Windows Server 2008 R2 下配置TLS1.2添加自签名证书的图文教程

前言

2017年1月1日起App Store上的所有App应用将强制开启ATS功能。

苹果的ATS(App Transport Security)对服务器硬性3点要求:

① ATS要求TLS1.2或者更高,TLS 是 SSL 新的别称。

② 通讯中的加密套件配置要求支持列出的正向保密。

③ 数字证书必须使用sha256或者更高级的签名哈希算法,并且保证密钥是2048位及以上的RSA密钥或者256位及以上的ECC密钥。

由于领导舍不得花钱,只能辛苦我们自己搞个不花钱的证书。在网上找了一大堆各种配置证书服务的文章,在ios端运行的时候总是直接报错,很是费解,后来注意到必须是TLS1.2或者更高的版本,而按照网上的配置弄好后都是ssl1.0,根本原因没有解决。所以必须先升级服务器ssl的版本,这个升级的文章很多,有用的不多。在这里整理下找到的资料,供大家参考。注意:证书服务可以不用安装,升级ssl后即可正常访问。

1.首先打开服务器组策略,命令行输入gpedit.msc,找到ssl配置设置,双击ssl密码套件顺序,选择已启用,并保存。准备工作完成!

2.在下面选择您需要的配置并复制,打开Powershell直接粘贴。最后会提示是否重启服务器,输入Y会直接重启,根据自己的情况而定吧,重启后生效哦~

2.1. configure your IIS server with Perfect Forward Secrecy and TLS 1.2:

# Copyright 2016, Alexander Hass
# http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
#
# Version 1.7
# - Windows Version compare failed. Get-CimInstance requires Windows 2012 or later.
# Version 1.6
# - OS version detection for cipher suites order.
# Version 1.5
# - Enabled ECDH and more secure hash functions and reorderd cipher list.
# - Added Client setting for all ciphers.
# Version 1.4
# - RC4 has been disabled.
# Version 1.3
# - MD5 has been disabled.
# Version 1.2
# - Re-factored code style and output
# Version 1.1
# - SSLv3 has been disabled. (Poodle attack protection)
Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'
Write-Host '--------------------------------------------------------------------------------'
# Disable Multi-Protocol Unified Hello
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'Multi-Protocol Unified Hello has been disabled.'
# Disable PCT 1.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'PCT 1.0 has been disabled.'
# Disable SSL 2.0 (PCI Compliance)
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'SSL 2.0 has been disabled.'
# NOTE: If you disable SSL 3.0 the you may lock out some people still using
# Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available
# for these people to fall back. Safer shopping certifications may require that
# you disable SSLv3.
#
# Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'SSL 3.0 has been disabled.'
# Add and Enable TLS 1.0 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.0 has been enabled.'
# Add and Enable TLS 1.1 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been enabled.'
# Add and Enable TLS 1.2 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'
# Re-create the ciphers key.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null
# Disable insecure/weak ciphers.
$insecureCiphers = @(
 'DES 56/56',
 'NULL',
 'RC2 128/128',
 'RC2 40/128',
 'RC2 56/128',
 'RC4 40/128',
 'RC4 56/128',
 'RC4 64/128',
 'RC4 128/128'
)
Foreach ($insecureCipher in $insecureCiphers) {
 $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
 $key.SetValue('Enabled', 0, 'DWord')
 $key.close()
 Write-Host "Weak cipher $insecureCipher has been disabled."
}
# Enable new secure ciphers.
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.
# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureCiphers = @(
 'AES 128/128',
 'AES 256/256',
 'Triple DES 168'
)
Foreach ($secureCipher in $secureCiphers) {
 $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
 New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
 $key.close()
 Write-Host "Strong cipher $secureCipher has been enabled."
}
# Set hashes configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
$secureHashes = @(
 'SHA',
 'SHA256',
 'SHA384',
 'SHA512'
)
Foreach ($secureHash in $secureHashes) {
 $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash)
 New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
 $key.close()
 Write-Host "Hash $secureHash has been enabled."
}
# Set KeyExchangeAlgorithms configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
$secureKeyExchangeAlgorithms = @(
 'Diffie-Hellman',
 'ECDH',
 'PKCS'
)
Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
 $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)
 New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
 $key.close()
 Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."
}
# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).
$os = Get-WmiObject -class Win32_OperatingSystem
if ([System.Version]$os.Version -lt [System.Version]'10.0') {
 Write-Host 'Use cipher suites order for Windows 2008R2/2012/2012R2.'
 $cipherSuitesOrder = @(
 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
 'TLS_RSA_WITH_AES_256_GCM_SHA384',
 'TLS_RSA_WITH_AES_128_GCM_SHA256',
 'TLS_RSA_WITH_AES_256_CBC_SHA256',
 'TLS_RSA_WITH_AES_128_CBC_SHA256',
 'TLS_RSA_WITH_AES_256_CBC_SHA',
 'TLS_RSA_WITH_AES_128_CBC_SHA',
 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
 )
}
else {
 Write-Host 'Use cipher suites order for Windows 10/2016 and later.'
 $cipherSuitesOrder = @(
 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
 'TLS_RSA_WITH_AES_256_GCM_SHA384',
 'TLS_RSA_WITH_AES_128_GCM_SHA256',
 'TLS_RSA_WITH_AES_256_CBC_SHA256',
 'TLS_RSA_WITH_AES_128_CBC_SHA256',
 'TLS_RSA_WITH_AES_256_CBC_SHA',
 'TLS_RSA_WITH_AES_128_CBC_SHA',
 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
 )
}
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
# One user reported this key does not exists on Windows 2012R2. Cannot repro myself on a brand new Windows 2012R2 core machine. Adding this just to be save.
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null
Write-Host '--------------------------------------------------------------------------------'
Write-Host 'NOTE: After the system has been rebooted you can verify your server'
Write-Host '  configuration at https://www.ssllabs.com/ssltest/'
Write-Host "--------------------------------------------------------------------------------`n"
Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
Restart-Computer -Force -Confirm

