How to configure the intermediate certificates used by an IIS server (Microsoft KB954755)
2014-02-18 10:18
How to configure intermediate certificates on a computer that is running IIS for server authentication
Original article: http://support.microsoft.com/kb/954755
INTRODUCTION
When a client computer tries to establish server-authenticated Secure Sockets Layer (SSL) connections with an Internet Information Services (IIS) Web server, the server certificate chain is validated on the client computer. For this certificate validation to complete successfully, the intermediate certificates in the server certificate chain must be configured correctly on the server. If these certificates are configured incorrectly, the server authentication may fail. This also applies to any program that uses SSL/Transport Layer Security (TLS) for authentication.
Impact
Client computers cannot connect to the server that is running IIS. This occurs because the client computers cannot authenticate the servers that do not have intermediate certificates that are configured correctly.
Recommendation
Correctly configure the intermediate certificates on the server. For more information, see the "More information" section.
MORE INFORMATION
Technical details
X.509 certificate validation consists of several phases. These phases include certificate path discovery and path validation.
As part of certificate path discovery, the intermediate certificates must be located to build the certificate path up to a trusted root certificate. An intermediate certificate is a certificate that is useful in determining if a certificate was ultimately issued by a valid root certification authority (CA). These certificates can be obtained from the cache or from the certificate store on the client computer. Servers can also provide this information to the client computer.
In the SSL negotiation, the server certificate is validated on the client. In this case, the server provides the certificates to the client computer together with the intermediate issuing certificates that the client computer can use to build the certificate path. The complete certificate chain, except for the root certificate, is sent to the client computer.
IIS determines the set of certificates that it sends to clients for TLS/SSL by building a certificate chain of a configured server authentication certificate in the local computer context. The intermediate certificates must be configured correctly by adding them to the intermediate CA certificate store in the local computer account on the server.
If a server operator installs an SSL certificate together with the relevant issuing CA certificates, and then the server operator later renews the SSL certificate, the server operator must make sure that the intermediate issuing certificates are updated at the same time.
How to configure intermediate certificates
1. Open the Certificates Microsoft Management Console (MMC) snap-in. To do this, follow these steps:
   a. At a command prompt, type Mmc.exe.
   b. If you are not running the program as the built-in Administrator, you will be prompted for permission to run the program. In the Windows Security dialog box, click Allow.
   c. On the File menu, click Add/Remove Snap-in.
   d. In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and then click OK.
   e. In the Certificates snap-in dialog box, click Computer account, and then click Next.
   f. In the Select computer dialog box, click Finish.
   g. In the Add or Remove Snap-ins dialog box, click OK.
2. To add an intermediate certificate, follow these steps:
   a. In the Certificates MMC snap-in, expand Certificates, right-click Intermediate Certification Authorities, point to All Tasks, and then click Import.
   b. In the Certificate Import Wizard, click Next.
   c. In the File to Import page, type the file name of the certificate that you want to import in the File name box, and then click Next.
   d. Click Next, and then complete the Certificate Import Wizard.
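The import above can also be done from a script and then checked, which is useful after a renewal when the issuing CA may have changed. The following is an added example, not part of KB954755: it uses the .NET X509Store and X509Chain classes from PowerShell, and `$IntermediatePath` and `$ServerThumbprint` are placeholder parameters that you supply.

```powershell
# Added example, not part of KB954755. Run from an elevated prompt on the IIS server.
param(
    [Parameter(Mandatory = $true)][string]$IntermediatePath,  # placeholder, e.g. C:\certs\issuing-ca.cer
    [Parameter(Mandatory = $true)][string]$ServerThumbprint   # thumbprint of the certificate bound in IIS
)
$ns = 'System.Security.Cryptography.X509Certificates'

# Load the file and refuse anything that is not an intermediate CA certificate.
$ca = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $IntermediatePath).Path
$bc = $ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # basicConstraints
if (-not $bc -or -not $bc.CertificateAuthority) { throw "Not a CA certificate: $($ca.Subject)" }
if ($ca.Subject -eq $ca.Issuer) { throw "Self-signed root, not an intermediate: $($ca.Subject)" }

# Same effect as Import under "Intermediate Certification Authorities" (Computer account).
$caStore = New-Object "$ns.X509Store" -ArgumentList 'CA', 'LocalMachine'
$caStore.Open('ReadWrite')
$caStore.Add($ca)
$installed = @($caStore.Certificates | ForEach-Object { $_.Thumbprint })
$caStore.Close()

# Find the server authentication certificate in the local computer's Personal store.
$my = New-Object "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
$my.Open('ReadOnly')
$server = $my.Certificates | Where-Object { $_.Thumbprint -eq $ServerThumbprint } | Select-Object -First 1
$my.Close()
if (-not $server) { throw "No certificate with thumbprint $ServerThumbprint in LocalMachine\My" }

# Build the chain in the local computer context, as the article says IIS does.
$chain = New-Object "$ns.X509Chain" -ArgumentList $true   # $true = machine context
$chain.ChainPolicy.RevocationMode = 'NoCheck'             # this check is about path building only
$built = $chain.Build($server)

# Chain building can also use cached or downloaded issuers, so confirm that each
# intermediate (neither the leaf nor a self-signed root) is really in LocalMachine\CA.
$missing = @()
for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
    $c = $chain.ChainElements[$i].Certificate
    if ($c.Subject -ne $c.Issuer -and $installed -notcontains $c.Thumbprint) { $missing += $c.Subject }
}
"Chain built: $built ($($chain.ChainElements.Count) elements)"
$chain.ChainStatus | ForEach-Object { "Status: $($_.Status) $($_.StatusInformation.Trim())" }
if ($missing) { $missing | ForEach-Object { "Missing from LocalMachine\CA: $_" } }
else { "All intermediates are in LocalMachine\CA" }
```

A chain that builds while an intermediate is reported missing from LocalMachine\CA means the issuer was resolved from somewhere other than the store the article tells you to populate, so import that certificate as well.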
REFERENCES
For more information about how the CryptoAPI function builds certificate chains and validates revocation status, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc700843.aspx
Security resources
For more information about security in Microsoft products, visit the following Microsoft TechNet Web site:
http://www.microsoft.com/technet/security/default.mspx
Article ID: 954755 - Last Review: July 1, 2008 - Revision: 1.1
APPLIES TO
Microsoft Internet Information Services 7.0
Microsoft Internet Information Services 6.0
Microsoft Internet Information Services 5.1