SSL Public key/Private question
Hi everyone,
I have a quick newbie question: I know that a public key is used to encrypt data and a private key is used to decrypt data, but who keeps the public/private keys? Does the web server hold both? Does the web server have the public key and the client have the private key? Does the client have both? When I create a key using the openssl command (e.g. openssl genrsa -des3 -out server.key 4096), is that the private or the public key? Please help, thanks.
Typically, you publish your public key to anyone who wants/needs/asks for it. The private key stays, well, secure, on the web server.

The private key can either have an additional security measure to protect itself in case someone copies it (a password), or no password. Having one requires you to be there at service restarts to type in that password. Not having one means service restarts happen automatically, but if someone copies the key, anyone can impersonate your web server and decrypt captured conversations.

When you submit your public key to a CA, they are signing your public key with their private one. The CA-signed public key is then added to your keystore on the web server. When a browser client connects to your web server, the public key is transferred in the initial connection. The client checks the trusted CA's signature on the public key of your web server. If the signature is good, and the hostname matches what's on the certificate, everything is grand.
Thanks for the reply!

So correct me if I'm wrong here:

1. The client's browser initiates a connection.
2. The web server responds and sends its public key.
3. The client receives the public key and encrypts data with it.
4. The client sends the encrypted data back to the web server.
5. The web server then decrypts the data with its private key.

Is this right? So the public and private key both reside on the web server?
That's basically it. There's a little more to it that I'm not qualified to explain at the moment... but basically, the server needs to be able to encrypt the content back to the client. Not sure if it uses a session password (symmetric) or does a browser certificate exchange so that both sides of the conversation are encrypted. I think I'll go read the wiki now... ;)
Both the server's private and public keys reside on the web server.
http://en.wikipedia.org/wiki/Secure_...r#How_it_works
MMmmm
Thanks again!

One more question: so the server's certificate is actually the public key? Is this right?
The certificate contains the public key, but is not the key. In other words, there's more stuff in the certificate than just the key.
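The points made in the two replies above (the private key stays on the server and may be passphrase-protected, the public key is what gets published, and a certificate contains the public key but is more than the key) can be checked directly with the openssl command line. The script below is an added example and is not part of the original thread. It generates a private key with openssl genrsa like the original poster did, derives the public key from it, wraps that key in a self-signed certificate (standing in for the CA-signed one the reply describes), and then shows that the certificate carries the same public key plus identity fields and no private material. It also shows what the -des3 option from the poster's command does: the key file becomes unreadable without the passphrase. The file names under $TMPDIR, the CN www.example.com and the passphrase "correct-horse" are made up for the demo; 2048 bits is used instead of 4096 only to keep it fast.

```shell
#!/bin/sh
# Added example, not from the original thread. Uses the openssl CLI to show
# the relationship between the files the thread talks about. Assumes openssl
# (1.1 or 3.x) is on PATH; file names, the CN and the passphrase are arbitrary.
set -eu

WORK="${TMPDIR:-/tmp}/ssl-key-demo.$$"
mkdir -p "$WORK"
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

# `openssl genrsa` produces the PRIVATE key (2048 bits here for speed; the
# thread used 4096). Without -des3 it is written unencrypted.
gen_private_key() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}

# The public key is derived from the private key; this is the part you may
# hand to anyone.
extract_public_key() {
    openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

# A certificate wraps the public key together with a subject name, an issuer,
# a validity period and a signature. Self-signed here, standing in for the
# CA-signed certificate described in the thread.
make_cert() {
    openssl req -new -x509 -key "$WORK/server.key" -days 1 \
        -subj "/CN=www.example.com" -out "$WORK/server.crt" 2>/dev/null
}

# Public key as embedded in the certificate (SubjectPublicKeyInfo, PEM).
cert_pubkey() {
    openssl x509 -in "$WORK/server.crt" -noout -pubkey
}

# Succeeds when the certificate's embedded key equals the key derived from
# server.key: the certificate contains the public key...
cert_matches_key() {
    [ "$(cert_pubkey)" = "$(cat "$WORK/server.pub")" ]
}

# ...but is more than the key: identity fields live in it too.
cert_subject() { openssl x509 -in "$WORK/server.crt" -noout -subject; }
cert_issuer()  { openssl x509 -in "$WORK/server.crt" -noout -issuer; }

# And the private key must never be in it. Succeeds only if a PRIVATE KEY
# block is found in the certificate file (it should not be).
cert_has_private_key() {
    grep -q "PRIVATE KEY" "$WORK/server.crt"
}

# The -des3 variant from the thread: the key file is encrypted, so every
# read (including a service restart) needs the passphrase.
gen_encrypted_key() {
    openssl genrsa -des3 -passout pass:correct-horse \
        -out "$WORK/server-enc.key" 2048 2>/dev/null
}

# Succeeds only if $1 decrypts the encrypted key file.
encrypted_key_readable_with() {
    openssl rsa -in "$WORK/server-enc.key" -passin "pass:$1" -noout 2>/dev/null
}

run_demo() {
    gen_private_key
    extract_public_key
    make_cert
    gen_encrypted_key
    echo "private key : $WORK/server.key  (stays on the server)"
    echo "public key  : $WORK/server.pub  (publish freely)"
    echo "certificate : $WORK/server.crt  (public key + identity + signature)"
    cert_subject
    cert_issuer
    cert_matches_key && echo "certificate public key == key derived from server.key"
    cert_has_private_key || echo "certificate contains no private key"
    encrypted_key_readable_with correct-horse && echo "encrypted key opens with the right passphrase"
    encrypted_key_readable_with wrong-pass || echo "encrypted key refuses the wrong passphrase"
}

run_demo
```

Run it as sh ssl-key-demo.sh. Compare the two PEM files it leaves behind before the cleanup trap removes them: server.pub and the output of openssl x509 -pubkey are byte-for-byte identical, while the certificate's subject/issuer lines are something the bare key file simply does not have, which is the distinction the last reply is making. The wrong-passphrase call failing is the cost of -des3 that the first reply mentions: something has to supply that passphrase at every service start.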