信任来自 IIS 的自签名证书 [英] Trust a self signed cert from IIS

问题描述

我有一个外部托管的 iis 网络服务器，我在其中运行我的网站.我想向该网站添加一个自签名证书并在我的本地客户端上信任它，以从浏览器中删除不安全连接".

到目前为止我所做的如下

1. 在 IIS 中创建了自签名证书:服务器证书 -> 创建自签名证书.证书颁发给服务器名称，例如ABCD01"
2. 使用自签名证书创建了一个带有 https 绑定的网站.
3. 使用以下方式从 IIS 导出自签名证书:服务器证书 -> 导出.这产生了一个 .pfx 文件
4. 在本地客户端导入 .pfx 证书文件:管理计算机证书 -> 受信任的根证书颁发机构 -> 导入
5. 将主机的主机名(ABCD01)和ip添加到hosts文件:C:WindowsSystem32driversetchosts

当我尝试在 Firefox 中打开网站时(使用 https://ABCD01)，我仍然得到您的连接是不安全".我错过了什么?

解决方案

有多个问题:

1. IIS 证书生成器使用现代浏览器中已过时的 SHA1 签名算法创建自签名证书.您必须使用不同的工具来创建测试证书.例如，使用 PowerShell New-SelfSignedCertificate cmdlet，您可以在其中指定签名算法.查看此帖子以获取示例:https://stackoverflow.com/a/45284368/3997611

<上一页>New-SelfSignedCertificate `-DnsName "ABCD01" `-CertStoreLocation "cert:LocalMachineMy" `-FriendlyName测试开发证书"`-TextExtension2.5.29.37={文本}1.3.6.1.5.5.7.3.1"`-KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment `-提供者Microsoft RSA SChannel 加密提供者"`-哈希算法SHA256"

1. IIS 证书生成器无法使用 Google Chrome 所需的 SAN(主题备用名称)证书扩展生成证书.您必须使用不同的工具来创建测试证书.参考上面的例子.

2. Google Chrome 使用内置的 Windows 证书存储来建立信任，而 FireFox 使用自己的证书存储.因此，将证书添加到 Windows 证书存储后，您必须手动将测试证书导入 FireFox.

I have an externally hosted iis webserver where i run my website. I would like to add a self signed certificate to this website and trust it on my local client, to remove "Insecure Connection" from the browser.

What i have done so far is the following

1. Created a self signed certificate in IIS: Server Certificates -> Create self signed Certificate. The cert is issued to the servername e.g "ABCD01"
2. Created a website with a https binding using the self signed certificate.
3. Exported the self signed certificate from IIS using: Server Certificates -> Export. This resulted in an .pfx file
4. Imported the .pfx cert file on the local client: manage computer certificates -> Trusted Root certification authorities -> import
5. Added the hostname (ABCD01) and ip of the host to the hosts file: C:WindowsSystem32driversetchosts

When i try to open the website in firefox (using https://ABCD01), i still get the "Your connection is not secure". What am i missing?

解决方案

There are multiple issues:

1. IIS certificate generator creates self-signed certificates with SHA1 signature algorithm which is obsolete in modern browsers. You have to use different tools to create test certificates. For example, use PowerShell New-SelfSignedCertificate cmdlet where you can specify signature algorithm. Look at this post to get an example: https://stackoverflow.com/a/45284368/3997611

New-SelfSignedCertificate `
    -DnsName "ABCD01" `
    -CertStoreLocation "cert:LocalMachineMy" `
    -FriendlyName "test dev cert" `
    -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
    -KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment `
    -Provider "Microsoft RSA SChannel Cryptographic Provider" `
    -HashAlgorithm "SHA256"

2. IIS certificate generator cannot build certificate with SAN (Subject Alternative Names) certificate extension which is required in Google Chrome. You have to use different tools to create test certificates. Look at the example above for reference.

3. Google Chrome uses built-in Windows Certificate store to establish a trust, while FireFox uses its own certificate store. Therefore, after adding the certificate to Windows certificate store, you have to import your test certificate to FireFox manually.

这篇关于信任来自 IIS 的自签名证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！