• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3067
  • Last Modified:

How to create TRUE 256-bit self-signed certificates using OpenSSL to implement on BOTH IIS & Apache

Please refer to the attached screenshot PRIOR to posting.

I am looking to create self-signed 256-bit (or even higher if possible) certificates, which I can use on my IIS and Apache servers.

I was told:
a) the certificate has to be "capable" of it
b) the server needs to be configured to do it

Well, I read the OpenSSL manual, and I see various encryption methods listed, but didn't know WHICH ones would allow me to generate my OWN 256-bit ones.

Looking forward to URLs, or step-by-steps :)
ssl-types.png
0
ovprit
Asked:
ovprit
  • 6
  • 4
1 Solution
 
ravenplCommented:
The certificate bitlenght (usually 1024 2048 or 4096) has nothing to do with the encryption key bitlenght(usually 256bits).
The certificate though can contain list of allowed/disallowed ciphers. Usually(default) they empty, so browser-server are free to negotiate one at will.

There's many examples and free software for generating certificates over the internet - have You tried any?
0
 
giltjrCommented:
According to: http://www.akadia.com/services/ssh_test_certificate.html:

     openssl genrsa -des3 -out server.key 1024

Will generate a 1024 bit key.  However as ravenpl points out, certificates and encryption key lengths are two different things.
0
 
ovpritAuthor Commented:
fellas:

ow Thx for clarifying what I already knew... I'm looking for specific instructions on using OpenSSL to sign a 256-bit encryption based self signed certificate, which I can then use in IIS AND Apache

Thank you,
0
Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

 
giltjrCommented:
Do you need the instructions on how to generate the certifcate?

Or do you need the instruction on how to configure IIS and Apache to do SSL?

Do you want to use the same exact cert on IIS and Apache?

I IIS and Apache running on the same computer?
0
 
giltjrCommented:
0
 
ovpritAuthor Commented:
@giltjr:

Indeed those sets of instructions allow you to generate 128-bit certificates...

Again, I need:

1) sets of instructions that allow me to generate a 256-bit CIPHER 4096bit LENGTH certificate
2) sets of instructions on HOW to "self sign" what was generated
3) sets of instructions on HOW to modify IIS and APACHE to USE the 256-bit CIPHER vs. the 128-bit default

TIA!

0
 
giltjrCommented:
--> 1) sets of instructions that allow me to generate a 256-bit CIPHER 4096bit LENGTH certificate
--> 2) sets of instructions on HOW to "self sign" what was generated

This is ONE in the same step.:

     openssl req -x509  -nodes -days 365 -newkey rsa:4096 -keyout mycert.pem  -out mycert.pem

Which is documented as the step to generate a self signed cert in one of the above links.  All I did was replace "rsa:1024" with "rsa:4096."  The file mycert.pem will now contain the private key and the public cert.

Now you can follow the normal procedures for getting IIS/Apache to use this.

Now, what level of encryption that is used between the client and the browser is independent of the cert.  The cert just verifies who you are, it does not determine the level of encryption.

So all you need to do is setup Apache and IIS to use SSL based on their instructions.  However, based on what I have found no version of IIS supports 256-bit encryption yet.  You can go to Apache's site to see the instructions on how to get Apache setup for SSL.
0
 
ovpritAuthor Commented:
Hmm... so let me get this straight...

You're telling me:

a) despite what every1 else has been saying, that generic line of openssl command, will generate a cert that is CAPABLE of doing 256-bit cipher?

b) an industry STANDARD web server, IIS 6.0, is NOT capable of 256-bit cipher?

If you take offense at my reply here, I apologize, however it is a tad confusing/in-excusable for Microsoft to have not developed support for 256-bit cipher in IIS for it's past 6 MAJOR versions... don't you think?
0
 
giltjrCommented:
No, I don't take offense.

a) The cert has nothing to do with what level of encryption will be use.  The cert just verifies that the server(or client if you use two way) is who it says it is as verified by a "trusted party".  The server and the client negotiate what type and level of encryption will be used.  

Can you point me to doc where it claims that the certificate determines what type of encryption is used?

b) Yep.  You can double check, but based on http://forums.iis.net/t/1147772.aspx  IIS 7.0 does not support it either,or at least it did not at that time.  MS could have added AES encryption support, which is what you need for 256-bit encryption.  However I have found other references on MS site that IIS up through and including 6.0 does NOT include AES  support.

0
 
ovpritAuthor Commented:
@giltjr:

http://www.trustico.co.uk/material/techpaper_encryption.pdf

states that indeed certificate does not matter, that the whole thing depends on the server and browser having the capability... some more Googling showed that as long as the certificate was generated with AES support, I should be fine.

So, before I give you the points:

a) How can we ensure, OpenSSL will generate/sign a certificate with AES support?
b) I appreciate the link you gave me for Apache on Windows... But I am looking for step-by-step instructions for installing and modifying Apache 2.0/2.2 servers in Linux environments to enable 256-bit cipher capability...

Hopefully, we can finalize this question :) Thanks for hanging in there with me!

TIA!
0
 
giltjrCommented:
a) The cert and encryption level have nothing to do with each other.  What type and level of the encryption used is based on what the application (Apache or IIS) can support.  The cert just verifies who you are, not what you can do.

b) Follow the normal Apache+mod_ssl instructions. Unless you are building your own Linux enviroment, most of the major distributions will have documenation on how to setup Apache with mod_ssl.  At a minimum you can follow:

     http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

mod_ssl calls/uses OpenSSL so as long as you have a current OpenSSL that supports AES-256 then Apache can use it.

HOWEVER, the level of encryption that is actually used is based on what the browser supports.  If somebody is using a old browser that only support 128-bit, only 128-bit will be used, or if somebody is accessing your web site from a country that is only supposed to have 40-bit, then only 40-bit will be used.
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now