How to programmatically install SSL certificates for Internet Information Server (IIS)

Article ID: 313624

Important This article contains information about how to edit the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

SUMMARY


This step-by-step article describes how to programmatically create and then install Secure Sockets Layer (SSL) certificates for Internet Information Server (IIS). Although IIS version 4.0 and IIS version 5.0 each provide a user interface (UI) in which you can create and then install SSL server certificates, you can also complete the task programmatically.



Steps to create and then install SSL certificates

To programmatically create and then install an SSL certificate on an IIS server, follow these steps:
  1. Send a request to the certification authority to issue a server certificate. If you already have the certificate and have saved it in a file on the IIS server, do not send the request.
  2. Import the certificate into the appropriate certificate store.
  3. Configure IIS to use the certificate that you received in step 1.



Configure IIS to create and then install SSL certificates

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you edit the metabase incorrectly can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it. Follow these steps to configure IIS to create and then install SSL certificates:
  1. Use the Microsoft Windows Crypto API to obtain the Hash property of the certificate.
  2. Set the IIS metabase property SSLCertHash to the value of the hash.
  3. Set the IIS metabase property SSLStoreName to the store that you want to use.
See the following sections of this article for sample code that obtains a certificate hash and then writes the SSLCertHash property:
Code to obtain the hash of a server authentication certificate
Code to write the SSLCertHash property to the metabase



Steps to enable SSL on a specific Web site

After you perform the steps in the "Configure IIS to create and then install SSL certificates" section, you can enable SSL on a specific Web site or in a specific directory. To do this, enable the SSL option in the directory that you want to use. The following steps correspond to the steps outlined in the "Configure IIS to create and then install SSL certificates" section:
  1. When you call the CEnroll::createPKCS10() method, the certificate request is created. Set the usage to the following predefined value, szOID_PKIX_KP_SERVER_AUTH:
    #define szOID_PKIX_KP_SERVER_AUTH       "1.3.6.1.5.5.7.3.1"
  2. When you call the ICertRequest::Submit() method, the certificate request is sent to the certification authority.
  3. The certificate is retrieved from the certification authority and then installed in the appropriate store. The IIS Server Certificate Wizard looks only for certificates that it can use for server authentication in the local computer certificate store.




Steps to configure IIS

After you save the certificate to the store, configure IIS as follows:
  1. Use the CertGetCertificateContextProperty() function to obtain the value of the Hash property (the CERT_HASH_PROP_ID property). CertGetCertificateContextProperty() uses CryptHashCertificate() to compute the value of the CERT_HASH_PROP_ID property. If the hash value does not already exist, CertGetCertificateContextProperty() uses the SHA1 algorithm.
  2. Create a new binary metabase property, SSLCertHash, that corresponds to the Web site. Set SSLCertHash to the certificate hash that you obtained in step 1 of this section. The schema incorrectly identifies the SSLCertHash property as an expanded null-terminated string rather than as binary data, so you cannot use the IIS Admin Objects to import SSLCertHash. You can import this value only with the IIS Admin Base Object. To use SSLCertHash with the IIS Admin Base Object, use the decimal identifier 5506.
  3. Create a new string metabase property, SSLStoreName, for the corresponding Web site. Set SSLStoreName to the string value MY. You can set SSLStoreName either through the IIS Admin Objects (for example, in an ADSI script) or through the IIS Admin Base Object. To use SSLStoreName with the IIS Admin Base Object, use the decimal identifier 5511.
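The thumbprint that step 1 obtains through CERT_HASH_PROP_ID is the SHA1 digest of the certificate's DER encoding, and the value written to SSLCertHash in step 2 must be exactly those 20 bytes. The following C program is an added example, not code from this article or from Microsoft, that reproduces that computation without the Windows CryptoAPI: it hashes a constructed byte string standing in for a DER-encoded certificate, prints the result in the same hex form as the CryptoAPI sample later in this article, parses a thumbprint copied from the MMC display (spaces or colons between bytes) back into binary, and refuses any value that is not 20 bytes long, which is the check to run before writing SSLCertHash. The DER bytes, the function names and the sample hex strings are the example's own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define THUMBPRINT_LEN 20   /* SHA1 digest size: the length SSLCertHash must have */

static uint32_t rol32(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* SHA1 (FIPS 180-4) over one complete message: the digest CryptoAPI exposes as
   CERT_HASH_PROP_ID when computed over a certificate's DER bytes. */
void sha1(const uint8_t *msg, size_t len, uint8_t out[THUMBPRINT_LEN])
{
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    uint64_t bitlen = (uint64_t)len * 8;
    size_t padded = ((len + 8) / 64 + 1) * 64;  /* room for 0x80 and the 64-bit length */
    size_t i, j;

    for (i = 0; i < padded; i += 64) {
        uint8_t block[64];
        uint32_t w[80], a, b, c, d, e;
        for (j = 0; j < 64; j++) {              /* build each padded block on the fly */
            size_t p = i + j;
            if (p < len)               block[j] = msg[p];
            else if (p == len)         block[j] = 0x80;
            else if (p >= padded - 8)  block[j] = (uint8_t)(bitlen >> (8 * (padded - 1 - p)));
            else                       block[j] = 0;
        }
        for (j = 0; j < 16; j++)
            w[j] = ((uint32_t)block[4*j] << 24) | ((uint32_t)block[4*j+1] << 16) |
                   ((uint32_t)block[4*j+2] << 8) | block[4*j+3];
        for (j = 16; j < 80; j++)
            w[j] = rol32(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
        a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4];
        for (j = 0; j < 80; j++) {
            uint32_t f, k, t;
            if (j < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
            else if (j < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
            else if (j < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
            t = rol32(a, 5) + f + e + k + w[j];
            e = d; d = c; c = rol32(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    for (i = 0; i < 5; i++) {
        out[4*i] = (uint8_t)(h[i] >> 24);    out[4*i+1] = (uint8_t)(h[i] >> 16);
        out[4*i+2] = (uint8_t)(h[i] >> 8);   out[4*i+3] = (uint8_t)h[i];
    }
}

/* Render a thumbprint the way the CryptoAPI sample prints CERT_HASH_PROP_ID. */
void thumbprint_to_hex(const uint8_t tp[THUMBPRINT_LEN], char hex[2 * THUMBPRINT_LEN + 1])
{
    int i;
    for (i = 0; i < THUMBPRINT_LEN; i++) sprintf(hex + 2 * i, "%02X", tp[i]);
}

/* Hex SHA1 of a NUL-terminated string; handy when the input is text rather than DER. */
const char *sha1_hex_of_string(const char *s)
{
    static char hex[2 * THUMBPRINT_LEN + 1];
    uint8_t tp[THUMBPRINT_LEN];
    sha1((const uint8_t *)s, strlen(s), tp);
    thumbprint_to_hex(tp, hex);
    return hex;
}

/* Parse hex copied from the MMC thumbprint field (spaces or colons allowed) into
   the binary form SSLCertHash needs. Returns 1 only for exactly 20 bytes, so a
   truncated paste or a 19-byte placeholder array is refused. */
int hex_to_thumbprint(const char *hex, uint8_t out[THUMBPRINT_LEN])
{
    size_t n = 0;
    int have_hi = 0, hi = 0;
    for (; *hex; hex++) {
        unsigned char ch = (unsigned char)*hex;
        int v;
        if (ch == ' ' || ch == ':') continue;
        if (!isxdigit(ch)) return 0;
        v = isdigit(ch) ? ch - '0' : toupper(ch) - 'A' + 10;
        if (!have_hi) { hi = v; have_hi = 1; continue; }
        if (n == THUMBPRINT_LEN) return 0;
        out[n++] = (uint8_t)((hi << 4) | v);
        have_hi = 0;
    }
    return !have_hi && n == THUMBPRINT_LEN;
}

/* Check that a stored SSLCertHash value is the thumbprint of the given DER bytes. */
int ssl_cert_hash_matches(const uint8_t *stored, size_t stored_len,
                          const uint8_t *der, size_t der_len)
{
    uint8_t tp[THUMBPRINT_LEN];
    if (stored_len != THUMBPRINT_LEN) return 0;   /* wrong length can never match */
    sha1(der, der_len, tp);
    return memcmp(stored, tp, THUMBPRINT_LEN) == 0;
}

int main(void)
{
    /* Constructed stand-in for a DER-encoded certificate (not a real certificate). */
    static const uint8_t der[] = {0x30, 0x82, 0x01, 0x0A, 0x30, 0x81, 0xF5, 0xA0, 0x03, 0x02, 0x01, 0x02};
    uint8_t tp[THUMBPRINT_LEN], parsed[THUMBPRINT_LEN];
    char hex[2 * THUMBPRINT_LEN + 1];

    sha1(der, sizeof der, tp);
    thumbprint_to_hex(tp, hex);
    printf("CERT_HASH_PROP_ID BYTES [%s]\n", hex);
    printf("round trip ok: %d\n", hex_to_thumbprint(hex, parsed) &&
           ssl_cert_hash_matches(parsed, sizeof parsed, der, sizeof der));
    /* A 19-byte value, like a placeholder array, is rejected before it reaches the metabase. */
    printf("19-byte value accepted: %d\n",
           hex_to_thumbprint("24 C6 BA BB 81 76 05 C9 C3 97 6D 4D EB 85 8F 4F BF 38 FD", parsed));
    return 0;
}
```

On a real server the DER bytes come from pCert->pbCertEncoded (pCert->cbCertEncoded long) and the stored value from GetData on identifier 5506; the length check and the comparison are what matter, because a wrong-length or stale SSLCertHash silently leaves the site without a usable binding.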




Code to obtain the hash of a server authentication certificate

The following Microsoft C code sample shows how to obtain the Hash property of a server authentication certificate:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <wincrypt.h>

#pragma comment(lib, "crypt32.lib")

#define MY_TYPE  (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)

//--------------------------------------------------------------------
//    Define the name of the store where the needed certificate
//    can be found.

#define CERT_STORE_NAME  L"MY"

//--------------------------------------------------------------------
//   Declare local functions.
//   Local function definitions follow main.

void HandleError(char *s);

int main(void)
{
//--------------------------------------------------------------------
// Declare and initialize local variables.

//--------------------------------------------------------------------
// System store handle

HCERTSTORE hStoreHandle;

//--------------------------------------------------------------------
// Pointers to certificates. CertEnumCertificatesInStore frees the
// context passed as pPrevCert, so pCert is the only context this
// program owns at any time.

PCCERT_CONTEXT pCert;
PCCERT_CONTEXT pPrevCert;

LPBYTE pHash = NULL;
DWORD cbData, i;

//--------------------------------------------------------------------
// Open the local machine MY store, the store IIS reads server
// certificates from.

if ( !( hStoreHandle = CertOpenStore(
   CERT_STORE_PROV_SYSTEM,
   0,
   0,
   CERT_SYSTEM_STORE_LOCAL_MACHINE,
   CERT_STORE_NAME)))
{
     HandleError("The MY store could not be opened.");
}

pPrevCert = NULL;

for (; ((pCert = CertEnumCertificatesInStore(hStoreHandle, pPrevCert))
	                                         != NULL);
    pPrevCert = pCert)
{
    CERT_ENHKEY_USAGE *pKeyUsage;
    DWORD j;
    BOOL bFound = FALSE;
    char certName[1024];

    certName[0] = 0;
    if (CertNameToStr(MY_TYPE, &(pCert->pCertInfo->Subject),
        CERT_X500_NAME_STR,
        certName,
        sizeof(certName)))
    {
        printf("Checking %s certificate\n", certName);
    }

    // First call: ask for the size of the enhanced key usage data.
    cbData = 0;
    if (!CertGetEnhancedKeyUsage(pCert,
        0,
        NULL,
        &cbData) || cbData == 0)
    {
        if (GetLastError() == CRYPT_E_NOT_FOUND)
        {
            // No EKU extension or property: usable for every purpose.
            printf("%s certificate is for all key usages\n", certName);
            break;
        }
        printf("CertGetEnhancedKeyUsage failed with error code : %08lX\n",
            (unsigned long)GetLastError());
        continue;
    }
    pKeyUsage = (CERT_ENHKEY_USAGE *)
        HeapAlloc(GetProcessHeap(), 0, cbData);
    if (pKeyUsage == NULL)
    {
        printf("HeapAlloc failed with error code : %08lX\n",
            (unsigned long)GetLastError());
        HandleError("Certificate not found.");
    }
    // Second call: retrieve the usage identifiers (OID strings).
    if (!CertGetEnhancedKeyUsage(pCert,
        0,
        pKeyUsage,
        &cbData))
    {
        if (GetLastError() == CRYPT_E_NOT_FOUND)
        {
            printf("%s certificate is for all key usages\n", certName);
            HeapFree(GetProcessHeap(), 0, pKeyUsage);
            break;
        }
        else
        {
            printf("CertGetEnhancedKeyUsage failed with error code : %08lX\n",
                (unsigned long)GetLastError());
            HeapFree(GetProcessHeap(), 0, pKeyUsage);
            continue;
        }
    }

    if (pKeyUsage->cUsageIdentifier == 0)
    {
        printf("%s certificate is for all key usages\n", certName);
        HeapFree(GetProcessHeap(), 0, pKeyUsage);
        break;
    }

    // Look for the Server Authentication OID, 1.3.6.1.5.5.7.3.1.
    bFound = FALSE;
    for (j = 0; j < pKeyUsage->cUsageIdentifier; j++)
    {
        if (_stricmp(pKeyUsage->rgpszUsageIdentifier[j],
			        szOID_PKIX_KP_SERVER_AUTH) == 0)
        {
            printf("%s certificate is for Server Authentication\n",
				   certName);
            bFound = TRUE;
            break;
        }
    }

    HeapFree(GetProcessHeap(), 0, pKeyUsage);
    if (bFound)
        break;
}

if (pCert == NULL)
   HandleError("Certificate not found.");

// pPrevCert is not freed here: CertEnumCertificatesInStore already
// released it when it returned pCert, so freeing it again would be a
// double free.

/// CASE 2 Get the hash from the certificate
pHash = NULL;
cbData = 0;
// First call: ask for the size of the hash (20 bytes for SHA1).
CertGetCertificateContextProperty(pCert, CERT_HASH_PROP_ID, NULL, &cbData);
if (cbData == 0)
{
   HandleError("CertGetCertificateContextProperty 1 failed");
}

pHash = (LPBYTE)HeapAlloc(GetProcessHeap(), 0, cbData);
if (pHash == NULL)
{
   HandleError("HeapAlloc failed");
}
// Second call: retrieve the hash bytes themselves.
if (!CertGetCertificateContextProperty(pCert, CERT_HASH_PROP_ID, pHash,
	                                   &cbData))
{
   HandleError("CertGetCertificateContextProperty 2 failed");
}

printf("CERT_HASH_PROP_ID Length is %lu\n", (unsigned long)cbData);
printf("CERT_HASH_PROP_ID BYTES [");

for (i = 0; i < cbData; i++)
{
    printf("%02X", pHash[i]);
}
printf("]\n");

//--------------------------------------------------------------------
// Clean up and free memory.

if (pHash)
    HeapFree(GetProcessHeap(), 0, pHash);

if (pCert)
     CertFreeCertificateContext(pCert);
if (CertCloseStore(
      hStoreHandle,
      CERT_CLOSE_STORE_CHECK_FLAG))
{
    printf("The store closed and all certificates are freed. \n");
}
else
{
    printf("Store closed -- \n"
          "not all certificates, CRLs or CTLs were freed");
}
return 0;
} // End of main

//--------------------------------------------------------------------
//  This example uses the function HandleError, a simple error
//  handling function, to print an error message to the standard error
//  (stderr) file and exit the program.
//  For most applications, replace this function with one
//  that does more extensive error reporting.

void HandleError(char *s)
{
    fprintf(stderr,"An error occurred in running the program. \n");
    fprintf(stderr,"%s\n",s);
    fprintf(stderr, "Error number %lx.\n", (unsigned long)GetLastError());
    fprintf(stderr, "Program terminating. \n");
    exit(1);
} // End of HandleError




Code to write the SSLCertHash property to the metabase

The following code sample shows how to use the IIS Admin Base Object to set the SSLCertHash property in the metabase. The code uses an arbitrary binary array as the certificate hash; real code would use the hash value that you obtain when you run the code in the "Code to obtain the hash of a server authentication certificate" section. Depending on whether SETDATA is defined at compile time, you can either set SSLCertHash or, if you have already configured SSL for the Web site, retrieve the existing SSLCertHash; GetData returns the current CertHash:
#define UNICODE // Unicode must be defined for metabase access
#define INITGUID
#include <windows.h>
#include <stdio.h>

// Define SETDATA to build the program that writes SSLCertHash; leave it
// undefined to build the program that reads the existing value back.
#define SETDATA

#include <iadmw.h>    // COM interface header
#include <iiscnfg.h>  // MD_ & IIS_MD_ #defines

#pragma comment(lib, "ole32.lib")

// Usage: <program> <metabase path relative to /LM, for example W3SVC/1>
extern "C" int wmain (int argc, TCHAR ** argv)
{
	IMSAdminBase  *pIMeta = NULL;
	METADATA_HANDLE MyHandle = 0;
	BOOL bKeyOpen = FALSE;
    HRESULT hres;
   	METADATA_RECORD record = {0};
    TCHAR szError [2048];
	BYTE *myData = NULL;
    DWORD dwSize = 0;      // required size reported back by GetData
 	DWORD i;
	int exitCode = 1;

	// This is just a constructed sample thumbprint (19 bytes). A real
	// SHA1 thumbprint, as printed by the CryptoAPI sample, is 20 bytes.
	BYTE bar[]={0x24, 0xC6, 0xBA, 0xBB, 0x81, 0x76, 0x05, 0xC9, 0xC3,
		        0x97, 0x6D, 0x4D, 0xEB, 0x85, 0x8F, 0x4F, 0xBF, 0x38,
				0xFD};

	if (argc < 2)
	{
		printf ("Usage: %S <metabase path relative to /LM, e.g. W3SVC/1>\n", argv[0]);
		return 1;
	}

    CoInitialize (NULL);

    // get a pointer to the IIS Admin Base Object
	hres = CoCreateInstance(CLSID_MSAdminBase, NULL, CLSCTX_ALL,
			IID_IMSAdminBase, (void **) &pIMeta);
	if (FAILED(hres))
	{
	    wsprintf (szError, L"CoCreateInstance Failed. Error: %x\n", hres);
        printf ("%S\n", szError);
		CoUninitialize();
        return 1;
	}

    // open /LM for read and write with a 20 ms timeout; the caller's
    // path (for this test, the 1st server instance) is relative to it
    hres = pIMeta->OpenKey(METADATA_MASTER_ROOT_HANDLE, L"/LM",
		METADATA_PERMISSION_READ|METADATA_PERMISSION_WRITE, 20, &MyHandle);
	if (FAILED (hres) )
	{
		wsprintf (szError, L"OpenKey Failed. Error: %x\n", hres);
        printf ("%S\n", szError);
		goto clean;
	}
	bKeyOpen = TRUE;

	// SSLCertHash = 5506
	record.dwMDIdentifier =  5506;
    record.dwMDAttributes =METADATA_INHERIT;
    record.dwMDUserType=IIS_MD_UT_SERVER;
    record.dwMDDataType= BINARY_METADATA;
    record.pbMDData = myData;

#ifndef SETDATA
#pragma message ("Building for GetData\n")
	again:
    hres = pIMeta->GetData (MyHandle,argv[1], &record, &dwSize);
   	if (FAILED (hres) )
	{
		if (hres == MD_ERROR_DATA_NOT_FOUND)
		{
			printf ("%S\n", L"Data not found, no certificate is set!");
			goto clean;
		}
		else if (HRESULT_CODE(hres)==ERROR_INSUFFICIENT_BUFFER && myData == NULL)
		{
			// first call reported the required size: allocate and retry once
			record.dwMDDataLen=dwSize;
			myData = (LPBYTE)HeapAlloc(GetProcessHeap(), 0, dwSize);
			if (myData == NULL)
			{
				printf ("HeapAlloc failed\n");
				goto clean;
			}
			record.pbMDData  = myData;
		    goto again;
		}
		else
		{
			wsprintf (szError, L"GetData Failed. Error: %x\n", hres);
			printf ("%S\n", szError);
			goto clean;
		}
	}

	printf ("%S", L"Got thumbprint. You can compare"
		          L" it with the MMC for IIS value:\n");
	for ( i=0; i<record.dwMDDataLen; i++)
		printf ("%02X ", myData[i]);
	printf ("\n");
	exitCode = 0;
#else
#pragma message ("Building for SetData\n")

	record.pbMDData = bar;
	record.dwMDDataLen = sizeof(bar); // the size of the thumbprint buffer
	hres = pIMeta->SetData (MyHandle,argv[1], &record);
	if (FAILED (hres) )
	{
		printf ("Set data failed: 0x%x!\n", hres);
		goto clean;
	}
	printf ("New thumbprint is set\n");
	exitCode = 0;
#endif

clean:
	if (myData)
		HeapFree(GetProcessHeap(), 0, myData);
	if (bKeyOpen)
		pIMeta->CloseKey(MyHandle);
#ifdef SETDATA
	if (exitCode == 0)
		pIMeta->SaveData();  // flush the new value to disk
#endif
	pIMeta->Release();
	CoUninitialize();

	return exitCode;
}



REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
315588 How to secure an ASP.NET application by using client-side certificates

Properties

Article ID: 313624 - Last Review: August 27, 2011 - Revision: 2.0
Applies to
  • Microsoft Internet Information Services 5.0
Keywords:
kbcrypt kbapi kbhowtomaster kbsecurity kbisapiext kbhowto kbmt KB313624 KbMtvi
Machine translation
IMPORTANT: This article was translated by Microsoft machine translation software rather than by a human translator. Microsoft offers both human-translated and machine-translated articles so that you can access all articles in our Knowledge Base in your own language. However, machine-translated articles are not always perfect. They may contain vocabulary, syntax or grammar errors, much like a foreign speaker might make when speaking your language. Microsoft is not responsible for any inaccuracies, errors or damage caused by any mistranslation of the content or by customers' use of it. Microsoft also frequently updates its machine translation software.