配置SSL的Web服务 [英] Configure ssl for the web services

问题描述

所有，我试图让通过以下方法<一个用于SSL我的web服务（自签名证书） href=\"http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx\"相对=nofollow>说明。但到目前为止，我卡住它没有回答。

All, I was trying to enable my web service for ssl(self-signed certificate) by following this instructions. But so far I get stuck with it without answer.

有一件事情我还以为错过了作家没有设置高级设置 - ＆GT;启用的协议HTTPS = 。我认为这是必要的。
而在我的情况下，我需要客户端和服务器之间传输的数据进行加密。所以我想我需要设置 SSL设置 - ＆GT;客户端证书：。要求（？我应该做的），就像下面

One thing I thought the writer missed is not set Advanced setting->Enabled Protocols=https. I think it is necessary. And In my case, I need to encrypt the data transported between client and server. So I thought I need to set ssl setting->client certificate:required.(Should I do that?) Just like below.

和我已经设置了SSL端口， 7002 我的Web服务。并规定新建的自签名证书为我的Web服务。就像下面。

and I had set the ssl port is 7002 for my web services. and specified the new created self-signed certificate for my web services. just like below.

Web服务成功启动。但是，当我访问的URL与 https：//开头本地主机：7002 / xxx.asmx 。
我得到一个错误消息说：

The web services started successfully. But when I accessed the url with https://localhost:7002/xxx.asmx. I got a error message says :

HTTP错误403.7 - 禁止您试图访问的页面
  要求你的浏览器有安全套接字层（SSL）客户端
  Web服务器可以识别证书。

HTTP Error 403.7 - Forbidden The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

我不知道如果我做错了什么，或错过了一些重要的。请您告诉我，如果你发现它.thanks。

I don't If I did something wrong or missed something important . please kindly tell me if you found it .thanks.

我的电脑是Win7的64位操作系统和IIS 7.0。

My computer is Win7 64 bit OS, and IIS 7.0.

推荐答案

您必须取消选中要求的客户端证书，选择接受或忽略，而不是选项。通过选择要求您所期望的客户端 - 浏览器/你有任何的Firefox浏览器 - 让您在它信任的证书存储区的证书

You must uncheck the "Require" option below client certificates by selecting "Accept" or "Ignore" instead. By selecting "Require" you expect the client - the explorer/firefox whatever browser you have - to have a certificate that you trust in it's certificate store.

要求客户有一个证书被称为相互认证和不需要实现通信加密。

Requiring the client to have a certificate is known as mutual authentication and is unnecessary to achieve traffic encryption.

在相互SSL有四个主要组成部分，
（1）服务器的信任链，
（2）客户机的信任链，
（3）客户端证书，
（4）服务器证书。

In mutual SSL there are four main components, (1) the trust chain for the server, (2) the trust chain for the client, (3) the client certificate, (4) the server certificate.

证书（3和4）将具有信任链（1和2） - 其可以是相同的，一个根CA和常用中间CA该登录彼此在序列上建立的一链中的真实性，根签署这反过来签署它的中间上方等，直到最后一个在链标志证书的中间。因此，一个自签名证书标志本身既是一个证书和一个信任链。在一个非自签名的服务器证书的情况下，你期望的信任链，可在客户端上，以便它可以通过检查它的签名验证证书的出处。在相互认证还要求服务器具有客户端的信任链，以便它可以检查它的出处。

Certificates (3 & 4) will have trust chains (1 & 2) - which may be the same, a "root CA" and commonly a chain of "intermediate CA" that sign each other in sequence to establish their authenticity, the root signs the intermediate which in turn signs the intermediate above it and so on until the last one in the chain signs the certificate. A self signed certificate signs itself and is therefore both a certificate and a trust chain. In the case of a non self signed server certificate you expect the trust chain to be available on the client so that it can validate the provenance of the certificate by checking it's signature. In mutual authentication you also require the server to have the trust chain of the client so that it can check it's provenance.

这篇关于配置SSL的Web服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！