Topic Keywords: SSL/TLS
In the last 6 months, many SSL Certificate Authorities (CAs) have made a switch to requiring web servers to use 2048-bit private keys.
It is believed that increased computing power will make the commonly used 1024-bit keys possible to break by 2011. A side effect of switching to the larger keys is that some old web browsers don’t support keys larger than 1024 bits. I can’t find a good reference that tells me which versions of which browsers, but this is something to keep in mind.
We’ve rebuilt the NowSMS SSL library to generate 2048-bit keys when generating a new certificate signing request (CSR). An update can be downloaded at http://www.nowsms.com/download/smsssl.zip.
To install the update, stop the NowSMS services and exit NowSMS.
Replace the existing SMSSSL.DLL in the Program Files\NowSMS directory with this version.
If you have not previously requested a signed certificate from a certificate authority, simply go to the SSL/TLS page of the NowSMS configuration, and select “Generate Server Certificate”.
Unfortunately, the change to 2048-bit key requirements will cause problems at renewal time for customers that already have an SSL certificate signed by a certificate authority (CA).
When your renewal time comes up, many CAs will not renew your certificate until you switch to a 2048-bit key.
However, if you generate a new server certificate request with NowSMS, this forces the existing certificate to be immediately invalidated, which may cause problems for existing clients during the certificate renewal process. (This problem is not specific to NowSMS … many web server administrators are facing similar problems.)
If you face this renewal issue with NowSMS, follow this procedure:
- Locate and back up the following NowSMS files (in either Program Files\NowSMS for Windows XP/2003 or ProgramData\NowSMS for Windows Vista/7/2008): SSL.CA, SSL.CRT, SSL.CSR, SSL.INI and SSL.KEY.
- On the “SSL/TLS” page of NowSMS, select the option to “Generate Server Certificate”.
- You will be warned that doing this will invalidate your existing certificate. If you have backed up the files that I mentioned above, select “Yes” to continue.
- After the new certificate signing request has been generated, copy the new versions of SSL.CRT, SSL.CSR, SSL.INI and SSL.KEY to a different location for backup. (Note: There will not be an SSL.CA file as this file will not exist until you get your signed certificate back from the CA.)
- Put the old backup copies of these files, including SSL.CA, back in the appropriate NowSMS directory.
- Use the new SSL.CSR to request a signed certificate from your CA. When you get the signed certificate back from the CA, save it as SSL.CA.
- Copy the new versions of these files, including SSL.CA, to the appropriate NowSMS directory and restart the NowSMS services.
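
The last step only works if the new SSL.CA, SSL.CSR and SSL.KEY all belong to the same key pair; mixing old and new copies leaves the server with a certificate it cannot use. The script below is an added example, not part of NowSMS or the original post, that checks a staged copy of the new files before they are put in place. It assumes the files are PEM-encoded, that SSL.KEY is not passphrase-protected, and that the `openssl` command-line tool is available; the staging directory name is hypothetical.

```sh
#!/bin/sh
# Added example (not NowSMS code): sanity-check a staged certificate set.
# Assumptions: PEM-encoded files, unencrypted SSL.KEY, openssl CLI on PATH.

# csr_bits FILE: print the public key size, in bits, found in a CSR.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# pubkey_of KIND FILE: print the public key (PEM) held in a CSR, a
# certificate or a private key, so that the three can be compared.
pubkey_of() {
    case "$1" in
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null
}

# check_set DIR: succeed only if DIR holds a key of at least 2048 bits
# and SSL.CSR, SSL.CA and SSL.KEY all carry the same public key.
check_set() {
    dir=$1
    bits=$(csr_bits "$dir/SSL.CSR")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] ||
        { echo "FAIL: SSL.CSR key size is ${bits:-unreadable}"; return 1; }
    key=$(pubkey_of key "$dir/SSL.KEY")
    # An unreadable key must fail here, or two empty strings would "match".
    [ -n "$key" ] || { echo "FAIL: cannot read SSL.KEY"; return 1; }
    [ "$(pubkey_of csr "$dir/SSL.CSR")" = "$key" ] ||
        { echo "FAIL: SSL.CSR does not match SSL.KEY"; return 1; }
    [ "$(pubkey_of cert "$dir/SSL.CA")" = "$key" ] ||
        { echo "FAIL: SSL.CA does not match SSL.KEY"; return 1; }
    echo "OK: $bits-bit key; CSR and signed certificate match it"
}

# Usage (hypothetical staging directory): check_set ./new-cert-set
```

Run it against the backup copy of the new files once SSL.CA has been saved there, and only copy the set into the NowSMS directory when it reports OK.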