I was planning on buying an SSL certificate soon for a server (first time), but as I shop around there is one point that I am still unclear on: All the CAs advertise that they "sell certificates", and then they list all the certificates you can buy. However, in my books here at home the process is described as:

1. create the private key on your server (with openssl)
2. create a certificate request (public key) from the private key (with openssl)
3. submit the request to the CA
4. the CA signs the certificate and returns it to you

However, the advertisements never mention anything about submitting your key or signing it. So, is that how it actually works? Or do they actually create the private key for you? Or...?

Rather than regurgitate information I'll just point you here, let us know if it's still unclear.

1 members found this post helpful.

For posterity's sake, I would just add to kbp's post:

If the CA created your private key (or if you transmitted your private key to them) you'd be creating a large hole in the way TLS is supposed to work in securing communication with your service.

Treat it like any other asymmetric encryption scheme. The private key is just as valuable as the data it protects. If you give up the private key, you completely defeat the purpose of the security protocol.

1 members found this post helpful.