IIS6.0 + openssl执行版 + Windows2003--配置篇

一、准备工作

1.windows2003添加组件

添加IIS：勾选“应用程序服务器”，然后双击进入下图，勾选“IIS”和“ASP.NET”

添加证书系统：勾选“证书服务”

添加组件的时候要求填写的就按照操作填上就行了，然后下一步，直到完成。

2.把openssl(执行版，有的叫编译后版)解压到d:下，当然哪个盘都可以。

 

二、获取IIS证书请求

架设好IIS网站后，在【目录安全性】选项卡中点击【服务器证书】按钮，【下一步】，【新建证书】，【现在准备证书请求－－下一步】，输入【名称】,输入【单位】和【部门】，输入【公用名称】，选择【国家】并输入【省】和【市县】并【下一步】，【下一步】，【下一步】，【完成】，IIS的证书请求已经获取，就是C:\certreq.txt。这里请牢记输入的信息。

 

三、开始操作openssl

（cmd –> d:\openssl-0.9.7\out32dll  下执行下面的操作，注意openssl.cnf文件，后面命令都是用它编译的）

1.生成自签名根证书

openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 3650 -config d:\openssl-0.9.7\apps\openssl.cnf

PEM pass phrase：根证书密码，当然很重要！
Country Name: CN //两个字母的国家代号
State or Province Name: guang dong //省份名称
Locality Name: guang zhou //城市名称
Organization Name: sunrising //公司名称
Organizational Unit Name: home //部门名称
Common Name: besunny //你的姓名(要是生成服务器端的证书一定要输入域名或者ip地址)
Email Address: Email地址

2.把cakey.pem 拷贝到\demoCA\private, 把cacert.pem拷贝到out32dll\demoCA

copy cakey.pem demoCA\private
copy cacert.pem demoCA

提醒：这时候，已经有cakey.pem:ca的私钥文件，cacert.pem:ca的自签名根证书，certreq.txt:IIS的证书请求文件，三个文件。

3.用CA证书cacert.pem为IIS请求certreq.txt签发证书server.pem
openssl ca -in certreq.txt -out server.pem -config d:\openssl-0.9.7\apps\openssl.cnf

4.把server.pem转换成x509格式
openssl x509 -in server.pem -out server.cer

提醒：这时候，你又得到了两个文件，一个是server.pem，一个是server.cer。现在把bin下的server.cer复制到c:下。

5.将生成的证书server.cer导入到IIS

打开IIS，在【默认网站】上单击右键【属性】，在【目录安全性】选项卡中点击【服务器证书】按钮，【下一步】，选择【处理挂起的请求并安装证书】并【下一步】，正常情况下，您已经看到了文本框中就是c:\server.cer，如果不是，自己点【浏览】按钮去找并【下一步】，【下一步】，【完成】。回到【目录安全性】选项卡在【安全通信】栏目中单击【编辑】按钮，勾上【要求安全通道(SSL)】，勾上【要求128位加密】，选择【要求客户端证书】，点击【确定】按钮。

6.生成客户端证书
openssl req -newkey rsa:1024 -keyout clikey.pem -out clireq.pem -days 365 -config d:\openssl-0.9.7\apps\openssl.cnf

证书信息自己填写，有些内容要与根证书一致。

7.CA签发客户端证书
openssl ca -in clireq.pem -out client.crt -config d:\openssl-0.9.7\apps\openssl.cnf

8.将客户端证书转换为pk12格式
openssl pkcs12 -export -clcerts -in client.crt -inkey clikey.pem -out client.p12 -config d:\openssl-0.9.7\apps\openssl.cnf

9.安装信任的根证书

把cacert.pem改名为cacert.cer，双击cacert.cer文件，打开证书信息窗口，单击【安装证书】按钮，【下一步】。

提醒，下面是最关键的：

选择【将所有的证书放入下列存储区】，点击【浏览】按钮

 

选择【受信任的根证书颁发机构】，勾选【物理存储区】，选择【受信任的根证书颁发机构】，点【本地计算机】，并点击【确定】，【下一步】，【完成】，【是】，根证书安装完毕！勾选【物理存储区”，选择“受信任的根证书颁发机构”，点“本地计算机”，然后点“确定”。

“clent.crt”的安装也是上面相同的步骤。

10.安装客户端证书

找到client.p12文件拷贝到本地计算机，然后双击，【下一步】，【下一步】，输入客户端证书的密码并【下一步】，【下一步】，【完成】，【确定】。到此，客户端的证书也已经安完毕。

 

