Illustrated tutorial: configuring TLS 1.2 and adding a self-signed certificate on Windows Server 2008 R2

程序员文章站 2022-05-07 17:32:02

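Preface

Starting January 1, 2017, all apps on the App Store will be required to enable ATS.

Apple's ATS (App Transport Security) imposes three hard requirements on the server:

① ATS requires TLS 1.2 or higher; TLS is the newer name for SSL.

② The cipher suites configured for the connection must support forward secrecy and come from the listed suites.

③ The digital certificate must use SHA256 or a stronger signature hash algorithm, and the key must be an RSA key of 2048 bits or more, or an ECC key of 256 bits or more.

Because management did not want to spend money, we had to put together a free certificate ourselves. I found a whole pile of articles online about configuring Certificate Services, but the iOS client always failed immediately with an error, which was puzzling. I later noticed that TLS 1.2 or higher is mandatory, while following the configurations found online always left the server on SSL 1.0, so the root cause was never addressed. The server's SSL version therefore has to be upgraded first. There are many articles about this upgrade, but few useful ones. I have collected what I found here for reference. Note: Certificate Services does not need to be installed; once SSL has been upgraded, the site can be accessed normally.

1. First open the server's Group Policy editor: enter gpedit.msc at the command line, find SSL Configuration Settings, double-click SSL Cipher Suite Order, select Enabled, and save. Preparation is complete!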

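2. Choose the configuration you need below, copy it, open PowerShell, and paste it in directly. At the end you are asked whether to restart the server; entering y restarts it immediately, so decide according to your own situation. The settings take effect after the restart.

2.1. Configure your IIS server with Perfect Forward Secrecy and TLS 1.2: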

# Copyright 2016, Alexander Hass
# http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
#
# Version 1.7
# - Windows version compare failed. Get-CimInstance requires Windows 2012 or later.
# Version 1.6
# - OS version detection for cipher suites order.
# Version 1.5
# - Enabled ECDH and more secure hash functions and reordered cipher list.
# - Added client setting for all ciphers.
# Version 1.4
# - RC4 has been disabled.
# Version 1.3
# - MD5 has been disabled.
# Version 1.2
# - Re-factored code style and output
# Version 1.1
# - SSLv3 has been disabled. (Poodle attack protection)
Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'
Write-Host '--------------------------------------------------------------------------------'
# Disable Multi-Protocol Unified Hello
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'Multi-Protocol Unified Hello has been disabled.'
# Disable PCT 1.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'PCT 1.0 has been disabled.'
# Disable SSL 2.0 (PCI Compliance)
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'SSL 2.0 has been disabled.'
# NOTE: If you disable SSL 3.0 then you may lock out some people still using
# Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available
# for these people to fall back. Safer shopping certifications may require that
# you disable SSLv3.
#
# Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'SSL 3.0 has been disabled.'
# Add and enable TLS 1.0 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.0 has been enabled.'
# Add and enable TLS 1.1 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been enabled.'
# Add and enable TLS 1.2 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'
# Re-create the ciphers key.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null
# Disable insecure/weak ciphers.
$insecureCiphers = @(
  'DES 56/56',
  'NULL',
  'RC2 128/128',
  'RC2 40/128',
  'RC2 56/128',
  'RC4 40/128',
  'RC4 56/128',
  'RC4 64/128',
  'RC4 128/128'
)
foreach ($insecureCipher in $insecureCiphers) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
  $key.SetValue('Enabled', 0, 'DWord')
  $key.Close()
  Write-Host "Weak cipher $insecureCipher has been disabled."
}
# Enable new secure ciphers.
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.
# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureCiphers = @(
  'AES 128/128',
  'AES 256/256',
  'Triple DES 168'
)
foreach ($secureCipher in $secureCiphers) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
  New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  $key.Close()
  Write-Host "Strong cipher $secureCipher has been enabled."
}
# Set hashes configuration.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Name Enabled -Value 0 -PropertyType 'DWord' -Force | Out-Null
$secureHashes = @(
  'SHA',
  'SHA256',
  'SHA384',
  'SHA512'
)
foreach ($secureHash in $secureHashes) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash)
  New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  $key.Close()
  Write-Host "Hash $secureHash has been enabled."
}
# Set KeyExchangeAlgorithms configuration.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
$secureKeyExchangeAlgorithms = @(
  'Diffie-Hellman',
  'ECDH',
  'PKCS'
)
foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)
  New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
  $key.Close()
  Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."
}
# Set cipher suites order as secure as possible (enables Perfect Forward Secrecy).
$os = Get-WmiObject -Class Win32_OperatingSystem
if ([System.Version]$os.Version -lt [System.Version]'10.0') {
  Write-Host 'Use cipher suites order for Windows 2008R2/2012/2012R2.'
  $cipherSuitesOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
  )
}
else {
  Write-Host 'Use cipher suites order for Windows 10/2016 and later.'
  $cipherSuitesOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
  )
}
$cipherSuitesAsString = [string]::Join(',', $cipherSuitesOrder)
# One user reported this key does not exist on Windows 2012R2. Cannot repro myself on a brand new Windows 2012R2 core machine. Adding this just to be safe.
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' -Value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null
Write-Host '--------------------------------------------------------------------------------'
Write-Host 'NOTE: After the system has been rebooted you can verify your server'
Write-Host '  configuration at https://www.ssllabs.com/ssltest/'
Write-Host "--------------------------------------------------------------------------------`n"
Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
Restart-Computer -Force -Confirm
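
The SSL Labs test named in the script needs a publicly reachable host, so a local read-back of the same registry keys is useful after the reboot. The following read-only check is an added example, not part of the original page or of Alexander Hass's script; the function names are illustrative, and it flags configured suites that lack forward secrecy (ATS requirement ②).

```powershell
# Added example: read-only audit of the Schannel settings written by the 2.1 script.
# Function names are illustrative. Works on PowerShell 2.0 (Windows Server 2008 R2).
$protocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$suitePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role = 'Server')
    $path = "$protocolsKey\$Protocol\$Role"
    # A missing key means the OS default applies (TLS 1.1/1.2 are off by default on 2008 R2).
    if (-not (Test-Path $path)) { return 'not configured (OS default applies)' }
    $p = Get-ItemProperty -Path $path
    if ($p.Enabled -eq 0) { return 'disabled' }
    if ($p.DisabledByDefault -eq 1) { return 'enabled, but disabled by default' }
    return 'enabled'
}

function Get-CipherSuiteOrder {
    if (-not (Test-Path $suitePolicy)) { return }
    $functions = (Get-ItemProperty -Path $suitePolicy).Functions
    if (-not $functions) { return }
    $rank = 0
    foreach ($suite in ($functions -split ',')) {
        $name = "$suite".Trim()
        if (-not $name) { continue }
        $rank++
        New-Object PSObject -Property @{
            Rank           = $rank
            Suite          = $name
            # Ephemeral (EC)DH key exchange is what provides forward secrecy.
            ForwardSecrecy = [bool]($name -match '_(ECDHE|DHE)_')
        }
    }
}

foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    '{0} server: {1}' -f $proto, (Get-SchannelProtocolState $proto)
}
# ATS requirement 1: the server must offer TLS 1.2.
if ((Get-SchannelProtocolState 'TLS 1.2') -ne 'enabled') {
    Write-Warning 'TLS 1.2 is not enabled for the Schannel server role.'
}
$order = @(Get-CipherSuiteOrder)
if ($order.Count -eq 0) {
    Write-Warning 'No cipher suite order policy found; the OS default order is in use.'
} else {
    $order | Sort-Object Rank | Format-Table Rank, ForwardSecrecy, Suite -AutoSize
    # ATS requirement 2: forward-secret suites should rank above static-RSA ones.
    $firstStatic = $order | Where-Object { -not $_.ForwardSecrecy } | Select-Object -First 1
    $lastFs      = $order | Where-Object { $_.ForwardSecrecy } | Select-Object -Last 1
    if (-not $lastFs) {
        Write-Warning 'No forward-secret (ECDHE/DHE) suite is configured.'
    } elseif ($firstStatic -and $firstStatic.Rank -lt $lastFs.Rank) {
        Write-Warning "$($firstStatic.Suite) is ranked above a forward-secret suite."
    }
}
```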

2.2 IISResetSSLToWeakDefaults

# Copyright 2016, Alexander Hass
# http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
#
# Version 1.0
# - Rollback script created.
Write-Host 'Reset IIS to weak and insecure SSL defaults...'
Write-Host '--------------------------------------------------------------------------------'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name DisabledByDefault -Value 1 -PropertyType 'DWord'
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Force
Restart-Computer -Force

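3. Finally, configure the IIS site: add a self-signed SSL certificate, bind the site to HTTPS, and select the self-signed certificate you just added.

4. Throughout this process there is no need to install Certificate Services on the server. The iOS client can simply let all certificates pass validation by default; clients with strict security requirements can import the certificate and validate against it.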
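
ATS requirement ③ applies to the self-signed certificate bound in step 3 as well, including when a client imports it for validation. As an added example (not from the original page), this check reports the signature hash and key size of each certificate in the LocalMachine\My store; the function name and the choice of store are assumptions.

```powershell
# Added example: check certificates in the machine store against ATS requirement 3.
# Test-AtsCertificate is an illustrative name. Works on PowerShell 2.0.
# Signature algorithm OIDs that use SHA-256 or stronger (PKCS#1 v1.5 RSA and ECDSA only).
$strongSignatureOids = @{
    '1.2.840.113549.1.1.11' = 'sha256RSA'
    '1.2.840.113549.1.1.12' = 'sha384RSA'
    '1.2.840.113549.1.1.13' = 'sha512RSA'
    '1.2.840.10045.4.3.2'   = 'sha256ECDSA'
    '1.2.840.10045.4.3.3'   = 'sha384ECDSA'
    '1.2.840.10045.4.3.4'   = 'sha512ECDSA'
}

function Test-AtsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $keyType = $Cert.PublicKey.Oid.Value
    $bits = 0
    $minBits = 0          # stays 0 for key types ATS does not list (e.g. DSA)
    if ($keyType -eq '1.2.840.113549.1.1.1') {       # rsaEncryption
        $keyType = 'RSA'
        $minBits = 2048
        $bits = $Cert.PublicKey.Key.KeySize
    } elseif ($keyType -eq '1.2.840.10045.2.1') {    # id-ecPublicKey
        $keyType = 'ECC'
        $minBits = 256
        # An uncompressed EC point is 0x04 || X || Y, so one coordinate is (length - 1) / 2 bytes.
        # This is the encoded coordinate width (528 for P-521), sufficient for a >= 256 check.
        $bits = (($Cert.PublicKey.EncodedKeyValue.RawData.Length - 1) / 2) * 8
    }
    $sigOk = $strongSignatureOids.ContainsKey($Cert.SignatureAlgorithm.Value)
    $keyOk = ($minBits -gt 0) -and ($bits -ge $minBits)
    New-Object PSObject -Property @{
        Subject   = $Cert.Subject
        Signature = $Cert.SignatureAlgorithm.FriendlyName
        KeyType   = $keyType
        KeyBits   = $bits
        AtsOk     = ($sigOk -and $keyOk)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-AtsCertificate $_ } |
    Format-Table AtsOk, Signature, KeyType, KeyBits, Subject -AutoSize
```

A row with AtsOk set to False and a Signature of sha1RSA, or a KeyBits value below 2048 for RSA, identifies a certificate that does not meet requirement ③.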