
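How to Quickly Create a Self-Signed Certificate

On Windows, some services need a certificate to be configured, and at that point you urgently need a certificate to set the service up. For a test environment, building a CA is too cumbersome, and using openssl is inconvenient because you first have to find an installer: there is no official installer release, so you have to compile it yourself or find a third-party build.

Windows PowerShell can now finally create self-signed certificates conveniently. The command is as follows: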

New-SelfSignedCertificate -Subject test.ca.local -DNSName "test", "test.ca.local","192.168.124.27" -FriendlyName "Joe test" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(240)

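This command creates a self-signed certificate valid for 20 years; you can freely define the common name, the SAN names, the friendly name and so on. It is quite practical. Note that PowerShell must be run as administrator.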

How to Set Up SSL on IIS 7

Introduction

The steps for configuring Secure Sockets Layer (SSL) for a site are the same in IIS 7 and above and IIS 6.0, and include the following:

  • Get an appropriate certificate.
  • Create an HTTPS binding on a site.
  • Test by making a request to the site.
  • Optionally configure SSL options, that is, by making SSL a requirement.

This document provides some basic information on SSL, then shows how to enable SSL in the following ways:

  • Using IIS Manager.
  • Using the AppCmd.exe command line tool.
  • Programmatically through Microsoft.Web.Administration.
  • Using WMI scripts.

This article contains the following sections:

SSL Configuration

Whether you are running your web site on your own server or in the cloud, using SSL to secure your site is probably extremely important to you, as many websites are turning to it to protect users' privacy. If you need to configure SSL on your server, it's important to realize that the implementation of SSL changed from IIS 6.0 to IIS 7 and above. In IIS 6.0 on Windows Server 2003, all SSL configuration was stored in the IIS metabase, and encryption/decryption occurred in user mode (requiring a lot of kernel/user mode transitions). In IIS 7 and above, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections in IIS 7 and above than that experienced in IIS 6.0.

Using SSL in kernel mode requires storing SSL binding information in two places. First, the binding is stored in %windir%\System32\inetsrv\config\applicationHost.config for your site. When the site starts, IIS sends the binding to HTTP.sys, and HTTP.sys starts listening for requests on the specified IP:Port (this works for all bindings). Second, the SSL configuration associated with the binding is stored in the HTTP.sys configuration. Use the netsh command at a command prompt to view SSL binding configuration stored in HTTP.sys as in the following example:

Console
netsh http show sslcert

When a client connects and initiates an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP:Port pair to which the client connected. The HTTP.sys SSL configuration must include a certificate hash and the name of the certificate store before the SSL negotiation will succeed.

Troubleshooting Tip: If you're having trouble with an SSL binding, verify that the binding is configured in ApplicationHost.config, and that the HTTP.sys store contains a valid certificate hash and store name for the binding.
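The check described in the troubleshooting tip, written out as an added PowerShell example (not part of the original article or of any Microsoft tool). The function names are hypothetical, and the sketch assumes English netsh output, IPv4 or wildcard bindings, and no SNI (hostname:port) bindings.

```powershell
# Added example. Function names are hypothetical; English netsh labels are assumed.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($cur) { $cur }    # emit the previous entry
            $cur = [pscustomobject]@{ IpPort = $Matches[1]; Hash = $null; Store = 'MY' }
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-f]+)') {
            $cur.Hash = $Matches[1].ToUpper()
        } elseif ($cur -and $line -match '^\s*Certificate Store Name\s*:\s*(\w+)') {
            $cur.Store = $Matches[1]    # "(null)" does not match, so the default MY stays
        }
    }
    if ($cur) { $cur }
}

# For each https binding in applicationHost.config, find the HTTP.sys entry and its certificate.
function Test-IisSslBinding {
    param(
        [string[]]$NetshLines = (netsh http show sslcert),
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )
    $httpSys = @(ConvertFrom-NetshSslCert $NetshLines)
    $xml = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
    foreach ($node in $xml.SelectNodes("//site/bindings/binding[@protocol='https']")) {
        # bindingInformation is "IP:port:host"; "*" is listed as 0.0.0.0 by HTTP.sys
        $ip, $port = ($node.bindingInformation -split ':')[0, 1]
        $ipPort = '{0}:{1}' -f ($ip -replace '^\*$', '0.0.0.0'), $port
        $entry = $httpSys | Where-Object { $_.IpPort -eq $ipPort } | Select-Object -First 1
        $cert = if ($entry -and $entry.Hash) {
            Get-Item "Cert:\LocalMachine\$($entry.Store)\$($entry.Hash)" -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Site        = $node.ParentNode.ParentNode.GetAttribute('name')
            IpPort      = $ipPort
            InHttpSys   = [bool]$entry
            CertInStore = [bool]$cert
            PrivateKey  = [bool]($cert -and $cert.HasPrivateKey)
            Expired     = [bool]($cert -and $cert.NotAfter -lt (Get-Date))
        }
    }
}

# Constructed netsh text (hash taken from this page's WMI example); exercises the parser only:
$sample = "    IP:port                 : 0.0.0.0:443",
          "    Certificate Hash        : 4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8",
          "    Certificate Store Name  : MY"
ConvertFrom-NetshSslCert $sample
```

On the IIS server, run `Test-IisSslBinding | Format-Table -AutoSize` from an elevated prompt; a row with InHttpSys or CertInStore set to False is the mismatch the tip describes.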

Choosing a Certificate

When choosing a certificate, consider the following: Do you want end users to be able to verify your server's identity with your certificate? If yes, then either create a certificate request and send that request to a known certificate authority (CA) such as VeriSign or GeoTrust, or obtain a certificate from an online CA in your intranet domain. There are three things that a browser usually verifies in a server certificate:

  1. That the current date and time is within the "Valid from" and "Valid to" date range on the certificate.
  2. That the certificate's "Common Name" (CN) matches the host header in the request. For example, if the client is making a request to https://www.contoso.com/, then the CN must be www.contoso.com.
  3. That the issuer of the certificate is a known and trusted CA.

If one or more of these checks fails, the browser prompts the user with warnings. If you have an Internet site or an intranet site where your end users are not people you know personally, then you should always ensure that these three parameters are valid.

Self-signed certificates are certificates created on your computer. They're useful in environments where it's not important for an end user to trust your server, such as a test environment.

Using AppCmd

You cannot request or create a certificate by using AppCmd.exe. You also cannot use AppCmd.exe to create an SSL binding.

Configure SSL Settings

You can use AppCmd.exe to configure a site to accept only server HTTPS connections by modifying the sslFlags attribute in the Access section. For example, you can configure this setting for the "Default Web Site" in the ApplicationHost.config file (for example, commitPath:APPHOST) by using the following command:

Console
%windir%\system32\inetsrv>AppCmd set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:Ssl

If successful, the following message is displayed:

Console
Applied configuration changes to section "system.webServer/security/access" for "MACHINE/WEBROOT/APPHOST/Default Web Site" at configuration commit path "MACHINE/WEBROOT/APPHOST"

Note

To require 128-bit SSL, change the sslFlags value to Ssl128.

The following example demonstrates how to view the <access/> section settings for the Default Web Site. The sslFlags attribute has been set successfully.

Console
%windir%\system32\inetsrv>AppCmd list config "Default Web Site" -section:access

Executing the command results in the following entry in the ApplicationHost.config file:

XML
<system.webServer>
  <security>
    <access flags="Script, Read" sslFlags="Ssl" />
  </security>
</system.webServer>

Using WMI

You cannot request or create a certificate by using the WebAdministration WMI namespace.

Create an SSL Binding

The following script demonstrates how to create a new SSL binding and how to add the appropriate configuration for both HTTP.sys and IIS:

VB
Set oIIS = GetObject("winmgmts:root\WebAdministration")

'''''''''''''''''''''''''''''''''''''''''''''
' CREATE SSL BINDING
' Arguments: IP address, port, certificate hash, certificate store name
'''''''''''''''''''''''''''''''''''''''''''''

oIIS.Get("SSLBinding").Create _
   "*", 443, "4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8", "MY"

'''''''''''''''''''''''''''''''''''''''''''''
' ADD SSL BINDING TO SITE
'''''''''''''''''''''''''''''''''''''''''''''

Set oBinding = oIIS.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:443:"
oBinding.Protocol = "https"

Set oSite = oIIS.Get("Site.Name='Default Web Site'")
arrBindings = oSite.Bindings

ReDim Preserve arrBindings(UBound(arrBindings) + 1)
Set arrBindings(UBound(arrBindings)) = oBinding

oSite.Bindings = arrBindings
Set oPath = oSite.Put_

Note

The certificate hash and store must reference a real, functional certificate on your server. If the certificate hash and/or store name are bogus, an error is returned.

Configure SSL Settings

The following script demonstrates how to set SSL settings by using the IIS WMI provider. The value of the SSL constant used here can be found in the IIS_Schema.xml file.

VB
' Value of the Ssl flag, as defined in IIS_Schema.xml
CONST SSL = 8
Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSection = oIIS.Get(_
 "AccessSection.Path='MACHINE/WEBROOT/APPHOST',Location='Default Web Site'")
' Turn on the Ssl flag while keeping any flags that are already set
oSection.SslFlags = oSection.SslFlags OR SSL
oSection.Put_

IIS Manager

Obtain a Certificate

Select the server node in the treeview and double-click the Server Certificates feature in the listview:

Click Create Self-Signed Certificate... in the Actions pane.

Enter a friendly name for the new certificate and click OK.

Now you have a self-signed certificate. The certificate is marked for "Server Authentication" use; that is, it is used as a server-side certificate for HTTP SSL encryption and for authenticating the identity of the server.

Create an SSL Binding

Select a site in the tree view and click Bindings... in the Actions pane. This brings up the bindings editor that lets you create, edit, and delete bindings for your Web site. Click Add... to add your new SSL binding to the site.

The default settings for a new binding are set to HTTP on port 80. Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list and then click OK.

Now you have a new SSL binding on your site and all that remains is to verify that it works.

Verify the SSL Binding

In the Actions pane, under Browse Web Site, click the link associated with the binding you just created.

Internet Explorer (IE) 7 and above will display an error page because the self-signed certificate was issued by your computer, not by a trusted Certificate Authority (CA). IE 7 and above will trust the certificate if you add it to the list of Trusted Root Certification Authorities in the certificate store on the local computer, or in Group Policy for the domain. Click Continue to this website (not recommended).

Configure SSL Settings

Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the tree view to go back to the site's home page. Double-click the SSL Settings feature in the middle pane.

Summary

In this walkthrough, we successfully used the command-line tool AppCmd.exe, the scripting provider WMI, and IIS Manager to set up SSL on IIS.

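The Difference Between Switches and Routers (Recommended): An In-Depth Read

Many people, like me, assume that these two network devices are simply what you use to get online and are nothing special; as for whether the two devices are related at all and what exactly the differences are, they are not clear, and it takes a closer look to understand. So what exactly are the differences between today's switches and routers? In the spirit of sharing, and since knowledge is the source of strength, here is some material on the differences between switches and routers.

Difference 1 between switches and routers

A router can automatically assign IP addresses on your LAN and handle virtual dial-up; like a traffic police officer, it directs where your computer's traffic should go, so you don't have to worry about it yourself. A switch is only used to distribute network data.

Difference 2 between switches and routers

A router works at the network layer and addresses by IP address; a router can process the TCP/IP protocols, a switch cannot. A switch works at the relay layer and addresses by MAC address.

Difference 3 between switches and routers

A router can share one IP address among many hosts, which appear externally as a single IP. A switch can connect many hosts together, each of which appears externally with its own IP.

Difference 4 between switches and routers

A router provides firewall services; a switch cannot provide this function. Hubs and switches both do port expansion, that is, they increase the number of access points of a LAN (usually Ethernet) so that more computers can join it. A router does inter-network connection, that is, it connects different networks.

Difference 5 between switches and routers

Let's take an example: a router is like the post office, which has done its job once the letter is delivered to the recipient's address. But the letter has been mailed to your dormitory building, and that address is not yours alone, so Old Wang, the building manager, still has to get the letter into your hands. He doesn't care about the recipient's address, only the recipient's name, and then makes an internal phone call to tell you to come and collect it. Without the post office, you couldn't send letters to pretty girls around the world, or receive letters from pretty girls outside the building. But thanks to Old Wang, you can still exchange letters with your good buddies in the same dormitory building through him. The system formed by all the post offices is the "wide area network", and your dormitory building is the "local area network"; building a LAN does not require a router.

How layer-3 switches and routers differ

Although both have routing capability, the main function of a layer-3 switch is still data switching. Its routing function is usually fairly simple, because it mainly faces simple LAN connections, with routing paths far less complex than a router's. Its main use in a LAN is still to provide fast data switching, matching the frequent data exchange characteristic of LANs.

A router's main function is still routing. Its routing function is seen more in interconnecting different types of networks, such as connecting a LAN to a WAN or connecting networks that use different protocols, so routers are mainly used between different types of networks. Its most important function is route forwarding, and handling the connection of networks with all kinds of complex routing paths is its ultimate purpose. A router's routing function is therefore usually very powerful, suitable not only between LANs using the same protocol but even more so between LANs and WANs using different protocols.

How network switches and routers differ

A network switch is a device for expanding a network; it provides more connection ports in a subnetwork so that more computers can be connected. With the development of the communications industry and the advance of informatization of the national economy, the network switch market has been rising steadily. It offers a high performance-to-price ratio, great flexibility, relative simplicity and ease of implementation. Ethernet technology has therefore become the most important LAN networking technology today, and the network switch has become the most widespread kind of switch.

A router is a device that connects the LANs and WANs of the Internet. It automatically selects and sets routes according to channel conditions and sends signals in order along the best path. The router is the hub of interconnected networks, the "traffic police". Routers are now widely used across all industries, and products of various grades have become the main force for connections within backbone networks, interconnection between backbone networks, and interconnection between backbone networks and the Internet. The main difference between routing and switching is that switching takes place at layer 2 of the OSI reference model (the data link layer), while routing takes place at layer 3, the network layer. This difference means that routing and switching need different control information when moving information, so the two implement their functions in different ways.

The above is somewhat complicated and not easy to understand for people outside the computer industry.

Finally, from a non-professional angle, a brief word on the difference between home switches and routers. A home switch mainly connects lines together. For example, if you have three computers at home and want to build a LAN, you run a network cable from each computer to the switch, and the three computers form a network in which they can reach each other and share files. A router can also be used as an ordinary switch and has the switch's line-connecting function. But a router has one function that a switch lacks: dial-up Internet access.

If you have three computers at home that need to be online at the same time and only one modem, what do you do? A router solves this easily, but a switch cannot. However, home routers generally have 4 ports; if there are too many computers, say a workplace with dozens, a router alone will not do and a switch is needed to carry the load. Switches generally come with 4, 8, 16 or 24 ports and can connect more computers.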

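How do I connect two different network segments using a switch and a router?

Question: We have a network setup with two D-Link switches connected to each other. IPs in the 192.168.0.x range are assigned manually on the PCs directly, and those not assigned get an IP from the switch. We recently added a WiFi router with the IP address 192.168.0.2. It has RIP 2M enabled. It assigns IP addresses in the 192.168.1.x range. The problem is that I can access PCs on 192.168.0.x without any problem, but PCs on 192.168.1.x cannot be accessed by users in the 192.168.0.x IP range. Should I enable static routing on the router, or something else?

Answer:

You can connect the wifi router to the switch through the WAN port. This configuration places all wifi traffic (and other traffic plugged into the wifi device's LAN ports) behind IP address translation and on a separate subnet.

You want to plug the wifi device into the switch through one of its LAN ports. In this configuration the WAN port is not used. You may also want to disable the DHCP server, since it may conflict with the existing DHCP server on the 192.168.0 network. That way all devices will share the same subnet.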
