ovprit
asked on
How to create TRUE 256-bit self-signed certificates using OpenSSL to implement on BOTH IIS & Apache
Please refer to the attached screenshot PRIOR to posting.
I am looking to create self-signed 256-bit (or even higher if possible) certificates, which I can use on my IIS and Apache servers.
I was told:
a) the certificate has to be "capable" of it
b) the server needs to be configured to do it
Well, I read the OpenSSL manual, and I see various encryption methods listed, but didn't know WHICH ones would allow me to generate my OWN 256-bit ones.
Looking forward to URLs, or step-by-steps :)
ssl-types.png
According to: http://www.akadia.com/services/ssh_test_certificate.html:
openssl genrsa -des3 -out server.key 1024
Will generate a 1024 bit key. However, as ravenpl points out, certificates and encryption key lengths are two different things.
ASKER
fellas:
Wow, thanks for clarifying what I already knew... I'm looking for specific instructions on using OpenSSL to sign a 256-bit encryption based self-signed certificate, which I can then use in IIS AND Apache
Thank you,
Do you need the instructions on how to generate the certificate?
Or do you need the instruction on how to configure IIS and Apache to do SSL?
Do you want to use the same exact cert on IIS and Apache?
Are IIS and Apache running on the same computer?
OpenSSL and IIS:
http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
OpenSSL and Apache under Windows:
http://tud.at/programm/apache-ssl-win32-howto.php3
ASKER
@giltjr:
Indeed those sets of instructions allow you to generate 128-bit certificates...
Again, I need:
1) sets of instructions that allow me to generate a 256-bit CIPHER 4096bit LENGTH certificate
2) sets of instructions on HOW to "self sign" what was generated
3) sets of instructions on HOW to modify IIS and APACHE to USE the 256-bit CIPHER vs. the 128-bit default
TIA!
--> 1) sets of instructions that allow me to generate a 256-bit CIPHER 4096bit LENGTH certificate
--> 2) sets of instructions on HOW to "self sign" what was generated
This is ONE and the same step:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout mycert.pem -out mycert.pem
Which is documented as the step to generate a self signed cert in one of the above links. All I did was replace "rsa:1024" with "rsa:4096." The file mycert.pem will now contain the private key and the public cert.
Now you can follow the normal procedures for getting IIS/Apache to use this.
Now, what level of encryption that is used between the client and the browser is independent of the cert. The cert just verifies who you are, it does not determine the level of encryption.
So all you need to do is setup Apache and IIS to use SSL based on their instructions. However, based on what I have found no version of IIS supports 256-bit encryption yet. You can go to Apache's site to see the instructions on how to get Apache setup for SSL.
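As an added example (not code from the thread or from any of the answers above): a script that does what the one-liner above does, but writes the key and certificate to separate files, signs with SHA-256, adds a subjectAltName (browsers now require one), and then reads back what the certificate actually records. The host name, file names, lifetime and PKCS#12 password are placeholders chosen for this example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): generate a 4096-bit RSA key and a
# self-signed, SHA-256-signed certificate, then inspect what the certificate
# actually records. Host name, file names, lifetime and the PKCS#12 password
# are placeholders chosen for this example. Requires the openssl CLI.
set -eu

# gen_selfsigned OUTDIR HOSTNAME DAYS
# Writes OUTDIR/server.key (unencrypted private key), OUTDIR/server.crt
# (self-signed cert with a SAN) and OUTDIR/server.pfx (key+cert bundle for
# the IIS certificate import wizard).
gen_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # -x509 self-signs the request and -newkey rsa:4096 creates the key in
    # the same step, as in the answer above; key and cert go to separate files.
    openssl req -x509 -nodes -sha256 -days "$days" \
        -newkey rsa:4096 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
    # IIS wants the key and cert together in one PKCS#12 (.pfx) file.
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -out "$dir/server.pfx" -passout pass:example-only
}

# cert_key_bits CERTFILE: size of the RSA public key inside the certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl rsa -pubin -noout -text 2>/dev/null \
      | grep -o '([0-9]* bit)' | tr -dc '0-9'
}

# cert_sig_alg CERTFILE: the signature algorithm; the only "256" in this
# certificate is the SHA-256 hash used in its signature.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
      | grep 'Signature Algorithm' | head -n 1 | awk '{print $3}'
}

# cert_mentions_cipher CERTFILE: "yes" if any symmetric cipher name appears
# anywhere in the decoded certificate, "no" otherwise. It is always "no":
# the cipher is negotiated in the handshake, not stored in the certificate.
cert_mentions_cipher() {
    if openssl x509 -in "$1" -noout -text | grep -qiE 'AES|RC4|3DES|DES-'; then
        echo yes
    else
        echo no
    fi
}

# Usage: sh thisscript.sh run   (writes into a temporary directory)
if [ "${1:-}" = "run" ]; then
    out=$(mktemp -d)
    gen_selfsigned "$out" www.example.test 365
    echo "key bits:       $(cert_key_bits "$out/server.crt")"
    echo "signature alg:  $(cert_sig_alg "$out/server.crt")"
    echo "names a cipher: $(cert_mentions_cipher "$out/server.crt")"
    echo "files in $out:"; ls -l "$out"
fi
```

The key-size line reports 4096 and the signature line reports sha256WithRSAEncryption; nothing in the certificate names AES or any other symmetric cipher, which is the point made above. The .pfx is what IIS imports (Apache takes server.key and server.crt directly via SSLCertificateKeyFile and SSLCertificateFile). If an older Windows release refuses the .pfx written by OpenSSL 3, re-export it with the `-legacy` option of `openssl pkcs12`.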
ASKER
Hmm... so let me get this straight...
You're telling me:
a) despite what everyone else has been saying, that generic line of openssl command will generate a cert that is CAPABLE of doing 256-bit cipher?
b) an industry STANDARD web server, IIS 6.0, is NOT capable of 256-bit cipher?
If you take offense at my reply here, I apologize, however it is a tad confusing/inexcusable for Microsoft to have not developed support for 256-bit cipher in IIS for its past 6 MAJOR versions... don't you think?
No, I don't take offense.
a) The cert has nothing to do with what level of encryption will be used. The cert just verifies that the server (or client if you use two way) is who it says it is, as verified by a "trusted party". The server and the client negotiate what type and level of encryption will be used.
Can you point me to doc where it claims that the certificate determines what type of encryption is used?
b) Yep. You can double check, but based on http://forums.iis.net/t/1147772.aspx IIS 7.0 does not support it either, or at least it did not at that time. MS could have added AES encryption support, which is what you need for 256-bit encryption. However I have found other references on MS site that IIS up through and including 6.0 does NOT include AES support.
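An added example (not from the thread), following on from the point that the server and client negotiate the cipher: helpers that expand an OpenSSL cipher string, which is the same syntax Apache's mod_ssl SSLCipherSuite directive takes, and report the weakest symmetric key the string still permits. The cipher strings and the Apache paths in the comments are chosen for this example; it needs the openssl CLI, 1.1.1 or later for the -ciphersuites option.

```shell
#!/bin/sh
# Added example (not from the thread): the certificate does not pick the
# cipher; the server's cipher string and the client's offer do. These helpers
# expand an OpenSSL cipher string (the syntax Apache's SSLCipherSuite takes)
# and report the weakest symmetric key it permits. Cipher strings and paths
# are chosen for this example. Requires openssl 1.1.1+ (-ciphersuites).
set -eu

# list_ciphers CIPHER_STRING: one line per suite the string enables, with
# protocol, key exchange and the Enc=NAME(bits) column, as mod_ssl would see
# it. TLS 1.3 suites are configured separately from the cipher string, so
# they are pinned to the AES-256 suite here as well.
list_ciphers() {
    openssl ciphers -v -ciphersuites TLS_AES_256_GCM_SHA384 "$1"
}

# enc_bits CIPHER_STRING: symmetric key sizes pulled from the Enc=NAME(bits)
# column, one per line (eNULL suites have no parentheses and produce nothing).
enc_bits() {
    list_ciphers "$1" | sed -n 's/.*Enc=[^(]*(\([0-9]*\)).*/\1/p'
}

# min_enc_bits CIPHER_STRING: the weakest key size the string still allows.
# This, not the certificate's 4096-bit RSA key, is what "256-bit SSL" means.
min_enc_bits() {
    enc_bits "$1" | sort -n | head -n 1
}

# The strings below are what would go into the Apache (mod_ssl) vhost:
#
#   SSLEngine on
#   SSLCertificateFile    /etc/ssl/certs/server.crt
#   SSLCertificateKeyFile /etc/ssl/private/server.key
#   SSLHonorCipherOrder   on
#   SSLCipherSuite        ECDHE+AES256:!aNULL:!eNULL:!MD5
#
# WEAK_STRING is OpenSSL's lenient default (what a server gets when no
# SSLCipherSuite is set); STRONG_STRING allows only 256-bit AES with
# ephemeral EC Diffie-Hellman key exchange and no anonymous or null suites.
WEAK_STRING='DEFAULT'
STRONG_STRING='ECDHE+AES256:!aNULL:!eNULL:!MD5'

# Usage: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    echo "weakest key permitted by '$WEAK_STRING':   $(min_enc_bits "$WEAK_STRING") bits"
    echo "weakest key permitted by '$STRONG_STRING': $(min_enc_bits "$STRONG_STRING") bits"
    echo "suites enabled by '$STRONG_STRING':"
    list_ciphers "$STRONG_STRING"
fi
```

Run with `run`: DEFAULT comes out below 256 (128 on a stock build, because AES-128 suites are in it), the ECDHE+AES256 string comes out at 256, and the listing shows exactly which suites that string turns on. The directives are the same in Apache 2.0/2.2 on Linux; which suites exist depends on the OpenSSL that mod_ssl is linked against, which is what this script inspects. After changing SSLCipherSuite and restarting, confirm from outside with `openssl s_client -connect host:443`: the Cipher line in its output is what was actually negotiated, which is the only number that matters for "256-bit". On Apache 2.4.36 and later the TLS 1.3 suites are set separately with `SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384`.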
ASKER
@giltjr:
http://www.trustico.co.uk/material/techpaper_encryption.pdf
states that indeed certificate does not matter, that the whole thing depends on the server and browser having the capability... some more Googling showed that as long as the certificate was generated with AES support, I should be fine.
So, before I give you the points:
a) How can we ensure, OpenSSL will generate/sign a certificate with AES support?
b) I appreciate the link you gave me for Apache on Windows... But I am looking for step-by-step instructions for installing and modifying Apache 2.0/2.2 servers in Linux environments to enable 256-bit cipher capability...
Hopefully, we can finalize this question :) Thanks for hanging in there with me!
TIA!
ASKER CERTIFIED SOLUTION
The certificate, though, can contain a list of allowed/disallowed ciphers. Usually (by default) they are empty, so browser and server are free to negotiate one at will.
There are many examples and free software for generating certificates over the internet - have you tried any?