This article explain the best practise for preparing the infrastructure for 2048-bit SSL certificates. Secure socket layer (SSL) technology continues to be essential to the growth of the web. With unabated increases in eCommerce traffic along with transmission of personal information, SSL is a necessity.
Best practices for Preparing the infrastructure for 2048-bit SSL certificates:
1. Offload SSL session set-up and bulk data encryption to an ADC that is optimized for 2048-bit SSL processing. High-performance ADCs integrate hardware-based SSL acceleration that is capable of handling far more SSL TPS than a general purpose server. Advanced ADCs can also rewrite client requests and application responses from clear text HTTP to SSL-secured HTTPS on the fly, automatically forcing the
entire application to be SSL protected even if the application was not originally designed for SSL.
2. Take inventory of each infrastructure element that is terminating SSL traffic. Make sure that it has the processing capacity to support stronger levels of encryption without adding latency or dropping packets.
3. Complete an audit of SSL certificates currently in use. Those that expire soonest will need to be renewed first, and your certificate authority will likely mandate that the certificate renewal be at 2048-bit key strength.
4. Evaluate current SSL performance requirements of your network and applications. Beyond measuring current traffic capacities, extrapolate historical growth rates for at least an additional three years. The goal is to design the infrastructure to meet both present and future requirements.
5. Do not focus solely on SSL throughput metrics. It is SSL transactions per second (TPS) that matters most for proper infrastructure sizing. Make sure that each component is optimized for 2048-bit keys.
6. Start with evaluation certificates for less mission critical applications to gain familiarity with the technology and understand the new performance demands. Free trial development SSL certificates are available from Symantec (certificate evaluation).
7. Move to 2048-bit certificates first. 4096-bit or greater SSL keys will only be required in exceptional circumstances.
8. For highly sensitive applications, re-encrypt communications between the ADC and the back-end server infrastructure. This provides end-to-end encryption which may be required in some environments. All popular ADC solutions support SSL re-encryption.
9. Measure end-user application performance before, during and after the transition to 2048-bit SSL. Pay particular attention to SSL session negotiation times at various load conditions. There are a number of commercial services that offer detailed performance measurements. However, make sure they have the capability to measure end-to-end performance of SSL-secured HTTPS applications. In addition, many ADCs also offer application performance monitoring tools that can be used to assess overall impact.