-   Linux - Newbie (
-   -   SSL Public key/Private question (

masenko703 06-03-2009 03:02 AM

SSL Public key/Private question
Hi everyone,
I have a quick/newb question:

I know that a public key is used to encrypt data and a private key is used to decrypt data but who keeps the public/private keys??

Does the Web Server hold both?
Does the Web Server have the public key and does the client have the private key?
Does the Client have both?

When I create a key using the openssl command (e.g. openssl genrsa -des3 -out server.key 4096) is that the private or public key??

Please help, thanks.

JulianTosh 06-03-2009 05:43 AM

typically, you publish your public key to anyone who wants/needs/asks for it. The private key stays, well, secure, on the web server.

The private key can either have an additional security measure to protect itself in case someone copies it (a password), or no password. Having one requires you to be there at service restarts to type in that password. No having one means service restarts happen automatically, but if someone copies the key, anyone can impersonate your web server and decrypt captured conversations.

When you submit your public key to a CA, they are signing your public key with their private one. The CA signed public key is then added to your keystore on the web server.

When a browser client connects to your web server, the public key is transfered in the initial connection. The client checks the trusted CA's signature on the public key of your web server. If the signature is good, and the hostname matches what's on the certificate, everything is grand.

masenko703 06-03-2009 05:56 AM

Thanks for the reply!!!

So correct me if I'm wrong here:

1. client's browser initiates a connection
2. the web server responds and sends its public key
3. the client receives the public key, writes encrypted data with it
4. the client sends the encrypted data back to the web server
5. then the web server decrypts data with its private key

Is this right? So public and private key both reside on the web server?

JulianTosh 06-03-2009 06:03 AM

That basically it. There's a little more too it and I'm not qualified to express at the moment... but basically, the server needs to be able to encrypt the content back to the client. Not sure if it uses a session password (symmetric) or does a browser certificate exchange so then both sides of the conversation are encrypted. I think I'll go read the wiki now... ;)

Both the server's private and public keys reside on the web server.

JulianTosh 06-03-2009 06:21 AM


* In order to generate the session keys used for the secure connection, the client encrypts a random number (RN) with the server's public key (PbK), and sends the result to the server. Only the server can decrypt it (with its private key (PvK)): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data. The client knows PbK and RN, and the server knows PvK and (after decryption of the client's message) RN. A third party may only know PbK, unless PvK has been compromised.
* From the random number, both parties generate key material for encryption and decryption.

masenko703 06-04-2009 12:01 AM

Thank again!!

One more question, so the server's certicate is the actually the public key?? is this right?

JulianTosh 06-04-2009 12:14 AM

The certificate contains the public key, but is not the key. In other words, there's more stuff in the certificate than just the key.

All times are GMT -5. The time now is 07:12 PM.