Most web administrators will be familiar with the concept of certificates. Essentially, these are digital ID tags that clients and servers use to ensure the identity of communication partners, as well as the integrity of transmitted data. They are also responsible for the cryptographic exchanges which form the backbone of our secure digital communications.
Most key exchanges carried out over the internet use a public-private key pairing, and shared keys are passed between clients and servers using a public-key algorithm called RSA. I won’t go into too much detail about how these things work, as they are pretty complicated and knowledge of their underlying mechanics isn’t required for what I’m going into in this post.
You may notice that when you bring up the properties of a website you have navigated to, you get some details about the strength of the cryptography used by the server you’re connecting to. One of those properties (depending on the security method used) will be the length of the RSA key in use.
I’ve gone into the differences between various key types and the benefits of longer keys in other posts, but given that 768-bit RSA keys have been compromised, website admins who offer their sites over secure connections should be looking to upgrade the bit lengths of their RSA keys to at least 2048-bit.
As you can see from the screenshot above, the example site is secured using a 1024-bit exchange, which could do with upgrading.
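The same check can be made without a browser. The following is an added example (not code from the original post): a PowerShell function that connects to a site, reads the certificate the server actually presents, and reports its public-key length. The host name passed to it is a placeholder; the key-size check assumes an RSA certificate, which is what this post is about.

```powershell
# Added example: report the public-key size a site presents over TLS, so you
# can see whether it still needs moving to a 2048-bit key.
function Get-ServedKeySize {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $MinimumKeySize = 2048
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: we only want to inspect the leaf certificate,
        # not validate it (that is the browser's job when users visit the site).
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)

        # Wrap the X509Certificate so the public key details are accessible.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $keySize = $cert.PublicKey.Key.KeySize   # RSA key length in bits

        [pscustomobject]@{
            Host         = $HostName
            Subject      = $cert.Subject
            Algorithm    = $cert.PublicKey.Oid.FriendlyName
            KeySize      = $keySize
            NeedsUpgrade = ($keySize -lt $MinimumKeySize)
            NotAfter     = $cert.NotAfter
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholder host name):
# Get-ServedKeySize -HostName 'intranet.example.local'
```

Run it against each internal site before and after following the steps below; the NeedsUpgrade column should change from True to False.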
If you get your website certificates from a vendor, they should do this for you automatically as part of their service; however, if you run your own certificate authority (CA) on an internal domain, for example, you will have to get a new certificate from the CA.
The problem you may encounter, especially if the websites are hosted in Internet Information Services (IIS), is that IIS will always request the WebServer certificate template from the CA, and will complain if that template is ever removed from the list of published templates. You will also find that superseding the WebServer template with a duplicate does not have the desired effect.
So, how do we get a new certificate with an increased bit length which we can use to better secure our connections? Easy: just follow the steps below…
Note that mucking about with anything relating to cryptography or certificates is likely to require elevated permissions.
Firstly, log onto the CA, open the Certification Authority MMC snap-in and select Certificate Templates:
In here you’ll see all the templates that your CA is configured to issue. There are plenty of others, so seeing additional ones and, indeed, not having all the ones shown above is perfectly normal.
Right-Click on the Certificate Templates folder item in the left-hand pane and choose Manage from the context menu. This will open up the Certificate Templates Console.
This console shows all the templates that are available to your CA, including those templates that it is not configured to issue. Find the Web Server entry in the list and right-click on it, choosing Duplicate Template from the popup menu.
In the popup window, choose which compatibility level you want for your new template. More recent Server versions offer additional functionality, but keep in mind that you may need to be more backwards compatible for some older clients which could be on the network. Naturally, if all the clients are reasonably up-to-date then choosing the most recent version of Server available is the way to go.
The next screen shows you the properties of your newly created certificate template.
On the General tab, complete the Template display name, Template name, Validity period and Renewal period fields as required. On the Request Handling tab, ensure that Purpose is set to Signature and encryption and that the Allow private key to be exported checkbox is selected. On the Cryptography tab, select the required Algorithm name and (where required) the Minimum key size. At the bottom of this tab, select the method which will be used to hash requests in the Request hash field.
Remember when completing these details that larger bit-lengths are more secure, but there is a possibility that not all clients will be able to connect using higher grade encryption: make sure you choose values that are appropriate to your environment and needs.
Next, head over to the Security tab. This works the same as standard NTFS permissions on the filesystem. You’ll need to ensure the computers which will be using this certificate have their accounts added in here: if multiple computers are likely to be using it, it will probably be worth your while creating a group within Active Directory to hold their accounts.
The server account or group should have READ and ENROLL permissions set. After adding these, click OK on all open dialog boxes to return to the Certificate Templates Console. Your new certificate template should be listed and visible.
Return to the Certification Authority console, right-click the Certificate Templates folder in the left-hand menu, and choose New > Certificate Template to Issue.
Find your new template in the list and click OK. The template will now appear in the list of certificates available to issue.
Now on to the next part: getting the new certificate into IIS. To do this, you need to log on to the web server in question and open a basic MMC console. When open, click File > Add/Remove Snap-in. From the list of available snap-ins, choose Certificates and click Add, choosing Computer account when prompted.
Click Next, then ensure that Local Computer is selected before clicking Finish. Click OK to close the add snap-in screen and return to the MMC.
Expand Certificates > Personal > Certificates to see all the personal certificates assigned to this computer’s account.
Right-click Certificates in the left-hand menu and choose All Tasks > Request New Certificate to open the request wizard. Click Next on the first screen, then select Active Directory Enrollment Policy and click Next.
After a few seconds, a list of all available certificates will be displayed, and your new template should be one of them.
If you see the message saying more information is required, as shown above, click the message to enter specific details relating to the name and organisation on the certificate. When completed, click OK. If all the required information has been entered, the message will be removed from this screen, and the Enroll button will be available after the certificate is selected.
If the process completes successfully, the following screen will be displayed, otherwise the Enrollment process will tell you what has gone wrong and you’ll have to start this part of the process again.
Click Finish to complete the process.
Next we need to add this into IIS so we can apply it to the website binding. Start the IIS console by clicking Start > Administrative Tools > Internet Information Services (IIS) Manager.
Select the server (not the website) from the left-hand menu and double-click the Server Certificates icon in the central pane.
The certificate we enrolled the web server into in the previous part of this process should be listed in this section.
If everything is OK here, expand the Sites folder and select the website whose bindings need to be changed to use the new certificate. If the new certificate isn’t present, try closing and re-opening the IIS console. If this doesn’t work, perform an IIS reset and try again.
With the website selected, choose Bindings from the right-hand action menu.
In the Site Bindings screen, select the entry for https and click Edit.
This will bring up the properties specific to that particular site binding. In the SSL certificate field, your new certificate should be a selectable option from the drop-down menu.
Select it, and click OK on all open dialog boxes to return to the main IIS admin console. The next time you browse to that particular website and check the properties of the page, you’ll see that your new certificate has taken effect and that the newer, longer keys are being used to provide increased security for your visitors.
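The enrollment and binding steps above can also be scripted once the template has been published. This is an added example (not code from the original post) covering the request wizard and the site binding change together; it assumes an elevated prompt on the web server with the PKI and WebAdministration PowerShell modules available (Windows Server 2012 / IIS 8 or later), and the template and site names shown are placeholders.

```powershell
# Added example: enroll the web server for a certificate from the duplicated
# template and point the site's https binding at it. Includes a key-size check
# so a template whose Minimum key size was left at the old default is caught.
Import-Module WebAdministration

function Update-SiteCertificate {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $TemplateName,   # your duplicated Web Server template
        [string] $DnsName = $env:COMPUTERNAME,
        [int] $MinimumKeySize = 2048
    )

    # Enroll through the Active Directory enrollment policy, as the MMC wizard does.
    $result = Get-Certificate -Template $TemplateName -DnsName $DnsName `
                              -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') {
        throw "Enrollment did not complete: status is $($result.Status)"
    }
    $cert = $result.Certificate

    # Refuse to bind anything weaker than the key length we set on the template.
    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -lt $MinimumKeySize) {
        throw "Issued certificate key is only $keySize bits; check the template's Minimum key size"
    }

    # Swap the existing https binding over to the new certificate.
    # 'My' is the Personal store under the computer account.
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    if (-not $binding) { throw "Site '$SiteName' has no https binding to update" }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')

    [pscustomobject]@{
        Site       = $SiteName
        Thumbprint = $cert.Thumbprint
        KeySize    = $keySize
        NotAfter   = $cert.NotAfter
    }
}

# Usage (placeholder names):
# Update-SiteCertificate -SiteName 'Default Web Site' -TemplateName 'WebServer2048'
```

If Get-Certificate returns a status of Pending rather than Issued, the CA is set to hold requests for approval and the certificate will need to be issued from the Certification Authority console before the binding can be changed.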
If you have any problems following this guide, or if there’s something you’d like some help or advice on, feel free to contact me and let me know what it is, or leave a comment here on this post and I’ll do my best to help.