Solved

How to create TRUE 256-bit self-signed certificates using OpenSSL to implement on BOTH IIS & Apache

Posted on 2008-06-13
2,895 Views
Last Modified: 2011-10-19
Please refer to the attached screenshot PRIOR to posting.

I am looking to create self-signed 256-bit (or even higher if possible) certificates, which I can use on my IIS and Apache servers.

I was told:
a) the certificate has to be "capable" of it
b) the server needs to be configured to do it

Well, I read the OpenSSL manual, and I see various encryption methods listed, but didn't know WHICH ones would allow me to generate my OWN 256-bit ones.

Looking forward to URLs, or step-by-steps :)
ssl-types.png
Question by:ovprit
11 Comments
 
LVL 43

Expert Comment

by:ravenpl
The certificate bit length (usually 1024, 2048 or 4096) has nothing to do with the encryption key bit length (usually 256 bits).
The certificate though can contain a list of allowed/disallowed ciphers. Usually (by default) they are empty, so browser and server are free to negotiate one at will.

There are many examples and free software for generating certificates over the internet - have you tried any?
 
LVL 57

Expert Comment

by:giltjr
According to: http://www.akadia.com/services/ssh_test_certificate.html:

     openssl genrsa -des3 -out server.key 1024

This will generate a 1024-bit key. However, as ravenpl points out, certificates and encryption key lengths are two different things.
 
LVL 1

Author Comment

by:ovprit
fellas:

ow Thx for clarifying what I already knew... I'm looking for specific instructions on using OpenSSL to sign a 256-bit encryption-based self-signed certificate, which I can then use in IIS AND Apache

Thank you,
 
LVL 57

Expert Comment

by:giltjr
Do you need the instructions on how to generate the certificate?

Or do you need the instructions on how to configure IIS and Apache to do SSL?

Do you want to use the same exact cert on IIS and Apache?

Are IIS and Apache running on the same computer?
 
LVL 57

Expert Comment

by:giltjr

 
LVL 1

Author Comment

by:ovprit
@giltjr:

Indeed those sets of instructions allow you to generate 128-bit certificates...

Again, I need:

1) sets of instructions that allow me to generate a 256-bit CIPHER 4096bit LENGTH certificate
2) sets of instructions on HOW to "self sign" what was generated
3) sets of instructions on HOW to modify IIS and APACHE to USE the 256-bit CIPHER vs. the 128-bit default

TIA!

 
LVL 57

Expert Comment

by:giltjr
--> 1) sets of instructions that allow me to generate a 256-bit CIPHER 4096bit LENGTH certificate
--> 2) sets of instructions on HOW to "self sign" what was generated

This is ONE and the same step:

     openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout mycert.pem -out mycert.pem

Which is documented as the step to generate a self-signed cert in one of the above links. All I did was replace "rsa:1024" with "rsa:4096". The file mycert.pem will now contain the private key and the public cert.

Now you can follow the normal procedures for getting IIS/Apache to use this.

Now, what level of encryption is used between the client and the browser is independent of the cert. The cert just verifies who you are, it does not determine the level of encryption.

So all you need to do is set up Apache and IIS to use SSL based on their instructions. However, based on what I have found, no version of IIS supports 256-bit encryption yet. You can go to Apache's site to see the instructions on how to get Apache set up for SSL.
 
LVL 1

Author Comment

by:ovprit
Hmm... so let me get this straight...

You're telling me:

a) despite what every1 else has been saying, that generic line of openssl command will generate a cert that is CAPABLE of doing 256-bit cipher?

b) an industry STANDARD web server, IIS 6.0, is NOT capable of 256-bit cipher?

If you take offense at my reply here, I apologize, however it is a tad confusing/inexcusable for Microsoft to have not developed support for 256-bit cipher in IIS for its past 6 MAJOR versions... don't you think?
 
LVL 57

Expert Comment

by:giltjr
No, I don't take offense.

a) The cert has nothing to do with what level of encryption will be used. The cert just verifies that the server (or client, if you use two-way) is who it says it is, as verified by a "trusted party". The server and the client negotiate what type and level of encryption will be used.

Can you point me to doc where it claims that the certificate determines what type of encryption is used?

b) Yep. You can double check, but based on http://forums.iis.net/t/1147772.aspx IIS 7.0 does not support it either, or at least it did not at that time. MS could have added AES encryption support, which is what you need for 256-bit encryption. However, I have found other references on MS site that IIS up through and including 6.0 does NOT include AES support.

 
LVL 1

Author Comment

by:ovprit
@giltjr:

http://www.trustico.co.uk/material/techpaper_encryption.pdf

states that indeed the certificate does not matter, that the whole thing depends on the server and browser having the capability... some more Googling showed that as long as the certificate was generated with AES support, I should be fine.

So, before I give you the points:

a) How can we ensure, OpenSSL will generate/sign a certificate with AES support?
b) I appreciate the link you gave me for Apache on Windows... But I am looking for step-by-step instructions for installing and modifying Apache 2.0/2.2 servers in Linux environments to enable 256-bit cipher capability...

Hopefully, we can finalize this question :) Thanks for hanging in there with me!

TIA!
 
LVL 57

Accepted Solution

by: giltjr (earned 500 total points)
a) The cert and encryption level have nothing to do with each other.  What type and level of the encryption used is based on what the application (Apache or IIS) can support.  The cert just verifies who you are, not what you can do.

b) Follow the normal Apache+mod_ssl instructions. Unless you are building your own Linux environment, most of the major distributions will have documentation on how to set up Apache with mod_ssl. At a minimum you can follow:

     http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

mod_ssl calls/uses OpenSSL so as long as you have a current OpenSSL that supports AES-256 then Apache can use it.

HOWEVER, the level of encryption that is actually used is based on what the browser supports. If somebody is using an old browser that only supports 128-bit, only 128-bit will be used, or if somebody is accessing your web site from a country that is only supposed to have 40-bit, then only 40-bit will be used.
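Since mod_ssl hands its cipher list straight to OpenSSL, the negotiation described in the accepted answer can be illustrated with Python's standard ssl module, which wraps the same OpenSSL cipher-string syntax that Apache's SSLCipherSuite directive uses. This is an added example, not code from the thread or its participants; the helper names, the server policy "AES256:AES128" and the two client profiles are constructed for illustration.

```python
import ssl

# Added illustration: expands OpenSSL cipher strings (the syntax Apache's
# SSLCipherSuite directive passes to OpenSSL) and models which suite a server
# and a client agree on. No certificate is involved anywhere below, which is
# the point: the cert identifies the server, the cipher policy and the client's
# capabilities decide the key length.


def enabled_ciphers(cipher_string):
    """Return (name, strength_bits) for the TLS 1.2-and-older suites an OpenSSL
    cipher string enables. TLS 1.3 suites are configured separately in OpenSSL
    and are unaffected by this string, so they are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(server_ciphers, client_ciphers):
    """Model server-preference negotiation (what SSLHonorCipherOrder enforces):
    the first suite in the server's list that the client also offers wins.
    Returns (name, strength_bits), or None when the two sides share nothing."""
    offered = {name for name, _ in client_ciphers}
    for name, bits in server_ciphers:
        if name in offered:
            return name, bits
    return None


def strongest_bits(ciphers):
    """Largest symmetric key strength present in a cipher list (0 if empty)."""
    return max((bits for _, bits in ciphers), default=0)


if __name__ == "__main__":
    # Constructed server policy: prefer AES-256, fall back to AES-128.
    server = enabled_ciphers("AES256:AES128")
    # A client limited to 128-bit AES, like the "old browser" in the answer,
    # and a client that can do AES-256. Same server, same (hypothetical) cert.
    clients = {"128-bit client": enabled_ciphers("AES128"),
               "256-bit client": enabled_ciphers("AES256")}
    for label, client in clients.items():
        name, bits = negotiate(server, client)
        print(f"{label}: negotiated {name} ({bits}-bit)")
```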
