certificate copy risk

We are planning to install ssl in our webserver. We got the certificate from a ca. since we are new to this we have hired someone to install this certificate for us. I have the certificate on my flash. He told me to email it to him or give him a copy of it so he can install it. The question now, is it risky if he keeps a copy of the certificate or it is useless for him? Or I should take the usb flash and stay with him until he complete ssl installation and take out the flash after he finished, making sure that he does not copy it. I know this may be weird to you but I am new to this and I do not want to take a risk!
I appreciate your help
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The SSL certificate was signed for your domain only.  Unless the person you contracted to do the install for you wants to spoof a site and pretend to be your domain, then I'd say you are relatively safe.  I'd also have to question your level of trust with a vendor if you thought they would go to such lengths to stick it to you.
I'm not above reasonable precautions, however, in my estimation, there would be significant work on the vendor's part to make your CA signed SSL cert do them any good.
Dave HoweSoftware and Hardware EngineerCommented:
As long as it *IS* just the certificate, it doesn't matter. The certificate is (by definition) sent to every client that connects to your server.

However, the certificate can only be installed to the system that generated its CSR in the first place, and then may well be re-exported as a pfx (pkcs #12) file - those have a couple of issues, primarily that any packet captures made from internet explorer (but not firefox) can be decrypted using wireshark if you have access to the pfx.  The odds of that being in any way practical are low however.
alex-2010Author Commented:
It is really good to know that certificate can only be installed to the system that generated its CSR in the first place. the csr was generated by one of our iis servers. this guy we hired is trying to install the ssl in an appliance firewall , and he told me to that he is having some problems installing it! do you thing he will be able to? or i should tell him to get the csr from the appliance and get a new certificate from the ca, because we should terminate the ssl on the firewall.

Starting with Angular 5

Learn the essential features and functions of the popular JavaScript framework for building mobile, desktop and web applications.

I would have to ask exactly what your purpose is for the SSL cert?  There are particular reasons to have it on an IIS server, and there are other reasons to have it in a Firewall appliance.
It's possible he is trying to set up SSL bridging through the firewall, but then the firewall vendor should have explicit instructions on how to accomplish this.
alex-2010Author Commented:
we were planning to have the ssl on the iis before, but the firewall vendor recommended to terminate the ssl on the firewall for performance issue. now he is trying to install the cert on the firewall but he did not succeeded  yet
alex-2010Author Commented:
do you think he will be able to do the ssl termination on the firewall with csr generated from iis?
As DaveHowe mentioned "the certificate can only be installed to the system that generated its CSR."  So if the IIS server created the CSR, then that is where it needs to be installed, otherwise, you will have to generate another CSR from the firewall and go from there.
Dave HoweSoftware and Hardware EngineerCommented:
Ok, I will take this from the top.

SSL uses a system of encryption called "public key"  - effectively the key comes in two halves, the public half which is given to the client, and the private half, which is kept secure and never leaves the server.

Normally, you will generate the private key and a certificate signing request at the same time. the private key remains on the server, and the CSR is sent to the CA to sign and return as a certificate. The certificate is then imported into the server that generated the CSR, where it is matched to its original private key to form a full keypair - only a full keypair can be used for SSL.

In operation, the certificate (with its public key and signature) is sent to the client (usually a browser) which verifies the signature, verifies the hostname in the certificate, and then uses the public key to encrypt the data it sends to the server. The server can then use the private key to decrypt the data it received, and continues with its conversation.

once the keypair is formed, it can usually be exported again as a keypair - this is a pfx (pkcs12) file, rather than a certificate. pfx files are usually exported as soon as the certificate is imported, for backup/recovery purposes. usually a pfx will have a password set so that it is not usable by a third party without knowing the password.

IF you generated the CSR on a different system, AND that system has the correct name (usually the CSR will generate with the server's name, and hence the resulting cert is only valid for a server with that name) You can usually import that cert to the generating system, re-export as a pfx, and import that to the target system.

you can also generate the CSR, key, pfx etc separately - the easiest tool for this is free from http://sourceforge.net/projects/xca (with instructions at http://xca.sourceforge.net/ )
alex-2010Author Commented:
Thank you all for your help
Dear DaveHowe
I understand your reply until the third paragraph! , the rest is over my head.
Let me put the question in another way
If there is a secure communication between a client and a web server using ssl, and someone has a copy the certificate for that server. If he could sniff the traffic between the client and the server, will he be able to decrypt  the traffic using that certificate?
I appreciate your reply
Dave HoweSoftware and Hardware EngineerCommented:

Everyone who ever visits a server will have the certificate - in fact, if you go to any https website, and look for a padlock icon in your brower (on the toobar in firefox, and to the right of the url in ie) it will show you, in full, the certificate for that site.

The certificate has three parts, all important in different ways.
It has the public key for the encryption (more on that in a moment)
it has the certificate information (which includes the name of the site and the dates for which the certificate is valid)
it has a signature from a CA.

first, the signature is verified - this ensures that the certificate has not been tampered with (substituting a different site name or public key, for example)

Then, the CA is asked if the certificate has been revoked (just in case it was cancelled due to being stolen)

next, the data in the cert is matched against site name, current date, etc etc to ensure that it is the correct cert for the site the browser thinks it is talking to.

finally, the public key is extracted and used to encrypt the data to the server.

the best way to imagine the difference between the private key and the public key is to imagine that the public key is, in fact, a lock, and the private key the key that fits that lock

using the public key, the transmission from the browser is *locked* and sent to the server, where the private key is used to unlock it.

anyone can have the public key - it is given away by the server every time you talk to it - but it can only be used to lock messages, not unlock them. for that you need the private key, and that is never taken away from the server - it must be protected, so that the server can unlock messages but nobody else can.

In practice, the "message" sent by the browser is something called a premaster secret, but that doesn't matter - the important thing is that it gets to the server securely by using the public key from the certificate, which need not be (and in fact, isn't) kept secret.
alex-2010Author Commented:
Dear DaveHowe
thanks a lot this information is helpful for me, the bottom line now is the private key, what do u mean whey u said that the private key is never taken a way? you mean it  can not be copied or used outside the server?
Dave HoweSoftware and Hardware EngineerCommented:
Ideally it should never leave the server - it is never needed outside the server, and exporting it creates a security risk. However, it often *can* be exported, for backup purposes, and usually in a password protected pfx file with the certificate it matches.
alex-2010Author Commented:
Another confusing thing about the private key, someone told me that you can create csr fire in my labtop, send it to the ca, then when I get the certificate from the ca I can make export and import from the labtop to the webserver! So where is the private key now? Is it in my labtop or in the webserver?
Dave HoweSoftware and Hardware EngineerCommented:
you can generate a CSR on a laptop, send it to the CA, and import (to the laptop) the CER file you get back. That will let you export (from the laptop) a pfx, which is a password protected single file containing both the cert and the private key.

once you import that to the webserver, the private key will be in all three places - the laptop, the pfx file, and the webserver.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.