SSL Communication: chemistry between {private & public key} and {SSL certificate}

I know the encryption/decryption mechanism for typical HTTPS-based communication.

However, I fail to understand how the chemistry between the two blocks below works:
{private & public key} vs. {SSL certificate}

Please advise.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
https://www.entrustdatacard.com/pages/ssl is one of the 46M+ URLs returned for the search - how ssl certificates work.

The above URL shows a graphic overview of how data flow + keys work.
mac_gAdmin - Middleware Servers

Author

Commented:
Are the public and private keys part of the CA certificate generation mechanism, or are they available locally on this server?
F5 have a great video I think everybody should watch if they don't understand certificates; it explains public/private keys in relation to certificates during a TLS handshake in a browsing session. The concept of using the private/public key combination is otherwise the same regardless of how it is implemented (e.g. HTTPS vs. file encryption, etc.).

In simple terms, the relationship between the public key, the private key and the certificate itself:

Private key: Separate from the certificate, used to decrypt data encrypted with the public key.
Certificate: Certificate file, stores a lot of information including the certificate's public key. The public key is used to encrypt data that is decrypted using the private key.
mac_gAdmin - Middleware Servers

Author

Commented:
From where do we get the private and public keys?

When I sent the CSR to the CA, I received only root/inter/server certificates.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You get your cert files from the issuing authority for your cert.

For example, if you use https://LetsEncrypt.org you'll never generate or see a CSR file, as all this is handled for you (as it should be).

You will never receive a root cert. Ever. Only an issuer has a root cert.

Terms you're using are... odd...

All you really require is to generate a cert + use the resulting files, per your docs. This might be for Apache or Dovecot or some other code. Any code using certs will provide you with docs about which files to use.

If you use LetsEncrypt you can generate your cert once + set up a nightly cron job to renew your cert forever.

With other cert authorities... much manual work is required for each cert renewal... Again, refer to your ISP or Registrar or cert authority, wherever you generate your certs.
From where do we get the private and public keys?

When you generate a CSR the private and public keys are generated. You send off the CSR, which bakes the public key into the certificate. The private key remains in your possession. If you're using Windows this will automatically be stored on the machine. When you import the issued certificate, Windows will match up the private key to the public key automatically. If you're using Java or another cert store you will usually add the private key and the issued certificate to the cert store, e.g. a Java Keystore.

When I sent the CSR to the CA, I received only root/inter/server certificates.

This is correct if you're dealing with a public CA such as, say, DigiCert. The CA will typically send you a zip file which contains the root, any policy/intermediate certs, any required leaf/issuing certificates, and the server certificate itself. The CA will NEVER see your private key. If they do, they are required to immediately revoke your certificate.
Distinguished Expert 2017

Commented:
Go to any secure site and view the certificate detail: the data within is the public key that your browser uses to encrypt your message to the server, and it includes your public key, so that the server, which can only decrypt the message using its private key, can get your public key and encrypt the response that only your side can decrypt.

Without a client/server certificate for mutual identification, the server side with the certificate only has the known public/private key,
while your side uses a temporary/transactional private/public set negotiated during the initial setup/negotiation of the connection.

The certificate serves two uses/purposes: validate what is being contacted and provide the public key to the client connecting.

openssl s_client -connect ipofwebserver:443
mac_gAdmin - Middleware Servers

Author

Commented:
Actually I am using Java-based Linux servers.

When I generate a CSR, usually only one certificate is generated. Is that assumed to be the public key?

Then, is that used to bake/create the CA-signed certificate into root, inter & server certificates?
Then, are these signed root and intermediate certs nothing but public keys used for encryption?

Please clarify.
When I generate a CSR, usually only one certificate is generated. Is that assumed to be the public key?

