Basic IIS + SSL Questions

Posted on 2008-06-11
Last Modified: 2012-05-05
Hello experts,

I am trying to get a better understanding of how IIS + SSL work together from an implementation standpoint.  Please answer my questions (brief/basic answers preferred) and you will have my undying gratitude!  :-)

1. In regards to the CSR wizard, I am prompted for the Bit Length.  I have read conflicting reports that this is or is not directly tied to the actual certificate that is generated (for example: Verisign).  As far as I know, this is only used for the certificate registration process, and only the web server and the Certificate Authority (CA) are concerned about this length for sharing the registration info.  Afterward, the SSL can have any encryption bit length (such as 128 or 256).  Is that correct?

2. I am pretty confused by Verisign's FAQ section, as it lists that there are 3 different keys used in the SSL process.  (http://www.verisign.com/cus/srv/faq/512/index.html#128) Please tell me if I understand this correctly:
 - the first key pair is used only for the registration process between the web server and CA
 - The next key pair is used between the web server and the certificate (this point confuses me)
 - The final key pair is used for creating a session between the browser and the web server
To point 2, does this only mean that when the web browser gets its certificate from a CA, it confirms that it is valid using a key pair of some type?  Any help you can provide on that one would be appreciated.

3. If I purchase a 256bit certificate (ie from Verisign), this should not cause my customers any issues connecting because most relatively current browsers will negotiate up to the 256bit level for encryption (agreeing upon the highest level that the web server and client support), correct?  Please note, that I do not have any global customers, only US.

4. Will running the CSR wizard remove the current certificate? The reason I ask, I find it extremely inconvenient that running the certificate wizard to generate a CSR (for moving to another CA provider) effectively removes the currently installed cert. If this is true, can I generate a CSR on another IIS server for the www site and then transfer it over to the production server?  I see the wizard has a copy/move a certificate option.
Question by:jedifenner
Accepted Solution by: Blaz (earned 2000 total points, ID: 21764236)
Firstly I have to admit that I am not fully familiar with the CSR wizards. But I do know something about SSL.

1. The bit length is the length of the key that is used in the certificate. It is used in every session with clients connecting via SSL. Regarding options to use different length afterwards see also next point.

2. First key is the CA (certificate authority) key that the CAs use to "sign" all other certificates. It is used in the creation of your certificate (the private part of the key - used by the CAs) and in every verification of your certificate (the public part of the key - used by your clients).

Second key is basically your certificate. It is used to initiate every session of SSL connection between your clients and your server. With this key (certificate) you prove that it is really your server on the other side of the line and it is used to exchange symmetric keys used in further communication.

Third are the session symmetric keys. These keys are generated for each session (for each client) and are used for the actual exchange of data between the computers. This key can be generated in different lengths - depending on capabilities of the client and the server.

3. You should only use (buy) 1024 bit certificates. As it is written in the verisign FAQ you posted - even 512 bit certificates are not secure!

4. I am not sure. But you can surely move the certificate from another server - just make sure you mark it as exportable private key.
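The three keys in the accepted answer (CA signing key, the server key pair that becomes the certificate, and the exportable private key from point 4) can be reproduced offline with openssl. This is an added example, not code from the thread or from IIS; the CA name, host name, key sizes, temp directory and the placeholder export password are all assumptions.

```shell
#!/bin/sh
# Added example: walk through CA key -> server CSR -> signed cert -> export,
# entirely offline in a temp directory (all names/values are constructed).
set -eu
WORK=$(mktemp -d)

# Key 1: the CA key pair. The private half signs certificates; the public
# half (in ca.crt) is what clients trust to verify them.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 365 \
    -subj "/CN=Example Test CA" -out "$WORK/ca.crt" 2>/dev/null
}

# Key 2: the server key pair plus CSR. The "Bit Length" chosen here is the
# size of the RSA key that ends up inside the issued certificate.
make_csr() {
  openssl genrsa -out "$WORK/server.key" "$1" 2>/dev/null
  openssl req -new -key "$WORK/server.key" \
    -subj "/CN=www.example.test" -out "$WORK/server.csr" 2>/dev/null
}

# The CA signs the CSR with its private key, producing the server certificate.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Report the RSA key size actually embedded in the certificate (e.g. 2048).
cert_key_bits() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Client-side check: does the server cert chain back to the trusted CA?
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# Point 4: bundle cert + private key as PKCS#12 so it can be moved to another
# server (this only works because the private key is exportable here).
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -passout pass:PLACEHOLDER_PASSWORD -out "$WORK/server.pfx" 2>/dev/null \
    && echo ok || echo fail
}
```

Run `make_ca; make_csr 2048; sign_csr` and then `cert_key_bits` to see that the CSR bit length is the key length the certificate carries; the session keys from point 2 are negotiated per connection and never appear in these files.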