
Basic IIS + SSL Questions

Posted on 2008-06-11
Last Modified: 2012-05-05
Hello experts,

I am trying to get a better understanding of how IIS + SSL work together from an implementation standpoint.  Please answer my questions (brief/basic answers preferred) and you will have my undying gratitude!  :-)

1. In regards to the CSR wizard, I am prompted for the Bit Length.  I have read conflicting reports that this is or is not directly tied to the actual certificate that is generated (for example: Verisign).  As far as I know, this is only used for the certificate registration process, and only the web server and the Certificate Authority (CA) are concerned about this length for sharing the registration info.  Afterward, the SSL can have any encryption bit length (such as 128 or 256).  Is that correct?

2. I am pretty confused by Verisign's FAQ section, as it lists that there are 3 different keys used in the SSL process (http://www.verisign.com/cus/srv/faq/512/index.html#128).  Please tell me if I understand this correctly:
 - The first key pair is used only for the registration process between the web server and CA
 - The next key pair is used between the web server and the certificate (this point confuses me)
 - The final key pair is used for creating a session between the browser and the web server
To point 2, does this only mean that when the web browser gets its certificate from a CA, it confirms that it is valid using a key pair of some type?  Any help you can provide on that one would be appreciated.

3. If I purchase a 256-bit certificate (i.e. from Verisign), this should not cause my customers any issues connecting, because most relatively current browsers will negotiate up to the 256-bit level for encryption (agreeing upon the highest level that the web server and client support), correct?  Please note that I do not have any global customers, only US.

4. Will running the CSR wizard remove the current certificate?  The reason I ask: I find it extremely inconvenient that running the certificate wizard to generate a CSR (for moving to another CA provider) effectively removes the currently installed cert.  If this is true, can I generate a CSR on another IIS server for the www site and then transfer it over to the production server?  I see the wizard has a copy/move a certificate option.
Question by: jedifenner

Accepted Solution
by: Blaz
Firstly, I have to admit that I am not fully familiar with the CSR wizards.  But I do know something about SSL.

1. The bit length is the length of the key that is used in the certificate.  It is used in every session with clients connecting via SSL.  Regarding options to use a different length afterwards, see also the next point.

2. The first key is the CA (certificate authority) key that the CAs use to "sign" all other certificates.  It is used in the creation of your certificate (the private part of the key, used by the CAs) and in every verification of your certificate (the public part of the key, used by your clients).

The second key is basically your certificate.  It is used to initiate every session of an SSL connection between your clients and your server.  With this key (certificate) you prove that it is really your server on the other side of the line, and it is used to exchange the symmetric keys used in further communication.

Third are the session symmetric keys.  These keys are generated for each session (for each client) and are used for the actual exchange of data between the computers.  This key can be generated in different lengths, depending on the capabilities of the client and the server.

3. You should only use (buy) 1024-bit certificates.  As it is written in the Verisign FAQ you posted, even 512-bit certificates are not secure!

4. I am not sure.  But you can surely move the certificate from another server; just make sure you mark the private key as exportable.
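The three keys from the accepted answer, walked through with OpenSSL as an added example (this script is not part of the original thread and is not what the IIS wizard runs; it performs the same operations by hand so each key can be inspected). The CA name, host name, working directory and the .pfx passphrase are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Demo values: "Demo Root CA",
# www.example.com, a temp directory and the passphrase "changeit" are all
# assumptions made for this script.
set -e

WORK="${TMPDIR:-/tmp}/iis-ssl-demo.$$"
mkdir -p "$WORK"

# Key 1: the CA's own key pair. Its private half signs every certificate the
# CA issues; its public half (inside ca.crt) is what browsers use to verify
# that signature. basicConstraints marks it as a CA so "openssl verify" accepts it.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -subj "/CN=Demo Root CA" \
        -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha256 -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Key 2: the web server's key pair. The "bit length" the CSR wizard asks for
# is the size of this key. The CSR carries only its public half; the CA copies
# that into the certificate, so the size picked at CSR time is the size in the cert.
make_csr() {
    openssl genrsa -out "$WORK/www.key" "$1" 2>/dev/null
    openssl req -new -key "$WORK/www.key" -subj "/CN=www.example.com" \
        -out "$WORK/www.csr" 2>/dev/null
}

# The CA signs the CSR with key 1, producing the server certificate.
sign_csr() {
    openssl x509 -req -in "$WORK/www.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$WORK/www.crt" 2>/dev/null
}

# Size of the public key recorded in the issued certificate (prints e.g. 2048).
cert_key_bits() {
    openssl x509 -in "$WORK/www.crt" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Client side of key 1: does the CA's public key verify the server certificate?
verify_chain() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/www.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Key 3: a fresh symmetric session key. In the RSA key exchange SSL used at the
# time, the browser chose the secret and encrypted it to the server's public key
# (key 2, taken from the certificate); only the holder of www.key recovers it.
# Bulk data is then protected with a 256-bit AES key regardless of the RSA size.
session_roundtrip() {
    openssl rand -out "$WORK/session.key" 32
    openssl x509 -in "$WORK/www.crt" -pubkey -noout > "$WORK/www.pub"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/www.pub" \
        -in "$WORK/session.key" -out "$WORK/session.enc"
    openssl pkeyutl -decrypt -inkey "$WORK/www.key" \
        -in "$WORK/session.enc" -out "$WORK/session.dec"
    sent=$(od -An -v -tx1 "$WORK/session.key" | tr -d ' \n')
    got=$(od -An -v -tx1 "$WORK/session.dec" | tr -d ' \n')
    [ "$sent" = "$got" ] || { echo fail; return 0; }
    iv=$(openssl rand -hex 16)
    printf 'GET / HTTP/1.1' | openssl enc -aes-256-cbc -K "$got" -iv "$iv" \
        -out "$WORK/req.bin"
    openssl enc -d -aes-256-cbc -K "$got" -iv "$iv" -in "$WORK/req.bin"
}

# Question 4: moving a certificate means moving its private key with it. A
# PKCS#12 bundle (the .pfx IIS exports) holds key 2's private half, the server
# certificate and the CA chain. Prints how many certificates the bundle carries.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/www.key" -in "$WORK/www.crt" \
        -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/www.pfx" 2>/dev/null
    openssl pkcs12 -in "$WORK/www.pfx" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

demo() {
    make_ca
    make_csr 2048
    sign_csr
    echo "certificate key size after a 2048-bit CSR: $(cert_key_bits) bit"
    echo "chain verifies with the CA public key:    $(verify_chain)"
    echo "request decrypted with the session key:   $(session_roundtrip)"
    echo "certificates in the exported .pfx:        $(export_pfx)"
    make_csr 3072
    sign_csr
    echo "certificate key size after a 3072-bit CSR: $(cert_key_bits) bit"
}

demo
```

Two caveats worth adding to the answer above: the "128-bit" or "256-bit" in a CA's product name refers to the symmetric session cipher (key 3 here, which is 256-bit AES no matter what RSA size the certificate carries), not to the certificate's key length; and 1024-bit RSA is no longer issued by public CAs, so 2048 is the floor today. The RSA-encrypted session key shown in session_roundtrip is how SSL 3.0 and TLS 1.0 worked in 2008; TLS 1.3 removed RSA key exchange in favour of ephemeral Diffie-Hellman, and the certificate key is then used only to sign the handshake.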