two-letter country code
State or Province Name: guang dong // province
Locality Name: guang zhou // city
Organization Name: sunrising // company
Organizational Unit Name: home // department
Common Name: besunny // a name for the CA (for a server certificate this must be the domain name or IP address clients connect to)
Email Address: your e-mail address
(rsa:1024 is what this setup used. 1024-bit RSA keys and the MD5/SHA-1 signatures this OpenSSL version produces by default are rejected by current browsers; use at least rsa:2048 and, with OpenSSL 0.9.8 or later, -sha256.)
2. Copy cakey.pem to \demoCA\private and cacert.pem to out32dll\demoCA
copy cakey.pem demoCA\private
copy cacert.pem demoCA
Note: at this point you have three files: cakey.pem, the CA private key; cacert.pem, the CA's self-signed root certificate; and certreq.txt, the IIS certificate request. The copy is not optional: demoCA is where the default openssl.cnf tells `openssl ca` to find the CA key and certificate, its serial file and its index.txt database. If demoCA does not already exist, create demoCA\private and demoCA\newcerts, an empty demoCA\index.txt, and a demoCA\serial file containing 01 before running the next step.
3. Use the CA certificate cacert.pem to sign the IIS request certreq.txt, producing server.pem
openssl ca -in c:\certreq.txt -out server.pem -config d:\openssl-0.9.7\apps\openssl.cnf
You are asked for the CA key passphrase, then to confirm the signature and to commit the database entry; answer y to both.
4. Strip server.pem down to the bare X.509 certificate
openssl x509 -in server.pem -out server.cer
Note: `openssl ca` writes a human-readable dump of the certificate ahead of the PEM block in server.pem; the x509 command rewrites it as a clean PEM certificate, server.cer, which is what IIS expects. You now have two new files, server.pem and server.cer. Copy server.cer from out32dll to C:\.
5. Import the generated certificate server.cer into IIS
Open IIS, right-click "Default Web Site" and choose "Properties"; on the "Directory Security" tab click "Server Certificate", Next, select "Process the pending request and install the certificate", Next. Normally the text box already shows c:\server.cer; if not, click "Browse" to locate it, then Next, Next, Finish. Back on the "Directory Security" tab, click "Edit" under "Secure communications", tick "Require secure channel (SSL)", tick "Require 128-bit encryption", select "Require client certificates" and click OK.
Caveat: "Require client certificates" on its own accepts any client certificate that chains to any CA in the server's Trusted Root store, not only the CA built here. To restrict logons to certificates issued by your own CA, also enable a certificate trust list or client certificate mapping in the same dialog.
6. Generate the client certificate request
openssl req -newkey rsa:1024 -keyout clikey.pem -out clireq.pem -days 365 -config d:\openssl-0.9.7\apps\openssl.cnf
Fill in the certificate fields yourself; Country, State and Organization must match the root certificate because the default policy in openssl.cnf (policy_match) requires it. This command only produces a request: -days is ignored without -x509, and the validity period is set by `openssl ca` in the next step.
7. Have the CA sign the client certificate
openssl ca -in clireq.pem -out client.crt -config d:\openssl-0.9.7\apps\openssl.cnf
8. Convert the client certificate and its key to PKCS#12 format
openssl pkcs12 -export -clcerts -in client.crt -inkey clikey.pem -out client.p12
(The pkcs12 command takes no -config switch; compare the session log at the end of this page. You are prompted for the clikey.pem passphrase and then for an export password, which is the password the client will need when importing client.p12.)
9. Install the trusted root certificate
Rename cacert.pem to cacert.cer, double-click cacert.cer to open the certificate window, click "Install Certificate", then Next.
Note, the next part is the critical one:
Select "Place all certificates in the following store" and click "Browse".
Tick "Show physical stores", expand "Trusted Root Certification Authorities", select its "Local Computer" child, click OK, then Next, Finish, Yes. The root certificate is installed.
The "Local Computer" store matters because IIS runs as a service: SChannel validates client certificates against the machine-wide Trusted Root store, not against the store of whichever user happens to be logged on. To check, open the Certificates MMC snap-in for the Computer account and confirm the CA appears under Trusted Root Certification Authorities.
"client.crt" can be installed with the same steps, but it does not belong under Trusted Root Certification Authorities: it is a leaf certificate, not a CA, and the client receives it together with its private key from client.p12 in step 10.
10. Install the client certificate
Copy client.p12 to the client computer and double-click it: Next, Next, enter the client certificate's export password and Next, Next, Finish, OK. The client certificate is now installed.
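The same procedure as steps 1 through 8 above (root CA, signed server certificate, signed client certificate, PKCS#12 export), as an added non-interactive example that is not from the original post. It is written for a POSIX shell with a current OpenSSL rather than the Windows cmd session on this page; the working directory, the minimal openssl.cnf it writes, the passphrases and the subject names are all constructed for the example, and the server request is generated locally with openssl req because IIS's certreq.txt is not available. It also adds the check the tutorial lacks: `openssl verify` confirms that each issued certificate chains to the root, and the same check against the wrong root is shown to fail, which is the symptom the author describes at the end of the page.

```shell
#!/bin/sh
# Added example (not from the original post): the tutorial's CA workflow
# automated with `openssl ca`. Paths, passphrases and subjects below are
# constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"         # assumed working directory
CA_PASS="${CA_PASS:-ca-pass}"        # root CA key passphrase (constructed)
KEY_PASS="${KEY_PASS:-key-pass}"     # leaf key passphrase (constructed)
CLIENT_PASS="${CLIENT_PASS:-p12-pass}" # PKCS#12 export password (constructed)
KEY_BITS=2048                        # the page uses 1024; too weak today

# Steps 1 and 2: the demoCA layout `openssl ca` needs, a minimal openssl.cnf,
# and the self-signed root written straight into demoCA.
make_ca() {
    mkdir -p "$WORK/demoCA/private" "$WORK/demoCA/newcerts"
    : > "$WORK/demoCA/index.txt"      # empty certificate database
    echo 1000 > "$WORK/demoCA/serial" # next serial number (hex)
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $WORK/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert

# Same rule as the stock openssl.cnf: C, ST and O must equal the CA's, which
# is why the tutorial tells you to note what you typed into IIS.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
localityName           = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey "rsa:$KEY_BITS" -sha256 -days 3650 \
        -subj "/C=CN/ST=Beijing/O=ZZNODE/OU=DI/CN=Example Root CA" \
        -passout "pass:$CA_PASS" -config "$WORK/openssl.cnf" \
        -keyout "$WORK/demoCA/private/cakey.pem" -out "$WORK/demoCA/cacert.pem"
}

# Section II equivalent: a PKCS#10 request (IIS writes certreq.txt for the
# server; here both requests come from openssl req).
make_request() {   # $1 basename, $2 subject, $3 key passphrase
    openssl req -new -newkey "rsa:$KEY_BITS" -sha256 -subj "$2" \
        -passout "pass:$3" -config "$WORK/openssl.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr"
}

# Steps 3/7 and 4: sign with the CA, then strip the text dump that
# `openssl ca` prepends so only the PEM certificate remains.
sign_request() {   # $1 basename
    openssl ca -batch -config "$WORK/openssl.cnf" -passin "pass:$CA_PASS" \
        -in "$WORK/$1.csr" -out "$WORK/$1.pem"
    openssl x509 -in "$WORK/$1.pem" -out "$WORK/$1.cer"
}

# Step 8: bundle certificate and key for import on the client.
export_p12() {     # $1 basename, $2 key passphrase, $3 export password
    openssl pkcs12 -export -clcerts -in "$WORK/$1.cer" -inkey "$WORK/$1.key" \
        -passin "pass:$2" -passout "pass:$3" -out "$WORK/$1.p12"
}

# The check the tutorial omits: does the issued certificate chain to $2?
chains_to() {      # $1 certificate basename, $2 trust anchor file
    openssl verify -CAfile "$2" "$WORK/$1.cer" >/dev/null 2>&1
}

cert_cn() {        # $1 basename -> CN from the subject
    openssl x509 -in "$WORK/$1.cer" -noout -subject | sed 's/.*CN *= *//'
}

p12_cert_count() { # $1 basename, $2 export password -> number of certs inside
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

run_demo() {
    make_ca
    make_request server "/C=CN/ST=Beijing/L=Beijing/O=ZZNODE/OU=DI/CN=10.1.1.168" "$KEY_PASS"
    make_request client "/C=CN/ST=Beijing/L=Beijing/O=ZZNODE/OU=DI/CN=huangbl" "$KEY_PASS"
    sign_request server
    sign_request client
    export_p12 client "$KEY_PASS" "$CLIENT_PASS"
    chains_to server "$WORK/demoCA/cacert.pem" && echo "server.cer chains to the root CA"
    chains_to client "$WORK/demoCA/cacert.pem" && echo "client.cer chains to the root CA"
    # The author's symptom: checked against the wrong trust anchor, it fails.
    chains_to server "$WORK/client.cer" || echo "server.cer: no issuer found under the wrong root"
}

run_demo
```

Two things to keep in mind when reusing this: `openssl ca` refuses a second request with the same subject unless `unique_subject = no` is set in CA_default, and an OpenSSL 3 `pkcs12 -export` uses AES and PBKDF2 by default, which Windows XP and 2003 cannot import; add `-legacy` there if the target is that old.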
 
Tip:
It is best to install cacert.cer on the local machine as a trusted root certificate. The one I set up is for internal network use, so the Common Name is simply the internal IP address, but it can of course be a domain name. Once cacert.cer is imported, the local computer treats https://your-address as a trusted site, the server recognizes the client's certificate directly, and you can log in.
If the cacert.cer root certificate is not imported, a security alert is shown instead; click "Yes" to continue, and the prompt to choose a client digital certificate will then appear.
 
Summary: there are plenty of tutorials like the one above online, and I am just passing on what I borrowed, heh. It really is not hard, but the problem I finally ran into was that the server did not recognize my machine's (that is, the client's) digital certificate. That had me completely stuck; I could not figure out what was going on, and the similar threads I found online had no answers either. It turned out the problem was in step 9, installing the trusted root certificate: I had installed the root certificate directly under "Trusted Root Certification Authorities", whereas the correct procedure is to tick "Show physical stores" and then store it under the "Local Computer" child of "Trusted Root Certification Authorities".
 
Below is a log of an example session.

Run: cmd
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Huangbl>d:
D:\>cd  open*7
D:\openssl-0.9.7>cd out*
Generating the server-side root certificate:
D:\openssl-0.9.7\out32dll> openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 3650 -config d:\openssl-0.9.7\apps\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........++++++
..++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZZNODE
Organizational Unit Name (eg, section) []:DI
Common Name (eg, YOUR name) []:10.1.1.168
Email Address []:[email protected]
D:\openssl-0.9.7\out32dll>copy cakey.pem demoCA\private
Overwrite demoCA\private\cakey.pem? (Yes/No/All): y
        1 file(s) copied.
D:\openssl-0.9.7\out32dll>copy cacert.pem demoCA
Overwrite demoCA\cacert.pem? (Yes/No/All): y
        1 file(s) copied.
D:\openssl-0.9.7\out32dll>openssl ca -in c:\certreq.txt -out server.pem
Using configuration from D:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 286 (0x11e)
        Validity
            Not Before: Jan 20 16:20:51 2006 GMT
            Not After : Jan 20 16:20:51 2007 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = ZZNODE
            organizationalUnitName    = DI
            commonName                = 10.1.1.168
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            52:4A:01:08:B0:DD:5D:B1:48:46:CB:62:6F:31:CA:4D:8A:DA:6C:2F
            X509v3 Authority Key Identifier:
            keyid:A6:4E:E1:7D:EC:BF:59:33:1D:16:30:3B:F3:4B:D4:C8:CC:B5:0E:75
Certificate is to be certified until Jan 20 16:20:51 2007 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
D:\openssl-0.9.7\out32dll> openssl x509 -in server.pem -out server.cer
Generating the client certificate:
D:\openssl-0.9.7\out32dll>openssl req -newkey rsa:1024 -keyout clikey.pem -out clireq.pem -days 365 -config d:\openssl-0.9.7\apps\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........................................................................++++++
.........................++++++
writing new private key to 'clikey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZZNODE
Organizational Unit Name (eg, section) []:DI
Common Name (eg, YOUR name) []:huangbl
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:ZZNODE
D:\openssl-0.9.7\out32dll>openssl ca -in clireq.pem -out client.crt
Using configuration from D:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 287 (0x11f)
        Validity
            Not Before: Jan 20 16:23:50 2006 GMT
            Not After : Jan 20 16:23:50 2007 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = ZZNODE
            organizationalUnitName    = DI
            commonName                = huangbl
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            95:F4:75:BE:3A:E0:DA:0C:76:49:0C:60:89:4F:64:58:AA:C7:18:F0
            X509v3 Authority Key Identifier:
            keyid:A6:4E:E1:7D:EC:BF:59:33:1D:16:30:3B:F3:4B:D4:C8:CC:B5:0E:75
Certificate is to be certified until Jan 20 16:23:50 2007 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
D:\openssl-0.9.7\out32dll>openssl pkcs12 -export -clcerts -in client.crt -inkey clikey.pem -out client.p12
Loading 'screen' into random state - done
Enter pass phrase for clikey.pem:
Enter Export Password:
Verifying - Enter Export Password:
D:\openssl-0.9.7\out32dll>copy cacert.pem cacert.cer
        1 file(s) copied.
D:\openssl-0.9.7\out32dll>
All the passwords above were "test"; there are several of them, so do not mix them up.