Solved

Basic IIS + SSL Questions

Posted on 2008-06-11
431 Views
Last Modified: 2012-05-05
Hello experts,

I am trying to get a better understanding of how IIS + SSL work together from an implementation standpoint.  Please answer my questions (brief/basic answers preferred) and you will have my undying gratitude!  :-)

1. In regards to the CSR wizard, I am prompted for the Bit Length. I have read conflicting reports that this is or is not directly tied to the actual certificate that is generated (for example: Verisign). As far as I know, this is only used for the certificate registration process, and only the web server and the Certificate Authority (CA) are concerned about this length for sharing the registration info. Afterward, the SSL can have any encryption bit length (such as 128 or 256). Is that correct?

2. I am pretty confused by Verisign's FAQ section, as it lists that there are 3 different keys used in the SSL process.  (http://www.verisign.com/cus/srv/faq/512/index.html#128) Please tell me if I understand this correctly:
 - the first key pair is used only for the registration process between the web server and CA
 - The next key pair is used between the web server and the certificate (this point confuses me)
 - The final key pair is used for creating a session between the browser and the web server
To point 2, does this only mean that when the web browser gets its certificate from a CA, it confirms that it is valid using a key pair of some type? Any help you can provide on that one would be appreciated.

3. If I purchase a 256-bit certificate (i.e. from Verisign), this should not cause my customers any issues connecting because most relatively current browsers will negotiate up to the 256-bit level for encryption (agreeing upon the highest level that the web server and client support), correct? Please note that I do not have any global customers, only US.

4. Will running the CSR wizard remove the current certificate? The reason I ask: I find it extremely inconvenient that running the certificate wizard to generate a CSR (for moving to another CA provider) effectively removes the currently installed cert. If this is true, can I generate a CSR on another IIS server for the www site and then transfer it over to the production server? I see the wizard has a copy/move a certificate option.
Question by:jedifenner
Accepted Solution by: Blaz (LVL 16), earned 500 total points, ID: 21764236
Firstly I have to admit that I am not fully familiar with the CSR wizards. But I do know something about SSL.

1. The bit length is the length of the key that is used in the certificate. It is used in every session with clients connecting via SSL. Regarding options to use different length afterwards see also next point.

2. First key is the CA (certificate authority) key that the CAs use to "sign" all other certificates. It is used in the creation of your certificate (the private part of the key - used by the CAs) and in every verification of your certificate (the public part of the key - used by your clients).

Second key is basically your certificate. It is used to initiate every session of SSL connection between your clients and your server. With this key (certificate) you prove that it is really your server on the other side of the line and it is used to exchange symmetric keys used in further communication.

Third are the session symmetric keys. These keys are generated for each session (for each client) and are used for the actual exchange of data between the computers. This key can be generated in different lengths - depending on the capabilities of the client and the server.

3. You should only use (buy) 1024 bit certificates. As it is written in the Verisign FAQ you posted - even 512 bit certificates are not secure!

4. I am not sure. But you can surely move the certificate from another server - just make sure you mark it as exportable private key.
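The first two keys in the accepted answer can be seen directly with the openssl command-line tool. The following script is an added example, not part of the original thread and not IIS's own wizard: it builds a throwaway CA (the "first key"), generates a server key pair at a chosen bit length and a CSR for it (the "second key"), has the CA sign the CSR, and then reads the public key size back out of the issued certificate. That answers question 1 of the post: the bit length chosen at CSR time is the RSA key size baked into the certificate, so it cannot be changed "afterwards" without a new CSR. The third key, the per-session symmetric key, is negotiated during each TLS handshake and is not written into any file, so it is not shown here. The subject names (`Example Test CA`, `www.example.com`), the temporary directory layout and the 2048-bit choice are constructed for the demo; the script assumes the `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): mint a tiny CA with openssl,
# issue a server certificate from a CSR, and show that the CSR's bit length
# is the public key size embedded in the issued certificate.
set -eu

# "First key": the CA's key pair and self-signed CA certificate.
# The private half signs certificates; the public half (in ca.crt) verifies them.
make_ca() {
  dir=$1
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -days 365 \
    -subj "/CN=Example Test CA" -out "$dir/ca.crt" 2>/dev/null
}

# "Second key": the server's own key pair at the requested bit length,
# plus a CSR that carries its public half to the CA. (Constructed CN.)
make_csr() {
  dir=$1; bits=$2
  openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
  openssl req -new -key "$dir/server.key" \
    -subj "/CN=www.example.com" -out "$dir/server.csr" 2>/dev/null
}

# The CA signs the CSR with its private key, producing the server certificate.
sign_csr() {
  dir=$1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/server.crt" 2>/dev/null
}

# Print the RSA modulus size of the public key inside a certificate.
# Matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (3.x).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check the server certificate against the CA certificate: this is the
# "public part of the CA key, used by your clients" step from the answer.
verify_chain() {
  if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# Run the whole flow for one bit length and report what ended up in the cert.
demo() {
  bits=$1
  dir=$(mktemp -d)
  make_ca "$dir"
  make_csr "$dir" "$bits"
  sign_csr "$dir"
  echo "requested $bits bits; certificate carries $(cert_key_bits "$dir/server.crt") bits; chain: $(verify_chain "$dir")"
  rm -rf "$dir"
}

demo 2048
```

Change the argument to `demo` to see that whatever key size goes into the CSR is exactly what comes out in the certificate; re-keying means a fresh CSR, which is the behaviour the poster noticed in the IIS wizard.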