I am trying to get a better understanding of how IIS + SSL work together from an implementation standpoint. Please answer my questions (brief/basic answers preferred) and you will have my undying gratitude! :-)
1. In regards to the CSR wizard, I am prompted for the Bit Length. I have read conflicting reports that this is or is not directly tied to the actual certificate that is generated (for example: Verisign). As far as I know, this is only used for the certificate registration process, and only the web server and the Certificate Authority (CA) are concerned about this length for sharing the registration info. Afterward, the SSL can have any encryption bit length (such as 128 or 256). Is that correct?
2. I am pretty confused by Verisign's FAQ section, as it lists that there are 3 different keys used in the SSL process (http://www.verisign.com/cus/srv/faq/512/index.html#128). Please tell me if I understand this correctly:
- the first key pair is used only for the registration process between the web server and CA
- The next key pair is used between the web server and the certificate (this point confuses me)
- The final key pair is used for creating a session between the browser and the web server
To point 2, does this only mean that when the web browser gets its certificate from a CA, it confirms that it is valid using a key pair of some type? Any help you can provide on that one would be appreciated.
3. If I purchase a 256-bit certificate (i.e. from Verisign), this should not cause my customers any issues connecting, because most relatively current browsers will negotiate up to the 256-bit level for encryption (agreeing upon the highest level that the web server and client support), correct? Please note that I do not have any global customers, only US.
4. Will running the CSR wizard remove the current certificate? The reason I ask is that I find it extremely inconvenient that running the certificate wizard to generate a CSR (for moving to another CA provider) effectively removes the currently installed cert. If this is true, can I generate a CSR on another IIS server for the www site and then transfer it over to the production server? I see the wizard has a copy/move a certificate option.
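The following is an added example, not part of the original question, that walks through the CSR and certificate side of questions 1 and 2 with the openssl command line (assumed to be installed) instead of the IIS wizard. It generates a server key pair at the "bit length" the wizard asks for, builds a CSR from it, signs the CSR with a throwaway root that stands in for a commercial CA, and then reads the public-key size back out of both the CSR and the issued certificate. The hostname and organisation in the subjects are constructed placeholders, and everything is written to a temporary directory so no real certificate store is touched.

```shell
#!/bin/sh
# Added example (not from the original post or from IIS/Verisign documentation):
# the CSR's bit length is the size of the server's RSA key pair, and the CA copies
# that public key unchanged into the certificate it issues. The 128/256-bit figure
# quoted for a browser session is the symmetric cipher negotiated per connection,
# which is a separate key and is not recorded anywhere in the CSR or certificate.
# Assumes the openssl CLI is on PATH. All subject names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the web server's own key pair plus a CSR carrying its public half.
# rsa:2048 is the equivalent of the "Bit Length" prompt in the IIS CSR wizard.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=www.example.com/O=Example Org/C=US" >/dev/null 2>&1
}

# Step 2: a stand-in CA. Its own key pair (the second of the "three keys") signs
# the CSR; the server's private key never leaves the server.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Test CA/O=Example Org/C=US" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 1 -out "$WORK/server.crt" >/dev/null 2>&1
}

# Public-key size recorded in the CSR, e.g. "2048".
csr_key_bits() {
    openssl req -in "$WORK/server.csr" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Public-key size recorded in the certificate the CA issued.
cert_key_bits() {
    openssl x509 -in "$WORK/server.crt" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# "yes" when the certificate carries exactly the public key that was in the CSR.
keys_match() {
    a=$(openssl req -in "$WORK/server.csr" -noout -pubkey)
    b=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)
    [ "$a" = "$b" ] && echo yes || echo no
}

gen_csr
issue_cert
echo "CSR public key:         $(csr_key_bits) bit"
echo "Certificate public key: $(cert_key_bits) bit"
echo "Same key in both:       $(keys_match)"
```

Because the CA signs the public key it was sent rather than generating a new one, the private key created alongside the CSR is the only key that can be paired with the certificate that comes back. That is why a CSR generated on one machine has to be completed on that same machine (or the completed certificate exported together with its private key) before it can be moved elsewhere.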