SGC SuperCert FAQs
================================================================================
sathit on 19/11/2011 22:55:00

WHY WOULD I NEED AN SGC SUPERCERT FOR SSL?
Prior to 2001, the US government placed restrictions on the export of so-called 'strong encryption' software. As a result, Netscape and Microsoft released two versions of their browsers: US/domestic, which supported 128-bit encryption, and Non-US/International, which supported only 40-bit, and later 56-bit, encryption. Using a thawte SuperCert enables the Non-US versions to step up to 128-bit encryption.

If you have installed an SGC SuperCert, all supported browsers will be forced to use a 128-bit session key when communicating with your secure server. So, if you want the strongest available security for all your customers, particularly those with Non-US browsers, you need a thawte SGC SuperCert. SGC SuperCerts work the same way as standard SSL certificates, but contain an additional 'flag' which Netscape and Microsoft browsers recognize, in order to access their (hidden) strong encryption capabilities.

CAN NORMAL SSL CERTIFICATES PROVIDE 128-BIT SECURITY?
Yes they can. SSL sessions are negotiated between the server and browser. If both support 128 bits, the session will use 128-bit encryption. If either the server or the browser supports only 40 bits, then the session will be at 40 bits. As long as your server is 128-bit capable, you will establish 128-bit sessions with any other capable browser. For example, US/domestic versions of all browsers support 128-bit security.

WHAT BROWSERS WILL MY SGC SUPERCERT WORK WITH?
SGC SuperCerts are recognized by Internet Explorer 4.x, and Netscape 4.06, and later. Older browsers will still create a secure SSL connection to your server at 40, 56, or 128 bits depending on the browser support.

WHY IS THIS CERTIFICATE ISSUED BY A DIFFERENT CA THAN THE SSL WEB SERVER CERTIFICATE AND SSL123 CERTIFICATE?
The SGC SuperCert is issued by an Intermediate CA certificate so that customers can identify the difference between an SGC "step up" Certificate and a regular SSL Web Server Certificate.

Please note: In order for the SGC SuperCert to be authenticated correctly to all browsers, the Intermediate Certificate (thawte SGC CA) must be installed on the server.

The SGC SuperCert is signed by the thawte SGC CA Intermediate Certificate, which is in turn signed by the Verisign Class 3 Public Primary CA Root Certificate (Root Certificate > Intermediate Certificate > issued Certificate). Because the Intermediate Certificate is not shipped with any browser and is therefore untrusted, you have to install both the issued Certificate and the Intermediate Certificate on the server. Whenever an SSL session is invoked, the server will then present the Certificate chain (Intermediate Certificate > issued Certificate) to the browser, and the browser can validate the complete chain right up to the root issuer, which is included in the browser, and trust the Certificate.

This is how the certificate path will look in your certificate:

Verisign Class 3 Public Primary CA
    thawte SGC CA
        www.mydomain.com

HOW DOES AN SGC SUPERCERT WORK?
Recent browsers from Netscape and Microsoft include "SGC" or "Step-Up" enhancements to the basic SSL protocol. These enhancements were designed to give some foreign firms access to strong crypto for web security while preserving the broad thrust of US export regulations.

The browser initiates a normal (weak) SSL connection. When it sees the special flag in the SGC SuperCert, and verifies that the SGC SuperCert was issued by a recognized "licensed" Certificate Authority, it restarts the connection, but this time acting as a fully secure 128-bit-capable browser, creating a 128-bit key to protect your communications with that web server with the strongest possible encryption.

CAN I REQUEST A TEST SGC SUPERCERT?
The Test system can issue certificates that are compatible with Netscape and Microsoft requirements for SGC or Step-Up certificates. However, you can't request a Test SGC SuperCert, as the thawte Test CA root certificate is not trusted for SGC; the browser therefore won't restart the connection in order to step up the session to 128-bit encryption.

WHICH SERVERS ARE COMPATIBLE WITH THE SGC SUPERCERT?
Please read the thawte SGC SuperCert server compatibility list in the following Knowledge Base solution: SO785

HOW DO I INSTALL AN SGC SUPERCERT?
To install an SGC SuperCert on your server software platform, please read the instructions in the following Knowledge Base solution: SO3047

SGC SUPERCERT TECHNOLOGY
thawte has been issued a license by the US Bureau of Export Administration (BXA) which allows us to issue certificates that enable you to enforce 128-bit SSL sessions in older, export-version browsers, which are usually restricted to 40/56-bit encryption.

The difference between SuperCerts and normal SSL Certificates is that whenever an export-version browser (IE4.x and Netscape 4.06 and later) connects to a site using an SGC SuperCert, the SSL session will be 'stepped up' to 128 bits, instead of being negotiated at an encryption level the browser can handle (40/56 bits).

GETTING AN SGC SUPERCERT
You submit a certificate request file (CSR) to us. thawte then verifies your identity, contained in the certificate, and when satisfied, signs that request file, using the trusted thawte CA root key, and issues it to you as your certificate.

THAWTE SGC SUPERCERT SUPPORT
thawte is a trusted certificate provider. We do not make or support any software. We are more than happy to help wherever certificates are used; however, in the case of software-specific issues, we may not always be able to help. The best people to contact will always be your software vendor.