2.2 iisresetssltoweakdefaults

# Copyright 2016, Alexander Hass
# http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
#
# Version 1.0
# - Rollback script created.
Write-Host 'Reset IIS to weak and insecure SSL defaults...'
Write-Host '--------------------------------------------------------------------------------'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name DisabledByDefault -value 1 -PropertyType 'DWord'
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Force
Restart-Computer -Force

3.最后配置IIS站点,添加ssl自签名证书,站点绑定https,并选择刚添加的自签名证书即可。

4.全称无需给服务器安装证书服务,ios客户端证书校验时默认全部通过即可,如果对安全要求严格的客户端可导入证书做校验。

(0)

相关推荐

  • Windows server 2003证书服务器配置方法(图文)

    Windows server 2003证书服务器配置方法(图文)

    Windows CA 证书服务器配置(一) -- Microsoft 证书服务安装2008-09-2410:03安装准备:插入Windows Server 2003 系统安装光盘 添加IIS组件: 点击'确定',安装完毕后,查看IIS管理器,如下: 添加"证书服务"组件 如果您的机器没有安装活动目录,在勾选以上'证书服务'时,将弹出如下窗口: 由于我们将要安装的是独立CA,所以不需要安装活动目录,点击'是',窗口跳向如下: 默认情况下,'用自定义设置生成密钥对和CA证书'没有勾选,我们

  • Windows Server 2008 R2 下配置TLS1.2添加自签名证书的图文教程

    Windows Server 2008 R2 下配置TLS1.2添加自签名证书的图文教程

    前言 2017年1月1日起App Store上的所有App应用将强制开启ATS功能. 苹果的ATS(App Transport Security)对服务器硬性3点要求: ① ATS要求TLS1.2或者更高,TLS 是 SSL 新的别称. ② 通讯中的加密套件配置要求支持列出的正向保密. ③ 数字证书必须使用sha256或者更高级的签名哈希算法,并且保证密钥是2048位及以上的RSA密钥或者256位及以上的ECC密钥. 由于领导舍不得花钱,只能辛苦我们自己搞个不花钱的证书.在网上找了一大堆各种配置

  • Windows Server 2008 R2 下配置证书服务器和HTTPS的图文教程

    Windows Server 2008 R2 下配置证书服务器和HTTPS的图文教程

    前言 2017年1月1日起App Store上的所有App应用将强制开启ATS功能. 苹果的ATS(App Transport Security)对服务器硬性3点要求: ① ATS要求TLS1.2或者更高,TLS 是 SSL 新的别称. ② 通讯中的加密套件配置要求支持列出的正向保密. ③ 数字证书必须使用sha256或者更高级的签名哈希算法,并且保证密钥是2048位及以上的RSA密钥或者256位及以上的ECC密钥. 配置环境 Windows版本:Windows Server 2008 R2 E

  • IIS7.0 Windows Server 2008 R2 下配置证书服务器和HTTPS方式访问网站的教程图文详解

    IIS7.0 Windows Server 2008 R2 下配置证书服务器和HTTPS方式访问网站的教程图文详解

    配置环境 Windows版本:Windows Server 2008 R2 Enterprise Service Pack 1 系统类型: 64 位操作系统 了解HTTPS 为什么需要 HTTPS ? 在我们浏览网站时,多数网站的URL都是以HTTP开头,HTTP协议我们比较熟悉,信息通过明文传输; 使用HTTP协议有它的优点,它与服务器间传输数据更快速准确; 但是HTTP明显是不安全的,我们也可以注意到,当我们在使用邮件或者是在线支付时,都是使用HTTPS; HTTPS传输数据需要使用证书并对

