2010/02/03

Backup: Updating CA certificates with GPO

Original URL:


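    OS: Server 2003, using IIS. The company's internal website uses a custom certificate.
    I would like to understand the usual practice. The certificate issued the first time was valid for one year; I have now renewed it once, and the validity period is still one year. Isn't it said that the validity period for a second request can be up to five years? How is that done?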



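    Also, the server's certificate has not expired yet; I am only preparing in advance. Once the website's certificate is updated, the certificate on the client side will produce an error, so isn't that the same as the error that occurs on expiry?
    Is there a grace period? Because whether it has expired or not, after the certificate is updated, users will get an error as soon as they enter the site!!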

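Dear Karen,
You want to update the IIS SSL certificate, is that right? The IIS certificate takes effect as soon as it is replaced, but the client must also have the same certificate.

1. Here is a similar example for reference: http://blogs.technet.com/sbs/archive/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx

2. You can use Group Policy to deploy the certificate to every user: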
A couple of notes for more advanced users:
(1) You can create a group policy object and import this certificate into "Computer Settings\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities".  Link the GPO at the domain level to have it apply to all computers in the organization.
(2) You can set up a certification authority on your SBS server, deploy the CA certificate via GPO as described above, and re-sign your web site certificate with the CA.  Installing Certificate Services is somewhat complicated, but it can be convenient to centralize (and mostly automate) the process of issuing and revoking certificates.
One of these days, I'll write up a short how-to on CA deployment on Windows SBS 2003 R2.
Matthew
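
A check for the approach in the answer above, as an added example that is not part of the original post or of the quoted blog notes: run on a client, it confirms that the root certificate distributed by the GPO is in the machine's Trusted Root store and that the renewed site certificate chains to a trusted root, so trust can be verified before the certificate is swapped on IIS. The file paths and function names are assumptions.

```powershell
# Added example. Both paths are placeholders (assumptions), not values from the post.
param(
    [string]$RootCertPath   = 'C:\certs\internal-root.cer',  # hypothetical: certificate imported into the GPO
    [string]$ServerCertPath = 'C:\certs\intranet-new.cer'    # hypothetical: renewed IIS certificate (public part only)
)

$X509 = 'System.Security.Cryptography.X509Certificates'

function Test-RootDeployed {
    param($Root)
    # Look for the exact certificate (by thumbprint) in the machine's Trusted Root store.
    $hit = Get-ChildItem -Path Cert:\LocalMachine\Root |
           Where-Object { $_.Thumbprint -eq $Root.Thumbprint }
    return [bool]$hit
}

function Test-ServerCertChain {
    param($Cert)
    $chain = New-Object "$X509.X509Chain"
    # Revocation is not checked here: a self-signed certificate or a freshly
    # installed internal CA may not publish a CRL yet.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    New-Object PSObject -Property @{
        Subject  = $Cert.Subject
        NotAfter = $Cert.NotAfter          # shows the validity period actually issued
        Trusted  = $trusted
        Status   = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

$root   = New-Object "$X509.X509Certificate2" -ArgumentList $RootCertPath
$server = New-Object "$X509.X509Certificate2" -ArgumentList $ServerCertPath

if (-not (Test-RootDeployed $root)) {
    Write-Warning "Root $($root.Thumbprint) is not in LocalMachine\Root; the GPO has not applied here (try 'gpupdate /force')."
}

$result = Test-ServerCertChain $server
$result | Format-List Subject, NotAfter, Trusted, Status
if (-not $result.Trusted) {
    Write-Warning 'Clients in this state will show a certificate error once IIS presents the new certificate.'
}
```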
