As far as I read all the SSL certificates are signed using public key of the asymmetric pub/priv key pair.
But all (at least what I checked) the examples out there on the internet are using the private key.
One way I found for self-signing is using below command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Other way I found is:
sudo openssl genrsa -out mykey.key 2048
sudo openssl req -new -key mykey.key -out mycsr.csr
sudo openssl x509 -req -days 365 -in mycsr.csr -signkey mykey.key -out mycert.crt
Are the above examples using the public key or the private key to create the certificate? If the private key, is it a right usage?
One more thing: what is the difference between self-signing and CA signing the certificate?
Is there any additional information of the signing authority present in the certificate?
And what does CA signing actually mean?
Do they use their own private keys to sign or what is it all about?
EDIT:
The above statement, "As far as I read ...", is from point #2 of the following website. I could be completely wrong in understanding its statement since I'm very new to SSL concepts:
http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
If the private key is used for signing the certificate and the same private key is also used in the Apache HTTP server configuration, I'm still confused about where the browser will get the public key in its initial SSL handshake.
I'm referring to the following configuration of Apache httpd:
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
UPDATE:
I'm specifically pointing to section 1.2.2 of the above link, where it states:
This someone, you have to implicitly trust: you have his/her certificate loaded in your browser (a root Certificate). A certificate contains information about the owner of the certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource location or Distinguished Name (DN) which includes the Common Name (CN) (web site address or e-mail address depending on the usage) and the certificate ID of the person who certifies (signs) this information. It also contains the public key and finally a hash to ensure that the certificate has not been tampered with.
Because that's how digital signatures are defined. Signing it with the public key wouldn't prove anything. A digital signature has to be something that only the signer can do, just like your signature on a cheque, only harder to forge. Much harder.
No, you didn't; you misunderstood what you were reading.
Of course.
They are using both. The public key is embedded in the certificate and the private key is used to sign it.
Yes, there is an IssuerDN field.
Yes.
No, it isn't.
Yep.
From the certificate.
There is nothing there about signing the certificate with the public key. 'Contains' does not mean 'signed with'.
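An added example (not from the question or the answer) that shows the two points above in code using the Python `cryptography` package: the subject's public key is what goes into the certificate, the issuer's private key is what signs it, and the IssuerDN records who signed. It builds a self-signed root and a CA-signed server certificate, then verifies the server certificate's signature with the CA's public key taken from the CA certificate. The names "Example CA" and "www.example.test" are made up.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key):
    """Subject's PUBLIC key is embedded; issuer's PRIVATE key signs."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))          # becomes the IssuerDN field
        .public_key(subject_key.public_key())   # the key the browser will use
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(issuer_key, hashes.SHA256())      # only the issuer can do this
    )


def signature_valid(cert, candidate_public_key):
    """Check cert's signature over its TBS bytes with a candidate public key."""
    try:
        candidate_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def demo():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Self-signed root (made-up name): issuer == subject, signed with its own private key.
    ca_cert = make_cert("Example CA", ca_key, "Example CA", ca_key)
    # CA-signed leaf (made-up name): server's public key inside, CA's private key signs.
    srv_cert = make_cert("www.example.test", srv_key, "Example CA", ca_key)
    return {
        "ca_is_self_signed": ca_cert.issuer == ca_cert.subject,
        "srv_issuer_is_ca": srv_cert.issuer == ca_cert.subject,
        "srv_sig_verifies_with_ca_pubkey": signature_valid(srv_cert, ca_cert.public_key()),
        "srv_sig_verifies_with_own_pubkey": signature_valid(srv_cert, srv_cert.public_key()),
    }
```

The last entry is false: the server's own public key cannot verify its certificate, because the signature was made with the CA's private key, which is exactly what a browser relies on when it checks a chain.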