  • Windows server 2008 r2下MySQL5.7.17 winx64安装版配置方法图文教程

    win下安装mysql5.7,供大家参考,具体内容如下 @Author GQ 2017年04月4日 刚买了一个阿里云winServer 2008R2 标准版,需要安装一个MySql数据库,一路的坑已填平. 1.MySql官网下载https://dev.mysql.com/downloads/mysql/ zip格式 2.解压到服务器C盘目录,可自定义 3.默认有一个my-defult.ini配置文件(注意并且目录中是没有data文件的(生成data文件往下看) 4.在cmd中切到mysql/bi

  • 在Windows Server 2008 R2服务器下架设VPN服务器的方法

    在Windows Server 2008 R2服务器下架设VPN服务器的方法

    系统环境: Windows Server 2008 R2 Enterprise 6.1.7600.16385 RRAS 5.2.0000 NPS 6.1.7600.16385 测试目的:架设VPN服务器并通过VPN访问内部网络 操作步骤: 1.在服务器管理器中添加角色"网络策略和访问服务",并安装以下角色服务: 下一步直到安装完成. 2.在 开始->管理工具->路由和远程访问 中打开RRAS,简陋的界面如下: 点击服务器状态,可看到目前只有一台服务器(就是本机).以我的计算

  • Windows Server 2008 R2 负载平衡安装配置入门篇

    Windows Server 2008 R2 负载平衡安装配置入门篇

    一.简单介绍负载均衡 负载均衡也称负载共享,它是指负载均衡是指通过对系统负载情况进行动态调整,把负荷分摊到多个操作节点上执行,以减少系统中因各个节点负载不均衡所造成的影响,从而提高系统的工作效率. 在常用的大型服务器系统当中都存在着负载均衡组件,常用的像微软的网络负载平衡NLB.甲骨文的Oracle RAC.思科的负载均衡(SLB),Apach+Tomcat 负载均衡,它们能从硬件或软件不同方面实现系统各节点的负载平衡,有效地提高大型服务器系统的运行效率,从而提升系统的吞吐量.本篇文章以微软的网

  • Windows server 2008 R2配置多个远程连接的教程

    本文为大家分享了Windows server 2008 R2配置多个远程连接的具体步骤,供大家参考,具体内容如下 1.右键计算机属性--远程设置--出现系统属性对话框--选择"远程"选项卡,按如下图操作:. 2.默认只有administrator具有远程桌面的权限,其他用户都没有权限远程桌面连接服务器.因此,我们还得将需要进行远程桌面连接的其他用户也添加进来,赋予他们权限 3.运行,gpedit.msc命令.计算机配置--管理模版--Windows组件--远程桌面服务--远程桌面回话主

  • Windows Server 2008 R2 IIS7.5配置FTP图文教程

    本文为大家分享了IIS 配置FTP 网站的具体过程,供大家参考,具体内容如下 说明:服务器环境是Windows Server 2008 R2,IIS7.5. 1. 在 服务器管理器的Web服务器(IIS) 上安装 FTP 服务 2. 在IIS管理器 添加FTP网站 端口可以不用默认的,自己设置 身份认证选基本,用户则建议添加一个专门用来登录ftp的用户,然后指定给这个用户授权 3. 配置防火墙规则 新增入站规则 注意:这里要添加的端口是刚刚添加FTP网站时候填写的那个端口.为一般VPS只会开放少

  • WIN2008 R2 Active Directory 之一 部署企业中第一台Windows Server 2008 R2域控制器

    WIN2008 R2 Active Directory 之一 部署企业中第一台Windows Server 2008 R2域控制器

    前言 对于活动目录(AD)来讲,从Windows 2000到现在有非常多的文章在对其进行探讨,微软公司每推出一代新的Windows系统,这一重要服务技术不管是从功能上还是从性能上都在不断进步.在此,以最新Windows Server 2008 R2(以后简称WIN08R2)系统为例,从零开始讲述关于WIN08R2活动目录相关技术.希望能一直坚持写完! --胖哥 通过多年来AD在企业中的部署,技术人员几乎都知道与活动目录相关的一系列概念了,如:域.域树.域林.OU和站点,还有域控制器(DC)等.那

  • Windows Server 2008 R2常规安全设置及基本安全策略

    Windows Server 2008 R2常规安全设置及基本安全策略

    用的腾讯云最早选购的时候悲催的只有Windows Server 2008 R2的系统,原来一直用的Windows Server 2003对2008用起来还不是非常熟练,对于一些基本设置及基本安全策略,在网上搜了一下,整理大概有以下17个方面,如果有没说到的希望大家踊跃提出哈! 比较重要的几部 1.更改默认administrator用户名,复杂密码 2.开启防火墙 3.安装杀毒软件 1)新做系统一定要先打上补丁 2)安装必要的杀毒软件 3)删除系统默认共享 4)修改本地策略-->安全选项 交互式登

随机推荐