Thawte SGC (Server Gated Cryptography SSL) SuperCert FAQs

General Information ID: INFO1116
Version: 5.0
Published: 05/11/2009
Updated: 02/23/2012

Description

Why would I need a Thawte SGC (Server Gated Cryptography SSL) SuperCert for SSL?

Prior to 2001, the US government placed restrictions on the export of so-called 'strong encryption' software. As a result, Netscape and Microsoft released two versions of their browsers: US/domestic, which supported 128 bit encryption, and Non-US/International, which supported only 40 bit, and later 56 bit, encryption.

Using a Thawte SuperCert enables the Non-US versions to step up to 128 bit encryption. If you have installed a Thawte SGC (Server Gated Cryptography SSL) SuperCert, all supported browsers will be forced to use a 128 bit session key when communicating with your secure server. So, if you want the strongest available security for all your customers, particularly those with Non-US browsers, you need a Thawte SGC (Server Gated Cryptography SSL) SuperCert. SuperCerts work the same way as standard SSL certificates, but contain an additional 'flag' which Netscape and Microsoft browsers recognize in order to access their (hidden) strong encryption capabilities.

Can normal SSL certificates provide 128-bit security?

Yes, they can. SSL sessions are negotiated between the server and browser. If both support 128 bits, the session will use 128 bit encryption. If either the server or the browser supports only 40 bit, then the session will be at 40 bits. As long as your server is 128 bit capable, you will establish 128 bit sessions with any other capable browser. For example, US/domestic versions of all browsers support 128 bit security.

What browsers will my Thawte SGC (Server Gated Cryptography SSL) SuperCert work with?

Thawte SGC (Server Gated Cryptography SSL) SuperCerts are recognized by Internet Explorer 4.x and Netscape 4.06, and later versions. Older browsers will still create a secure SSL connection to your server at 40, 56, or 128 bits, depending on the browser support.

Why is this certificate issued by a different CA than the SSL Web Server Certificate and SSL123 Certificate?

The Thawte SGC (Server Gated Cryptography SSL) SuperCert is issued by an Intermediate CA certificate so that customers can identify the difference between a Thawte SGC (Server Gated Cryptography SSL) "step up" Certificate and a regular SSL Web Server Certificate.

Please note: 

In order for the Thawte SGC (Server Gated Cryptography SSL) SuperCert to be authenticated correctly to all browsers, the Intermediate Certificate (Thawte SGC (Server Gated Cryptography SSL) CA) must be installed on the server.

The Thawte SGC (Server Gated Cryptography SSL) SuperCert is signed by the Thawte SGC (Server Gated Cryptography SSL) CA Intermediate Certificate, which is in turn signed by the Verisign Class 3 Public Primary CA Root Certificate (Root Certificate > Intermediate Certificate > issued Certificate). Because the Intermediate Certificate is not shipped with any browser, it is untrusted on its own. You therefore have to install both the issued Certificate and the Intermediate Certificate on the server, so that whenever an SSL session is invoked the server presents the Certificate chain (Intermediate Certificate > issued Certificate) to the browser. The browser can then validate the complete chain right up to the root issuer, which is included in the browser, and trust the Certificate.

This is how the certificate path will look in your certificate: 

Verisign Class 3 Public Primary CA  
   Thawte SGC (Server Gated Cryptography SSL) CA  
     www.mydomain.com
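
The chain requirement described above can be modelled in a few lines. This is an added example, not Thawte code: certificates are reduced to constructed (subject, issuer) name pairs, and the function name build_path is hypothetical. It shows why a server that sends only the issued certificate fails validation and which certificate it needs to add.

```python
# Added example. Certificates are reduced to (subject, issuer) name pairs;
# real validation also verifies signatures, validity periods and extensions.
ROOT = "Verisign Class 3 Public Primary CA"
INTERMEDIATE = "Thawte SGC (Server Gated Cryptography SSL) CA"
LEAF = "www.mydomain.com"
BROWSER_ROOT_STORE = {ROOT}  # the only certificate of the three the browser ships

def build_path(presented, trust_store):
    """Follow issuer links from the leaf (presented[0]) to a trusted root.

    Returns (path, missing): the chain of names if a trusted root is reached,
    otherwise None plus the issuer name that could not be resolved.
    """
    issuer_of = dict(presented)          # subject -> issuer, any order
    subject, issuer = presented[0]
    path = [subject]
    while issuer not in trust_store:
        if issuer in path:               # issuer loop or untrusted self-signed cert
            return None, issuer
        if issuer not in issuer_of:      # link missing from what the server sent
            return None, issuer
        path.append(issuer)
        issuer = issuer_of[issuer]
    return path + [issuer], None

# Constructed handshakes: server with and without the intermediate installed.
COMPLETE = [(LEAF, INTERMEDIATE), (INTERMEDIATE, ROOT)]
LEAF_ONLY = [(LEAF, INTERMEDIATE)]

if __name__ == "__main__":
    print(build_path(COMPLETE, BROWSER_ROOT_STORE))
    print(build_path(LEAF_ONLY, BROWSER_ROOT_STORE))
```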

How does a Thawte SGC (Server Gated Cryptography SSL) SuperCert Work?

Recent browsers from Netscape and Microsoft include "SGC" or "Step-Up" enhancements to the basic SSL protocol. These enhancements were designed to give some foreign firms access to strong crypto for web security while preserving the broad thrust of US export regulations. The browser initiates a normal (weak) SSL connection. When it sees the special flag in the Thawte SGC (Server Gated Cryptography SSL) SuperCert, and verifies that the Thawte SGC (Server Gated Cryptography SSL) SuperCert was issued by a recognized "licensed" Certificate Authority, it restarts the connection, this time acting as a fully secure 128-bit-capable browser and creating a 128 bit key to protect your communications with that web server with the strongest possible encryption.
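
The browser-side decision described above, as an added example that is not Thawte or browser code. It assumes the "flag" is the pair of Extended Key Usage OIDs used for Netscape Step-Up (2.16.840.1.113730.4.1) and Microsoft SGC (1.3.6.1.4.1.311.10.3.3); the sample EKU bytes are constructed, the licensed-CA check is simplified to an issuer-name lookup, and the function names are hypothetical.

```python
# Added example. Sample EKU values are constructed, not taken from a real certificate.
SGC_OIDS = {
    "2.16.840.1.113730.4.1": "Netscape Step-Up",
    "1.3.6.1.4.1.311.10.3.3": "Microsoft SGC",
}
# Assumption: the "licensed CA" check is reduced to an issuer-name lookup.
LICENSED_CAS = {"Thawte SGC (Server Gated Cryptography SSL) CA"}

# DER SEQUENCE OF OID: serverAuth + Netscape Step-Up + Microsoft SGC
SUPERCERT_EKU = bytes.fromhex(
    "3021" "06082b06010505070301" "06096086480186f8420401" "060a2b0601040182370a0303")
STANDARD_EKU = bytes.fromhex("300a" "06082b06010505070301")  # serverAuth only

def decode_eku(der):
    """Decode an ExtendedKeyUsage value (short-form lengths only) to dotted OIDs."""
    if len(der) < 2 or der[0] != 0x30 or der[1] > 0x7F or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        if pos + 2 > len(der) or der[pos] != 0x06:
            raise ValueError("expected an OBJECT IDENTIFIER")
        n = der[pos + 1]
        if n == 0 or n > 0x7F or pos + 2 + n > len(der):
            raise ValueError("bad OBJECT IDENTIFIER length")
        body = der[pos + 2 : pos + 2 + n]
        first = min(body[0] // 40, 2)            # first byte packs two arcs
        arcs, value = [first, body[0] - 40 * first], 0
        for byte in body[1:]:                    # base-128, high bit = "more"
            value = (value << 7) | (byte & 0x7F)
            if not byte & 0x80:
                arcs.append(value)
                value = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + n
    return oids

def step_up_allowed(eku_der, issuer):
    """The page's two conditions: flag present AND issued by a licensed CA."""
    flags = [SGC_OIDS[o] for o in decode_eku(eku_der) if o in SGC_OIDS]
    return bool(flags) and issuer in LICENSED_CAS, flags

def session_bits(browser_bits, server_bits, eku_der, issuer):
    """Negotiated strength: an export browser unlocks 128 bits only on step-up."""
    if step_up_allowed(eku_der, issuer)[0]:
        browser_bits = 128
    return min(browser_bits, server_bits)
```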

Can I request a Test Thawte SGC (Server Gated Cryptography SSL) SuperCert?

The Test system can issue certificates that are compatible with Netscape and Microsoft requirements for Thawte SGC (Server Gated Cryptography SSL) or Step-Up certificates. However, you can't request a Test Thawte SGC (Server Gated Cryptography SSL) SuperCert, because the Thawte Test CA root certificate is not trusted for Thawte SGC (Server Gated Cryptography SSL); the browser therefore won't restart the connection in order to step up the session to 128 bit encryption.

Which servers are compatible with the Thawte SGC (Server Gated Cryptography SSL) SuperCert?

Please read the Thawte SGC (Server Gated Cryptography SSL) SuperCert server compatibility list in the following Knowledge Base solution: SO785

How do I install a Thawte SGC (Server Gated Cryptography SSL) SuperCert?

To install a Thawte SGC (Server Gated Cryptography SSL) SuperCert on your server software platform, please read the instructions in the following Knowledge Base solution: SO3047

SGC SuperCert technology

Thawte has been issued a license by the US Bureau of Export Administration (BXA) which allows us to issue certificates that enable you to enforce 128-bit SSL sessions in older, export version browsers, which are usually restricted to 40/56 bit encryption. The difference between SuperCerts and normal SSL Certificates is that whenever an Export version browser (IE4.x and Netscape 4.06 and later) connects to a site using a Thawte SGC (Server Gated Cryptography SSL) SuperCert, the SSL session will be 'stepped-up' to 128-bits, instead of being negotiated at an encryption level the browser can handle (40/56 bits).

Getting a Thawte SGC (Server Gated Cryptography SSL) SuperCert

You submit a certificate request file (CSR) to us. Thawte then verifies your identity, as contained in the certificate, and when satisfied, signs that request file using the trusted Thawte CA root key and issues it to you as your certificate.

Thawte SGC (Server Gated Cryptography SSL) SuperCert support

Thawte is a trusted certificate provider. We do not make or support any software. We are more than happy to help wherever certificates are used; however, in the case of software-specific issues, we may not always be able to help. The best people to contact will always be your software vendor.
