HTTPS.SYS怎样使用HTTPS

参考了MORMOT的官方文档：http://blog.synopse.info/post/2013/09/04/HTTPS-communication-in-mORMot

HTTPS.SYS同时支持HTTP和HTTPS。

HTTP由于不需要SSL证书，使用非常简单，这里只对使用HTTPS作说明。

你仅仅需要做的：就是将SSL证书绑定到您将要使用的HTTPS连接端口。

你不需要任何额外的SSL库被安装或部署在客户端或服务器。所有的SSL通信在操作系统底层已经做好了。

怎样将SSL证书绑定到要使用的HTTPS连接端口？

首先，必须确保您的证书已在Windows证书存储库中安装/导入。还要注意，必须将其安装到本地机器存储区，而不是当前用户。

可以使用Windows 自带的 netsh 命令行工具。

NETSH工具如何使用？

NETSH.EXE操作SSL

程序位置：c:\windows\syswow64\netsh.exe

查看当前端口配置

netsh http show sslcert

将 SSL 证书绑定至端口号

URL预订

运行 windows命令行工具(cmd.exe) 使用管理员权限并执行下面的命令:

netsh http add urlacl url=http://+:2001/tms/business/ user=%USERDOMAIN%\%USERNAME%

where %USERDOMAIN% and %USERNAME% are the domain and name of the user under which your server will run. For testing purposes, you can just give access to any user:

netsh http add urlacl url=http://+:2001/tms/business/ user=Everyone

Note that if the language of your Windows is not English, you must need to change "Everyone" by the name of the group that represents all users in Windows. Or, alternatively, provide the ssdl of the "everyone" group (or any other group you want to give permission to, for example replace "WD" by "NS" to provide access to network service.

netsh http add urlacl url=http://*:2001/tms/business/ sddl=D:(A;;GA;;;WD)

Server Certificate Configuration (binding to a port)

Run windows command line tool (cmd.exe) under administrative rights and use a command like this:

netsh http add sslcert ipport=0.0.0.0:2002 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

The above command will bind the proper certificate to port 2002. There are three parameters in the command above that you need to change for your own usage:

ipport: You must use the port number you use for HTTPS connections. In the example, it was 2002. The IP can still be 0.0.0.0 which means any IP.

certhash: You must provide the thumbprint of the certificate you want to use for your server. You can check the thumbprint by using Microsoft Management Console.

appid: This can be any arbitrary GUID. You just need to generate one and input it here. You can even use the GUID generator in Delphi code editor (while editing code, just press Shift+Ctrl+G, Delphi will generate a GUID for you). The GUID must be enclosed by brackets.

删除端口号的 SSL 证书

Netsh http delete sslcert ipport=0.0.0.0:8005

一旦您在上面的命令中注册了证书，您的服务器就被配置成使用安全连接。

如果您没有证书，还可以生成一个自签名证书以供测试之用。那你需要makecert.exe或OPENSSL.EXE工具，
可当你安装微软Visual Studio或Windows SDK。生成自签名证书超出了本文档的范围，但以下链接可能有助于完成此类任务。