Why SSL certificates are signed with private key?


As far as I read, all SSL certificates are signed using the public key of the asymmetric pub/priv key pair.

But all (at least the ones I checked) the examples out there on the internet are using the private key.

One way I found for self-signing is using below command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

Other way I found is:

sudo openssl genrsa -out mykey.key 2048
sudo openssl req -new -key mykey.key -out mycsr.csr
sudo openssl x509 -req -days 365 -in mycsr.csr -signkey mykey.key -out mycert.crt

Are the above examples using the public key to create the certificate, or the private key? If the private key, is that the right usage?

One more thing,

What is the difference between self-signing and CA signing the certificate?
Is there any additional information about the signing authority present in the certificate?

And what does CA signing actually mean?
Do they use their own private keys to sign or what is it all about?

EDIT:

The above statement "As far as I read" is from point #2 of the following website. I could be completely wrong in understanding its statement, since I'm very new to SSL concepts.

http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html

If the private key is used for signing the certificate and the same private key is also used in the Apache HTTP server configuration, I'm still confused about where the browser will get the public key in its initial SSL handshake.

I'm referring to the following configuration of Apache httpd:

<VirtualHost 192.168.0.1:443>
  DocumentRoot /var/www/html2
  ServerName www.yourdomain.com
  SSLEngine on
  SSLCertificateFile /path/to/your_domain_name.crt
  SSLCertificateKeyFile /path/to/your_private.key
  SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

UPDATE:

I'm specifically pointing to section 1.2.2 of the above link, where it states:

This someone, you have to implicitly trust: you have his/her certificate loaded in your browser (a root Certificate). A certificate, contains information about the owner of the certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource location or Distinguished Name (DN) which includes the Common Name (CN) (web site address or e-mail address depending of the usage) and the certificate ID of the person who certifies (signs) this information. It contains also the public key and finally a hash to ensure that the certificate has not been tampered with.


There are 1 answers

user207421 On BEST ANSWER

Why SSL certificates are signed with the private key?

Because that's how digital signatures are defined. Signing it with the public key wouldn't prove anything. A digital signature has to be something that only the signer can do, just like your signature on a cheque, only harder to forge. Much harder.

As far as I read, all SSL certificates are signed using the public key of the asymmetric pub/priv key pair.

No you didn't, you misunderstood what you were reading.

But all (at least the ones I checked) the examples out there on the internet are using the private key.

Of course.

Are the above examples using the public key to create the certificate, or the private key? If the private key, is that the right usage?

They are using both. The public key is embedded in the certificate and the private key is used to sign it.

What is the difference between self-signing and CA signing the certificate? Is there any additional information about the signing authority present in the certificate?

Yes, there is an IssuerDN field.

And what does CA signing actually mean? Do they use their own private keys to sign?

Yes.

The above statement As far as I read is from point#2 of the following website.

No it isn't.

I could be completely wrong

Yep.

If the private key is used for signing the certificate and the same private key is also used in the Apache HTTP server configuration, I'm still confused about where the browser will get the public key in its initial SSL handshake.

From the certificate.

I'm specifically pointing to section 1.2.2 of the above link, where it states:

[snip] It contains also the public key and finally a hash to ensure that the certificate has not been tampered with.

There is nothing there about signing the certificate with the public key. 'Contains' does not mean 'signed with'.
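As an added example (not part of the question or the answer above), the following shell script uses openssl to check the two points made here: the public key embedded in a certificate is the same one derived from the private key that signed it, and the Issuer of a self-signed certificate names itself while a CA-signed one names the CA. It assumes openssl is installed; the file names and subject names are made up for the demo.

```shell
#!/bin/sh
# Added example: certificate = public key + issuer info, signed by a PRIVATE key.
# Assumes an openssl CLI; every file and name below is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Server key pair. Only its public half will ever appear in a certificate.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null

# 2. Self-signed: the server's own private key signs the server's certificate.
openssl req -x509 -new -key "$WORK/server.key" -days 365 \
  -subj "/CN=www.example.test" -out "$WORK/self.crt" 2>/dev/null

# 3. CA-signed: a separate CA key signs a CSR built from the same server key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -days 365 \
  -subj "/CN=Demo Root CA" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -key "$WORK/server.key" -subj "/CN=www.example.test" \
  -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/casigned.crt" 2>/dev/null

# Public key a browser extracts from the certificate during the handshake (PEM).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
# Public key derived from the private key, for comparison (PEM).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }
# The IssuerDN field: who signed this certificate.
cert_issuer() { openssl x509 -in "$1" -noout -issuer; }
# Signature check against a trust anchor: prints "ok" or "fail".
verify_against() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "self-signed : $(cert_issuer "$WORK/self.crt")"
echo "CA-signed   : $(cert_issuer "$WORK/casigned.crt")"
echo "self.crt vs itself      : $(verify_against "$WORK/self.crt" "$WORK/self.crt")"
echo "casigned.crt vs ca.crt  : $(verify_against "$WORK/casigned.crt" "$WORK/ca.crt")"
echo "casigned.crt vs self.crt: $(verify_against "$WORK/casigned.crt" "$WORK/self.crt")"
```

Both certificates carry the identical public key; what differs is whose private key produced the signature, and therefore which Issuer they name and which trust anchor verifies them.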