提醒：

最好把cacert.cer文件作为受新人的根证书安装到本地。我架设的是提供给内网使用的，所以Common Name直接是内网IP，当然可以是域名，如果导入cacert.cer后，本地计算机就识别https://你的地址是可信任网站，直接由服务器就识别客户端的证书，然后就可以登陆了。

如果没有导入cacert.cer根证书，会提示下面的：

点“是”继续就可以了。然后还会弹出选择客户端数字证书的提示框。

 

总结，网上很多上面我写的教程，我拿来也是借花献佛，呵呵。其实不难，但是最后我碰到的问题是，服务器不识别我机器（就是客户端）的数字证书，如下图：

弄的我十分头痛，我实在琢磨不透这种情况，网上也找了很多类似的情况的帖子也没人解答，原来问题出在 9.安装信任的根证书，我直接把根证书安装到“受信任的根证书目录”下了，正确操作应该是勾选“物理存储区”，然后存储在“受信任的根证书目录”下面的“本地计算机”子目录下。

Technorati 标签: IIS,openssl,SSL

 

下面是一个操作例子日志记录

运行：cmd

Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Huangbl>d:

D:\>cd  open*7

D:\openssl-0.9.7>cd out*

下面是生成服务器端根证书的过程
D:\openssl-0.9.7\out32dll> openssl req -x509 -newkey rsa:1024 -keyout cakey.pem
-out cacert.pem -days 3650 -config d:\openssl-0.9.7\apps\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........++++++
..++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZZNODE
Organizational Unit Name (eg, section) []:DI
Common Name (eg, YOUR name) []:10.1.1.168
Email Address []:huangbili@263.net

D:\openssl-0.9.7\out32dll>copy cakey.pem demoCA\private
改写 demoCA\private\cakey.pem 吗? (Yes/No/All): y
已复制         1 个文件。

D:\openssl-0.9.7\out32dll>copy cacert.pem demoCA
改写 demoCA\cacert.pem 吗? (Yes/No/All): y
已复制         1 个文件。

D:\openssl-0.9.7\out32dll>openssl ca -in c:\certreq.txt -out server.pem
Using configuration from D:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 286 (0x11e)
        Validity
            Not Before: Jan 20 16:20:51 2006 GMT
            Not After : Jan 20 16:20:51 2007 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = ZZNODE
            organizationalUnitName    = DI
            commonName                = 10.1.1.168
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            52:4A:01:08:B0:DD:5D:B1:48:46:CB:62:6F:31:CA:4D:8A:DA:6C:2F
            X509v3 Authority Key Identifier:
            keyid:A6:4E:E1:7D:EC:BF:59:33:1D:16:30:3B:F3:4B:D4:C8:CC:B5:0E:75

Certificate is to be certified until Jan 20 16:20:51 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

D:\openssl-0.9.7\out32dll> openssl x509 -in server.pem -out server.cer

下面是生成客户端证书的过程：

D:\openssl-0.9.7\out32dll>openssl req -newkey rsa:1024 -keyout clikey.pem -out clireq.pem -days 365 -config d:\openssl-0.9.7\apps\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........................................................................++++++
.........................++++++
writing new private key to 'clikey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZZNODE
Organizational Unit Name (eg, section) []:DI
Common Name (eg, YOUR name) []:huangbl
Email Address []:huangbili@263.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:ZZNODE

D:\openssl-0.9.7\out32dll>openssl ca -in clireq.pem -out client.crt
Using configuration from D:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 287 (0x11f)
        Validity
            Not Before: Jan 20 16:23:50 2006 GMT
            Not After : Jan 20 16:23:50 2007 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = ZZNODE
            organizationalUnitName    = DI
            commonName                = huangbl
            emailAddress              = huangbili@263.net
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            95:F4:75:BE:3A:E0:DA:0C:76:49:0C:60:89:4F:64:58:AA:C7:18:F0
            X509v3 Authority Key Identifier:
            keyid:A6:4E:E1:7D:EC:BF:59:33:1D:16:30:3B:F3:4B:D4:C8:CC:B5:0E:75

Certificate is to be certified until Jan 20 16:23:50 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

D:\openssl-0.9.7\out32dll>openssl pkcs12 -export -clcerts -in client.crt -inkey clikey.pem -out client.p12
Loading 'screen' into random state - done
Enter pass phrase for clikey.pem:
Enter Export Password:
Verifying - Enter Export Password:

D:\openssl-0.9.7\out32dll>copy cacert.pem cacert.cer
已复制         1 个文件。

D:\openssl-0.9.7\out32dll>

上面密码我都用的是test，密码比较多，别记混了。