Question

2048-bit root key for SSL certificate

Asked by: mel200

Hi, all,

My SSL certificate is about to expire, and another company jumped on us trying to sell us theirs. They say that we need to have a 2048 bit Root Key, which they say will be industry standard by 2010. Is this a valid argument, or is it just a sales pitch? (Probably somewhere in between).

Can you explain it to me in very simple language? Thanks!


Asked on: 2009-03-05 at 06:36:41, ID: 24201593
Topics: Secure Socket Layer (SSL) & HTTPS, Miscellaneous Security, Encryption for Network Security
Participating Experts: 2
Points: 500
Comments: 8


Answers

 

by: Paranormastic, posted on 2009-03-05 at 07:03:07, ID: 23806155

A little bit of both. Most of the 1024 bit commercial roots have been out there long enough that they should be getting retired soon. 2048 is one of the two main standards for roots - newer ones are likely to be either 4096 or using one of the elliptic curve cryptography (ECC) standards. That being said - 1024 is still valid.

One reason to do so would be that in order to get a 2048 SSL cert for your server you would need all the CAs in the issuing chain to be of at least the same strength, or higher. Since most places only offer 3 year, a few up to 5 years, for validity 1024 is still considered acceptable for that time period.

The greater concern from the last few months would be in response to an announcement of a specific way to take advantage of an old MD5 vulnerability. The general concept has been known for about 4-5 years now, so most commercial CAs no longer use MD5 in their issuance process. Where the vulnerability lies is with places that use automated certificate issuance (instead of using a web page to submit info for a person to review - which is why it normally takes a few minutes/few hours to get a cert from most places). In addition, they would need to use sequential serial numbers, which is not normally standard practice but can be configured in most products to save database size (nCipher recommended doing this to us once, which would explain why some places might do this - not sure if they still recommend it now).

Anyways, what that all boils down to is: if the root and issuing CA are using MD5 for the signing algorithm (e.g. MD5withRSA), use sequential serial numbers, and they use automated processing, then their PKI is at risk for being attacked. If all 3 are not true then they are all fine if they are WebTrust certified.

Honestly - most places are using 2048 or better these days - even if your existing cert was issued under a 1024 root 2 or 3 years ago, you might check up with them to see if they may have a newer root they are using now.

My recommendations are:
cheapest: godaddy
most compatible/most expensive: verisign
best price for general compatibility: comodo

If you have a sales person contacting you directly I'm curious as to how many certs you buy in a year - I would not expect random calls looking for a cert or two... If you issue a couple dozen certs or more per year, I would suggest contacting actual sales people from various companies and see if they offer bulk discounts and if so how much based on your issuing needs. We get a great price from Comodo this way, but we issue a very large number of certs through them - I'm not sure what they would offer a medium/large company as we would be in the 'very large' category.

 

by: mel200, posted on 2009-03-05 at 07:11:13, ID: 23806248

Wow, thanks for all that! This is only one site; somehow the sales guy knew when our certificate was going to expire.

We were planning on going with godaddy, I asked them about this, and their response was:
All of our SSL certificates support both industry-standard 128-bit and high-grade 256-bit encryption.

The actual encryption strength on a secure connection using a digital certificate is determined by the level of encryption supported by the user's browser and the server that the Web site resides on. For example, the combination of a Firefox browser and an Apache Web server normally enables up to 256-bit AES encryption with our SSL certificates. This means that depending on the Web browser and Web server that combine to establish the secure connection through one of our SSL certificates, the encryption strength of the secure connection may be 40, 56, 128, or 256 bit.


The CSR is typically a 1024 bit modulus that is generated by the server that is requesting a Secure Certificate. It must be 1024 bit length or higher, as our system will not accept anything less - the maximum bit length is 2048.

What does that mean, can you say? :)

 

by: Paranormastic, posted on 2009-03-05 at 07:30:32, ID: 23806478

Most of the commercial CAs have 128 bit and "256 bit" support in a product called SGC. I put 256 bit in quotes as SGC (Server Gated Cryptography) does support 256, but the thing about it that is special is kinda quirky in some situations, which basically means that if true support of the advertised strength from the server is supported on the client, then use that - if not, then use a 'step up' technology to emulate that strength for the client (FF3/IE8). This same thing was used at the beginning of the century when 128 bit was being adopted from 40 or 56 bit browsers - some of which were not able to be upgraded legally due to export restrictions on crypto at the time.

Keep in mind that normally the strength of the session is dictated by the server during a handshake process to determine the best strength available to both server and client to use. SGC is a workaround when clients do not support what you need to use to get them close enough. If 256 is supported natively on both ends, an SGC cert is not necessary - and if you don't have a specific requirement for 256 bit SSL then 128 bit is still just fine. If you have PCI DSS requirements for credit cards or something like that - go with an SGC cert, otherwise if it is just for protecting passwords during logging onto your site or something like that - a normal SSL cert is just fine.

 

by: Paranormastic, posted on 2009-03-05 at 07:43:33, ID: 23806636

The last bit that got mixed up in pasting means that most web hosting products (IIS, etc.) will create a 1024 keyset by default.  You need to do something to make it something else like 2048.  Having the root and issuing CA at 2048 is nice and good, but it doesn't increase your security much if you are using a 1024 bit cert still.  So with IIS6 for 2003 a new request (from a temp site, so it doesn't mess with your production cert - good practice for renewing certs) would look similar (paraphrased) to:

Open IIS
Create temp site
Open properties of temp site
Directory security tab
Server Certificate button
Create a new cert
Prepare now, send later
***Use dropdown to select 2048, enter friendly name as desired (doesn't really matter) , normally leave CSP checkbox off
Enter Org and OU info as applicable
Enter CN for your site - this would be the DNS alias as entered by the end user into their address bar
Follow rest of wizard, update as desired.

Now your CSR will be created and the new issued cert will be protected by a 2048 keypair instead of 1024.
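The wizard steps above produce a 2048-bit CSR through IIS. As an added example (not from the thread or from any product it mentions), the same job with the OpenSSL command line, plus the checks Paranormastic describes: that the CSR and each certificate carry at least a 2048-bit key, and that nothing in the chain is MD5-signed. The openssl CLI, the file names and the CN are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): build the 2048-bit CSR that the
# IIS wizard above produces, but with the OpenSSL command line, and check key
# length and signature algorithm before anything goes to a CA.
# Assumes the openssl CLI is installed; file names and the CN are made up.
set -eu

WORK="$(mktemp -d)"

# make_csr BITS CN BASENAME: new RSA key of BITS bits plus a CSR for CN.
make_csr() {
    bits="$1"; cn="$2"; base="$3"
    openssl genrsa -out "$base.key" "$bits" 2>/dev/null
    openssl req -new -key "$base.key" -subj "/O=Example Org/CN=$cn" -out "$base.csr"
}

# csr_key_bits CSRFILE: print the RSA modulus length the CSR carries.
csr_key_bits() {
    openssl req -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_key_bits / cert_sig_alg CERTFILE: the same two properties of an issued
# certificate, e.g. each link of the chain the CA returns; a 1024-bit or
# MD5-signed link undoes the benefit of a 2048-bit leaf key.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# check_csr CSRFILE MINBITS: succeed only if the key is at least MINBITS long.
check_csr() {
    [ "$(csr_key_bits "$1")" -ge "$2" ]
}

# check_cert CERTFILE MINBITS: fail on a short key or an MD5-based signature.
check_cert() {
    bits="$(cert_key_bits "$1")"
    alg="$(cert_sig_alg "$1")"
    [ "$bits" -ge "$2" ] && [ "${alg#md5}" = "$alg" ]
}

# make_self_signed KEYFILE CN OUT: SHA-256 self-signed certificate, only to
# exercise check_cert offline (a real chain comes back from the CA).
make_self_signed() {
    openssl req -x509 -new -key "$1" -subj "/O=Example Org/CN=$2" \
        -days 1 -sha256 -out "$3" 2>/dev/null
}
```

Run `check_csr` on the CSR before submitting it, and `check_cert` on every certificate the CA sends back, not just the leaf.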

 

by: mel200, posted on 2009-03-05 at 08:02:45, ID: 23806887

OK, now we have to go back to baby talk for me, sorry... So the new company who is trying to sell us an SSL certificate says, "If you are still using a 1024-bit certificate, you may soon be vulnerable to a brute-force attack. An exponential trend in computer processing power has resulted in the ability for criminals to compromise 1024-bit key strength certificates. Leading cryptography organizations, including NIST, have issued recommendations for entities to upgrade to longer key lengths.

Based on these recommendations, entities wishing to keep secure for the next several years need to start using 2048-bit certificates. This is extremely important for those who purchase multi-year SSL certificates."

I guess my bottom line question is, I would still be safe enough if I go with Godaddy, right? Thanks so much for all your help!!

 

by: Paranormastic, posted on 2009-03-05 at 10:14:46, ID: 23808490

GoDaddy uses a 2048 bit root signed with SHA1RSA. It's fine, yes.

The main caveat with GoDaddy doesn't come up as much now that the latest service packs have been rolled out in most areas so their root is included - otherwise a simple Windows Update looking for optional/recommended updates is the main troubleshooting - for other non-MS products I recommend downloading the latest version of whatever software if they get a warning. The percentage of folks getting that is pretty small now vs. this past summer.

 

by: mel200, posted on 2009-03-05 at 10:49:43, ID: 31554340

Thanks very much once again!

 

by: PChirchirillo, posted on 2009-10-28 at 08:08:46, ID: 25684083

Thanks so much Paranormastic. I was trying to renew a cert at Go Daddy that was originally created with a 1024 CSR. When I generate the renewal request, it doesn't ask, it just uses what is there. Go Daddy wouldn't accept it. After looking at this post, I followed your instructions and used the "junk" site to generate a request for a new cert, used that CSR on the renewal, exported it and imported it into the production site. Worked like a CHARM, you da man! If I could give you some points I would!!!

Learn something new every day, didn't know you could use a different site to do SSL work.
