Wouldn't it be nice if you could give trusted users transparent access to an encrypted web site, so they no longer had to enter a user name and password every time they came to your site? One way to let users talk to the encrypted part of your site without supplying a user name and password is to configure IIS (Internet Information Server) to require challenge/response authentication and have the users run Internet Explorer on Windows NT. But what if your users do not run NT or IE? The answer is Microsoft Certificate Server.
Certificate Server is a component of the NT 4.0 Option Pack. It lets you generate and issue digital certificates to users whose identity you have verified, so that they can reach their own NT user accounts when they log on to the site without having to present credentials.
Digital certificates are central to network security. A digital certificate is essentially an electronic document that computer systems can use to identify and verify the users who are browsing the network, exchanging email, and transferring files. One way to obtain a digital certificate is from a certificate authority (CA): an organization that verifies a user's identity and then issues a certificate to that user or to the user's system. Certificate Server lets you act as the CA inside your own enterprise, which protects your employees' confidentiality, saves money, and improves service. (For background on certificate authorities and digital certificates, see Tao Zhou's article "You Can Be a Web Certification Authority", October 1997.)
The Certificate Server setup program prompts you to create an SSL (Secure Sockets Layer) key for the server. The SSL server key lets the web server and client browsers hold secure, encrypted sessions; without an SSL key, IIS 4.0 cannot use certificate-based client authentication. In the Create New Key dialog, select "Automatically send the request to an online authority" to generate and sign the SSL server key request in one step, as Screen 3 shows.
Now you must add the CA you just created to the server's list of trusted CAs, which you do by installing the CA's certificate in your browser. Start IE 4.0 on the server and browse to http://server name/certsrv/certenroll/cacerts.htm. A page titled Certificate Authority Certificate List appears and lists the CA key you just generated. Click the link and choose "Open this file from its current location"; you will be prompted to install a New Site Certificate, as Screen 4 shows.
<html>
<head>
<title>Client Certificate Capture</title>
</head>
<body>
<%
'Instantiate the FileSystemObject so we can write a text file
Set fs = Server.CreateObject("Scripting.FileSystemObject")
'Open the capture file in append mode (8), creating it if it does not exist
Set outStream = fs.OpenTextFile( "C:\Inetpub\wwwroot\certificates\cert.txt", 8, True )
'Save the certificate issuer to the text file
outStream.WriteLine( "# Issuer: " & Request.ClientCertificate("Issuer") )
'Extract the certificate subject (the user); replace any carriage return
'or line feed between subject fields with ";" so the subject fits on one line
su = Request.ClientCertificate( "Subject" )
mx = len(su)
for x = 1 to mx
    if mid(su,x,1)=chr(10) or mid(su,x,1)=chr(13) then
        su=left(su,x-1)+";"+right(su,mx-x)
    end if
next
outStream.WriteLine( "# Subject: " & su )
'REMOTE_USER is the NT account IIS mapped the certificate to (empty if none)
outStream.WriteLine( "# Account: " & Request.ServerVariables("REMOTE_USER") )
'Extract the raw (ASN.1) certificate and write it base64-encoded,
'3 bytes to 4 characters, 64 characters per line, between PEM markers
cer = Request.ClientCertificate("Certificate")
lcer = len(cer)
l = 0
uue = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
outStream.WriteLine( "-----BEGIN CERTIFICATE-----" )
for x = 1 to lcer step 3
    a1 = asc(mid(cer,x,1))
    if x+1 <= lcer then
        a2 = asc(mid(cer,x+1,1))
        if x+2 <= lcer then
            a3 = asc(mid(cer,x+2,1))
        else
            a3 = 0
        end if
    else
        a2 = 0
        a3 = 0
    end if
    outStream.Write mid(uue, (a1 and 252)/4 +1 ,1)
    outStream.Write mid(uue, (a1 and 3)*16 + (a2 and 240)/16 +1 ,1)
    if x+1 <= lcer then
        outStream.Write mid(uue, (a2 and 15)*4 + (a3 and 192)/64 +1 ,1)
        if x+2 <= lcer then
            outStream.Write mid(uue, (a3 and 63) +1 ,1)
        else
            'two bytes left: one pad character
            outStream.Write "="
        end if
    else
        'one byte left: two pad characters
        outStream.Write "=="
    end if
    'wrap the output at 64 characters per line
    l = l + 4
    if l = 64 then
        outStream.WriteLine("")
        l = 0
    end if
next
if l > 0 then
    outStream.WriteLine( "" )
end if
outStream.WriteLine( "-----END CERTIFICATE-----" )
outStream.Close
Response.Write "Your certificate information has been received and logged successfully <br>"
Response.Write "You will be notified when we have configured your secured access to this Site "
%>
</body>
</html>
If a client browsing this ASP file sees no client certificate offered in the client authentication dialog, the CA information in the IIS metabase is probably wrong. To fix it, rerun the three commands mentioned earlier (Iisca, NET STOP iisadmin /y, and NET START w3svc) from the IIS root directory. cert.txt should now contain the client certificate, as Listing 2 shows. Copy the contents of Listing 2 into your favorite text editor and save it to a file. Note that the listing writes cert.txt under C:\Inetpub\wwwroot, the web root: unless that directory is protected, anyone who can reach the site can read the captured certificates and account names, so keep the capture file outside the web root or restrict its NTFS permissions.