Requesting and installing elliptic curve DSA certificates in Windows and IIS

Note: This guide is based on my experiences requesting an ECDSA certificate from a single CA. Not all CAs offer ECDSA certificates yet, so you may need to shop around to find one that does.

As computing power and prime-number factoring speed increase, keys based on RSA become more vulnerable to cracking. To compensate, RSA key lengths have been growing over time; currently, the minimum accepted size of an RSA key for web site use is 2048 bits. As key length increases, so does the computational workload on the server for each incoming TLS connection.

In contrast, as of the time of this writing, no cryptographic weaknesses have been found in ECC (Elliptic Curve Cryptography), which means an ECDSA key of just 256 bits is considered as strong as a 3072-bit RSA key, and a 384-bit ECDSA key is equivalent to 7680-bit RSA. Using an ECDSA certificate therefore means higher security with less server CPU overhead and lower power consumption per connection, and thus more concurrent client connections supported.

In order to issue you a trusted public key certificate, your chosen Certificate Authority (CA) will need a signed certificate request, generated on the server where the certificate will be installed. Most CAs will guide Windows website customers to generate their CSR using the IIS GUI. But in IIS 8.5 and below, the Create Certificate Request wizard does not allow specifying the parameters required for an ECDSA CSR, only RSA and DH. Hopefully the ability to request an ECDSA CSR will be added in the future (perhaps with Windows 10 Server next year).

In the meantime, in order to request an ECDSA certificate under Windows you'll need to dust off your command prompt skills and use the certreq.exe tool.

Step 1: Build the certreq input file (e.g. certreq_input.txt).

Here is an anonymized version of the parameters I used. For a complete list of the available parameters for certreq.exe, consult the Microsoft certreq documentation page.

[NewRequest]
; Subject DN of the site; the CN must match the host name clients connect to
Subject="CN=www.mysite.com,OU=my_org_unit,O=my_org,L=my_city,S=my_state,C=US"
; TRUE allows the private key to be exported from the key store later; use FALSE unless you need to move the key
Exportable=TRUE
HashAlgorithm="SHA256"
; The CNG key storage provider is required for ECDSA keys; the legacy CSP providers only support RSA/DH
ProviderName="Microsoft Software Key Storage Provider"
; NIST P-384 curve (ECDSA_P256 and ECDSA_P521 are the other CNG options)
KeyAlgorithm="ECDSA_P384"
KeyLength=384
; Key usage bits: 0x80 digital signature, 0x40 non-repudiation, 0x20 key encipherment, 0x10 data encipherment
KeyUsage=0xf0
; Store the key in the machine key store (not the current user's) so IIS can use it
MachineKeySet=TRUE

Step 2: Run the input file through certreq.exe to generate a CSR output file. Open an administrator-level command prompt, and run a command like the following:

certreq.exe -new certreq_input.txt my_csr.txt

Step 3: Submit your CSR to the CA. Typically you’ll end up pasting the contents of the my_csr.txt file into a box on the CA’s web site.

Step 4: Download the generated certificate. For Windows, the easiest format to work with is a P7B file containing the certificate and all intermediates. For example purposes, we’ll save it as mysite_ECDSA_P384.cer.

Step 5: Load the certificate on the server. At an administrator-level command prompt, run a command like the following:

certreq -accept mysite_ECDSA_P384.cer

Step 6: In IIS, bind the new certificate to https on port 443.
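As an added example (not code from the original post), the six steps above can be driven end to end from PowerShell, with a check after Step 2 that the CSR really carries an EC public key and a check after Step 5 that the installed certificate is ECDSA and has its private key on the server. The script assumes an elevated PowerShell session on the IIS server with the WebAdministration module available; the working folder C:\certs, the site name 'Default Web Site', the host name and the function names are assumed placeholders. It departs from the post's input file in one setting: Exportable=FALSE, so the private key cannot be exported from the key store.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Drives Steps 1-6 from PowerShell
# on a server with IIS and the WebAdministration module installed. Every path,
# the site name and the subject DN are placeholders to replace for your server.
Import-Module WebAdministration

$WorkDir  = 'C:\certs'                                    # assumed working folder
$InfPath  = Join-Path $WorkDir 'certreq_input.txt'
$CsrPath  = Join-Path $WorkDir 'my_csr.txt'
$CertPath = Join-Path $WorkDir 'mysite_ECDSA_P384.cer'    # P7B/CER the CA returns
$SiteName = 'Default Web Site'                            # assumed IIS site to bind
$HostName = 'www.mysite.com'
$Subject  = "CN=$HostName,OU=my_org_unit,O=my_org,L=my_city,S=my_state,C=US"

function New-EcdsaP384Csr {
    # Steps 1 and 2: write the certreq input file and generate the CSR.
    # Exportable is FALSE here (the post uses TRUE) so the private key stays
    # locked in the machine key store; flip it only if you must move the key.
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = @"
[NewRequest]
Subject="$Subject"
Exportable=FALSE
HashAlgorithm="SHA256"
ProviderName="Microsoft Software Key Storage Provider"
KeyAlgorithm="ECDSA_P384"
KeyLength=384
KeyUsage=0xf0
MachineKeySet=TRUE
"@
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII

    & certreq.exe -new $InfPath $CsrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

    # Confirm the CSR carries an EC public key (id-ecPublicKey OID) before
    # pasting it into the CA's site; an RSA request slipping through would
    # otherwise only be noticed after the certificate is issued.
    $dump = (& certutil.exe -dump $CsrPath) -join "`n"
    if ($dump -notmatch '1\.2\.840\.10045\.2\.1') {
        throw "CSR at $CsrPath does not contain an EC public key; check the INF file"
    }
    Write-Host "CSR written to $CsrPath; submit its contents to the CA (Steps 3 and 4)."
}

function Install-IssuedCertificate {
    # Step 5: import the CA's P7B/CER and pair it with the key certreq created.
    if (-not (Test-Path $CertPath)) { throw "Issued certificate not found at $CertPath" }
    & certreq.exe -accept $CertPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

    # Locate the newest matching certificate in the machine store and confirm it
    # is an EC certificate whose private key is present on this server.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $HostName with a private key in LocalMachine\My" }
    if ($cert.PublicKey.Oid.Value -ne '1.2.840.10045.2.1') {
        throw "Certificate $($cert.Thumbprint) is not an EC certificate ($($cert.PublicKey.Oid.FriendlyName))"
    }
    return $cert
}

function Set-IisHttpsBinding([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Step 6: ensure an https:443 binding exists on the site, then attach the
    # certificate to it through the IIS:\SslBindings drive.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' | Out-Null
    }
    $sslPath = 'IIS:\SslBindings\0.0.0.0!443'
    if (Test-Path $sslPath) { Remove-Item $sslPath -Force }
    $Cert | New-Item -Path $sslPath | Out-Null

    # Show what HTTP.sys now serves on port 443; the hash should match $Cert.Thumbprint.
    & netsh.exe http show sslcert ipport=0.0.0.0:443
}

# Run Steps 1-2 first; after the CA has returned the certificate, run Steps 5-6:
#   New-EcdsaP384Csr
#   $cert = Install-IssuedCertificate
#   Set-IisHttpsBinding -Cert $cert
```

Each function throws on the first failed step rather than continuing, so a mistaken INF file or a certificate that landed in the store without its private key is caught before the site binding is touched.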

To test the security and compatibility of your site, I recommend using the Qualys SSL Labs SSL Server Test.


Posted by Jamie Eubanks Tuesday, March 3, 2015 2:18:00 PM Categories: CMS Security
