IIS7:如何将 SSL 证书绑定到 Https 主机头?
[英]IIS7: How to bind SSL Certificate to Https Host Header?
问题描述
I have the following Web Farm:
我有以下网络农场:
1. http: mydomain1.com port: 80
2. http: mydomain2.com port: 80
3. https: port: 443 SSL Certificate: myCertificate
In II7 when you select https binding, the host name will be disabled.在 II7 中,当您选择 https 绑定时,主机名将被禁用。 I used the appcmd to bind the host name "admin.mydomain2.com" to the website.我使用 appcmd 将主机名“admin.mydomain2.com”绑定到网站。
appcmd set site /site.name:"admin" /+bindings.[protocol='https',bindingInformation='*:443:admin.mydomain2.com']
A new item was added to the bindings.绑定中添加了一个新项目。
3. a. https: port: 443 SSL Certificate: myCertificate
b. https: admin.mydomain2.com port:443 SSL Certificate: None
If for example I want to remove the first item (a), is it possible to assign a certificate to the second binding (b)?例如,如果我想删除第一项 (a),是否可以将证书分配给第二个绑定 (b)?
3 个解决方案
解决方案1
4 2014-11-19 17:54:41
Links as answers are not the best way to do it, because often those links go cold.链接作为答案并不是最好的方法,因为这些链接通常会变冷。 Here's a summary of the answer posted above, along with supporting information from elsewhere.这是上面发布的答案的摘要,以及来自其他地方的支持信息。
When it comes to SSL, host headers are really left out in the cold.谈到 SSL,主机标头真的被冷落了。 The purpose of SSL is to encrypt your traffic, and part of that traffic is the HTTP headers sent by the browser to the server. SSL 的目的是加密您的流量,部分流量是浏览器发送到服务器的 HTTP 标头。 One of those headers would be the "Host" header which IIS uses to determine which site to load up with the request.这些标头之一是“主机”标头,IIS 使用它来确定要加载请求的站点。 Since the certificate needs to be loaded to establish the secure connection BEFORE the request headers are sent, IIS has to select the certificate based only upon the IP address and port number, thus rendering the host header useless.由于需要在发送请求标头之前加载证书以建立安全连接,因此 IIS 必须仅根据 IP 地址和端口号选择证书,从而使主机标头无用。 This, however, does not relieve us of having to comply with STIG v6724 as it relates to IIS Site configuration.但是,这并不能免除我们必须遵守 STIG v6724,因为它与 IIS 站点配置有关。 So, instead of allowing you to enter the information even though it's useless, Microsoft attempts to out-wit you by not allowing you to enter it at all.因此,Microsoft 不会允许您输入无用的信息,而是试图通过根本不允许您输入来欺骗您。 There is, however, a way around this.然而,有一种方法可以解决这个问题。
Please note that this answer assumes that your certificate has already been generated, added to the certificate store, and added to IIS.请注意,此答案假定您的证书已生成、添加到证书存储区并添加到 IIS。 It also assumes you do not want any other bindings to your website besides the SSL one.它还假设除了 SSL 之外,您不希望任何其他绑定到您的网站。
First, we need to gather some information.首先,我们需要收集一些信息。 We need the hash, the application ID and the host name.我们需要散列、应用程序 ID 和主机名。
- Open IIS, select your server and double click on "Server Certificates" in the bottom section.打开 IIS,选择您的服务器并双击底部的“服务器证书”。 Note the "Issued To" address.请注意“颁发给”地址。 This is our host name.这是我们的主机名。 Save this.保存这个。
- Select your site选择您的站点
- Bind your site to port 80 using the http protocol使用 http 协议将您的站点绑定到端口 80
- Remove all other bindings删除所有其他绑定
- Bind your site to port 443 using the https protocol使用 https 协议将您的站点绑定到端口 443
Open a command prompt
打开命令提示符netsh http show sslcertSave the Certificate Hash and the Application ID
保存证书哈希和应用程序 ID- Remove the https binding on your site删除站点上的 https 绑定
At the command prompt:
在命令提示符下:netsh http add sslcert ipport=0.0.0.0:443 certstorename=my certhash=<put Certificate Hash here> appid={<put Application ID here>} appcmd set site /site.name:"<put site name here>" /+bindings.[protocol='https',bindingInformation='*:443:<put host name here>']
NOTE: Appcmd.exe can be found in c:\\windows\\system32\\insetsrv.注意:Appcmd.exe 可以在 c:\\windows\\system32\\insetsrv 中找到。 You may need to be in that folder for this command to work.您可能需要在该文件夹中才能使用此命令。
- Remove the http binding from your site从您的站点中删除 http 绑定
NOTE: You can leave the http binding if you want to have your site auto-redirect to https, but that is another topic.注意:如果您想让您的站点自动重定向到 https,您可以保留 http 绑定,但这是另一个主题。
解决方案2
0 2020-09-03 16:22:41
REM Solution to bind https for "Default Web Site" on IIS 7
cmd /c
pushd %systemroot%\System32\inetsrv
set sitename=Default Web Site
appcmd set site /site.name:"%sitename%" /+bindings.[protocol='https',bindingInformation='*:443:']
REM To assign ssl certificate to "Default Web Site" on IIS7
REM Go to inetmgr assign ssl certificate manually to the "Default Web Site" in Edit Bindings
REM Go to DOS command prompt use command (netsh http show sslcert) and get the Certificate Hash (certhash) and Application ID (appid) information
REM Execute the netsh command
netsh http add sslcert ipport=0.0.0.0:443 certhash=******** appid={********}
解决方案3
-1 2011-05-17 17:48:52
This blog post might help you.这篇博文或许能帮到你。 It got me to the point of having the host header defined in IIS and the correct SSL cert assigned to it, and while it worked fine locally if we pointed 127.0.0.1 to the site's address in the hosts file, it just timed out when put in production.它让我在 IIS 中定义了主机头并为其分配了正确的 SSL 证书,虽然如果我们将 127.0.0.1 指向主机文件中的站点地址,它在本地运行良好,但它只是在放置时超时在生产中。 Hopefully it'll get you a little further:希望它能让你更进一步:
http://www.awesomeideas.net/post/How-to-configure-SSL-on-IIS7-under-Windows-2008-Server-Core.aspx http://www.awesomeideas.net/post/How-to-configure-SSL-on-IIS7-under-Windows-2008-Server-Core.aspx
Remove all your bindings, assign the SSL cert with the command line, then add the SSL bindings with host header via the command line.删除所有绑定,使用命令行分配 SSL 证书,然后通过命令行添加带有主机头的 SSL 绑定。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.