
Basic IIS + SSL Questions

Posted on 2008-06-11
Last Modified: 2012-05-05
Hello experts,

I am trying to get a better understanding of how IIS + SSL work together from an implementation standpoint.  Please answer my questions (brief/basic answers preferred) and you will have my undying gratitude!  :-)

1. In regards to the CSR wizard, I am prompted for the Bit Length.  I have read conflicting reports that this is or is not directly tied to the actual certificate that is generated (for example: Verisign).  As far as I know, this is only used for the certificate registration process, and only the web server and the Certificate Authority (CA) are concerned about this length for sharing the registration info.  Afterward, the SSL can have any encryption bit length (such as 128 or 256).  Is that correct?

2. I am pretty confused by Verisign's FAQ section, as it lists that there are 3 different keys used in the SSL process.  (http://www.verisign.com/cus/srv/faq/512/index.html#128) Please tell me if I understand this correctly:
 - the first key pair is used only for the registration process between the web server and CA
 - The next key pair is used between the web server and the certificate (this point confuses me)
 - The final key pair is used for creating a session between the browser and the web server
To point 2, does this only mean that when the web browser gets its certificate from a CA, it confirms that it is valid using a key pair of some type?  Any help you can provide on that one would be appreciated.

3. If I purchase a 256-bit certificate (i.e. from Verisign), this should not cause my customers any issues connecting because most relatively current browsers will negotiate up to the 256-bit level for encryption (agreeing upon the highest level that the web server and client support), correct?  Please note that I do not have any global customers, only US.

4. Will running the CSR wizard remove the current certificate? The reason I ask is that I find it extremely inconvenient that running the certificate wizard to generate a CSR (for moving to another CA provider) effectively removes the currently installed cert. If this is true, can I generate a CSR on another IIS server for the www site and then transfer it over to the production server?  I see the wizard has a copy/move a certificate option.
Question by:jedifenner
1 Comment

Accepted Solution

by: Blaz (earned 500 total points)
ID: 21764236
Firstly I have to admit that I am not fully familiar with the CSR wizards. But I do know something about SSL.

1. The bit length is the length of the key that is used in the certificate. It is used in every session with clients connecting via SSL. Regarding options to use different length afterwards see also next point.

2. First key is the CA (certificate authority) key that the CAs use to "sign" all other certificates. It is used in the creation of your certificate (the private part of the key - used by the CAs) and in every verification of your certificate (the public part of the key - used by your clients).

Second key is basically your certificate. It is used to initiate every session of SSL connection between your clients and your server. With this key (certificate) you prove that it is really your server on the other side of the line, and it is used to exchange symmetric keys used in further communication.

Third are the session symmetric keys. These keys are generated for each session (for each client) and are used for the actual exchange of data between the computers. This key can be generated in different lengths - depending on capabilities of the client and the server.

3. You should only use (buy) 1024 bit certificates. As it is written in the Verisign FAQ you posted - even 512 bit certificates are not secure!

4. I am not sure. But you can surely move the certificate from another server - just make sure you mark it as exportable private key.
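As an added example (not the poster's or Blaz's code, and independent of the IIS wizard itself), the following Python, using the third-party `cryptography` library, walks through points 1 and 2 of the answer: the CSR's bit length is the server key's modulus size and is copied unchanged into the issued certificate, the CA signs with its own separate key, and a client verifies with the CA's public key. All names and key sizes are constructed for the demo.

```python
# Added example, not from the thread: the "bit length" asked for by the CSR wizard
# is the server key's modulus size, and the CA key (key 1) is independent of it.
# Needs the third-party `cryptography` package; all names and sizes are constructed.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, pub, signer):
    # Common certificate body; validity is a constructed one-day window.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(signer, hashes.SHA256()))

def make_csr(bits, cn="www.example.test"):
    # Key 2 in the thread: the server's key pair. The CSR carries its public half,
    # so the wizard's bit length is exactly this key's size.
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    csr = x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(key, hashes.SHA256())
    return key, csr

def make_ca(bits):
    # Key 1 in the thread: the CA's own key pair, self-signed here for the demo.
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    ca = _name("Example Test CA")
    return key, _cert(ca, ca, key.public_key(), key)

def issue(ca_key, ca_cert, csr):
    # The CA copies the CSR's public key into the certificate unchanged and signs
    # the body with its private key, so the server key length cannot change here.
    return _cert(csr.subject, ca_cert.subject, csr.public_key(), ca_key)

def key_bits(obj):
    # RSA modulus size of a CSR's or certificate's public key.
    return obj.public_key().key_size

def verify_issued_by(ca_cert, cert):
    # What a browser does with the CA's public key: check the signature over the
    # certificate body. Raises InvalidSignature if the cert was not signed by this CA.
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    return True
```

Note that neither key size here says anything about the symmetric session key (key 3 in the answer); that is negotiated per connection between browser and server.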