Welcome to Experts Exchange
Solved

How to create TRUE 256-bit self-signed certificates using OpenSSL to implement on BOTH IIS & Apache

Posted on 2008-06-13
Last Modified: 2011-10-19
Please refer to the attached screenshot PRIOR to posting.

I am looking to create self-signed 256-bit (or even higher if possible) certificates, which I can use on my IIS and Apache servers.

I was told:
a) the certificate has to be "capable" of it
b) the server needs to be configured to do it

Well, I read the OpenSSL manual, and I see various encryption methods listed, but didn't know WHICH ones would allow me to generate my OWN 256-bit ones.

Looking forward to URLs, or step-by-steps :)
ssl-types.png
Question by:ovprit
11 Comments
LVL 43

Expert Comment

by:ravenpl
ID: 21784344
The certificate bit length (usually 1024, 2048 or 4096) has nothing to do with the encryption key bit length (usually 256 bits).
The certificate, though, can contain a list of allowed/disallowed ciphers. Usually (by default) they are empty, so browser and server are free to negotiate one at will.

There are many examples and free software for generating certificates over the internet - have you tried any?
LVL 57

Expert Comment

by:giltjr
ID: 21785041
According to: http://www.akadia.com/services/ssh_test_certificate.html:

     openssl genrsa -des3 -out server.key 1024

Will generate a 1024-bit key. However, as ravenpl points out, certificates and encryption key lengths are two different things.
LVL 1

Author Comment

by:ovprit
ID: 21786447
fellas:

Wow, thanks for clarifying what I already knew... I'm looking for specific instructions on using OpenSSL to sign a 256-bit encryption based self-signed certificate, which I can then use in IIS AND Apache.

Thank you,
LVL 57

Expert Comment

by:giltjr
ID: 21786651
Do you need the instructions on how to generate the certificate?

Or do you need the instruction on how to configure IIS and Apache to do SSL?

Do you want to use the same exact cert on IIS and Apache?

Is IIS and Apache running on the same computer?
LVL 57

Expert Comment

by:giltjr
ID: 21786660
LVL 1

Author Comment

by:ovprit
ID: 21807384
@giltjr:

Indeed those sets of instructions allow you to generate 128-bit certificates...

Again, I need:

1) sets of instructions that allow me to generate a 256-bit CIPHER 4096bit LENGTH certificate
2) sets of instructions on HOW to "self sign" what was generated
3) sets of instructions on HOW to modify IIS and APACHE to USE the 256-bit CIPHER vs. the 128-bit default

TIA!

LVL 57

Expert Comment

by:giltjr
ID: 21809635
--> 1) sets of instructions that allow me to generate a 256-bit CIPHER 4096bit LENGTH certificate
--> 2) sets of instructions on HOW to "self sign" what was generated

This is ONE and the same step:

     openssl req -x509  -nodes -days 365 -newkey rsa:4096 -keyout mycert.pem  -out mycert.pem

Which is documented as the step to generate a self signed cert in one of the above links.  All I did was replace "rsa:1024" with "rsa:4096."  The file mycert.pem will now contain the private key and the public cert.

Now you can follow the normal procedures for getting IIS/Apache to use this.

Now, what level of encryption that is used between the client and the browser is independent of the cert.  The cert just verifies who you are, it does not determine the level of encryption.

So all you need to do is setup Apache and IIS to use SSL based on their instructions.  However, based on what I have found no version of IIS supports 256-bit encryption yet.  You can go to Apache's site to see the instructions on how to get Apache setup for SSL.
LVL 1

Author Comment

by:ovprit
ID: 21813083
Hmm... so let me get this straight...

You're telling me:

a) despite what everyone else has been saying, that generic line of openssl command will generate a cert that is CAPABLE of doing 256-bit cipher?

b) an industry STANDARD web server, IIS 6.0, is NOT capable of 256-bit cipher?

If you take offense at my reply here, I apologize, however it is a tad confusing/inexcusable for Microsoft to have not developed support for 256-bit cipher in IIS for its past 6 MAJOR versions... don't you think?
LVL 57

Expert Comment

by:giltjr
ID: 21813288
No, I don't take offense.

a) The cert has nothing to do with what level of encryption will be used. The cert just verifies that the server (or client if you use two way) is who it says it is as verified by a "trusted party". The server and the client negotiate what type and level of encryption will be used.

Can you point me to doc where it claims that the certificate determines what type of encryption is used?

b) Yep. You can double check, but based on http://forums.iis.net/t/1147772.aspx IIS 7.0 does not support it either, or at least it did not at that time. MS could have added AES encryption support, which is what you need for 256-bit encryption. However I have found other references on MS site that IIS up through and including 6.0 does NOT include AES support.
LVL 1

Author Comment

by:ovprit
ID: 21819413
@giltjr:

http://www.trustico.co.uk/material/techpaper_encryption.pdf

states that indeed certificate does not matter, that the whole thing depends on the server and browser having the capability... some more Googling showed that as long as the certificate was generated with AES support, I should be fine.

So, before I give you the points:

a) How can we ensure, OpenSSL will generate/sign a certificate with AES support?
b) I appreciate the link you gave me for Apache on Windows... But I am looking for step-by-step instructions for installing and modifying Apache 2.0/2.2 servers in Linux environments to enable 256-bit cipher capability...

Hopefully, we can finalize this question :) Thanks for hanging in there with me!

TIA!
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 21821037
a) The cert and encryption level have nothing to do with each other.  What type and level of the encryption used is based on what the application (Apache or IIS) can support.  The cert just verifies who you are, not what you can do.

b) Follow the normal Apache+mod_ssl instructions. Unless you are building your own Linux environment, most of the major distributions will have documentation on how to set up Apache with mod_ssl. At a minimum you can follow:

     http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

mod_ssl calls/uses OpenSSL so as long as you have a current OpenSSL that supports AES-256 then Apache can use it.

HOWEVER, the level of encryption that is actually used is based on what the browser supports. If somebody is using an old browser that only supports 128-bit, only 128-bit will be used, or if somebody is accessing your web site from a country that is only supposed to have 40-bit, then only 40-bit will be used.