Yes and mostly no. A CSR contains all of the information required for the certificate, including the public key. These are request attributes. You can extract the public key from a CSR using OpenSSL, for example:

openssl req -in request.csr -noout -pubkey

This would export a public key similar to:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxe8hnHitOmuhRc5t6Uy6
/7R3UpGR60oPzow9RiQDfv6vjmDeg3PXkQUBM1XZnuGedmB3LOpN9B7CEPIKMBqL
6gdr3YNs1/u4yrt+J3CJEGLMNKh2zZJ8GLhboAmh74h/cXpCkjqK1/1K5v4k3Ka4
FVzVQ8f8NPwk3QToA/TfNCkRIpEyfBrImHFJrzeLn9vUcPXvS+Moyyq8WPgKexjF
pROaQBxdM5fsWrMcu2MRoBkuF5tiJQijemvVCGM3Qt8kb9j9J64rqqbIWshNaHr3
X5VI9F+hbnXAK0Rvl2S2d7vMz5Tc9rKK8QUk2/gaR+0wAdSHOKxKc9rQrBd7bExV
0QIDAQAB
-----END PUBLIC KEY-----

So yes, a CSR contains the pending certificate's public key, but no, you would not assume a CSR to be the public key. In scenarios where you want to store the public key separately from the certificate, just export it from the certificate or CSR using OpenSSL.

Then, is that used to bake/create the CA-signed certificate into root, inter & server certificates?

It is used to create the server certificate you have requested. The root, intermediate and issuing CA certificates will have their own public keys, created at their own issuance. But otherwise yes, the CSR is used to hard-code or bake the details provided into the issued certificate.
mac_gAdmin - Middleware Servers

Author

Commented:
That means the (root + intermediate) certificates mostly belong to the certification authority,
and the server certificate would be generated after our CSR, which includes our public key, baked by the certification authority.
That means the (root + intermediate) certificates mostly belong to the certification authority

Correct, their purpose is to sign certificates below them and provide a chain of trust back to the root CA. When using a Java Keystore you will want to install the full chain of certificates.
mac_gAdmin - Middleware Servers

Author

Commented:
I am clear with root + intermediate, thanks for that!
Is the server certificate signed by the CA used as the public key?
Distinguished Expert 2017

Commented:
Each CSR pre-signature is generated by the use of your system's private key; the public key is part of the data within the CSR.
The CA merely signs the CSR, affirming, based on the CA's reputation, the inherent trustworthiness of the certificate when it is presented.

I.e. the CA is like a state DMV in the not too distant past, when one had the option to bring their own photo and the state issued the driver's license with the provided photo.
The photo is like the CSR. Once the state laminated it/included their stamp, the document is seen as trusted, versus one doing the lamination themselves.
mac_gAdmin - Middleware Servers

Author

Commented:
I got the answer to some part of my question from the above: "Each CSR pre-signature is generated by the use of your system's private key; the public key is part of the data within the CSR".

My last query is: when the CA generated 3 certificates (root, intermediate & server certificate) after I submitted the CSR,
what exactly does the "server certificate" contain? The private key or the public key?

Hopefully this is my last clarification.
No, the root certificates were not generated when your CSR was generated. The root chain was in place long before your CSR came along. Big CAs will issue millions of certificates off the same root chain. The difference between CA certs and server certs is the key usage.

A server certificate's key usage will be around identification. I am who I say I am. Digital signing.
A CA certificate's key usage will be around the signing of certificates. Certificate signing, CRL signing.

You can view these details in your browser and look at the difference between a CA cert, be that root/inter/issuing, and a server certificate such as experts-exchange.com.

How certificate chains work.
Distinguished Expert 2017

Commented:
Dealing solely with the certificate-related info:

The server generates a certificate signing request (CSR).
The CSR is submitted to a known Certificate Authority (CA) for signature (think of it as a document needing a notary public stamp, some known legal authority's signature, before it will be trusted by others).
The CA firm has a designated system for signing CSRs, resulting in the issuance of a certificate.
Now the signing system has to be valid/trusted: the CA chain is the set of hierarchical certificates validating the system that signs your server's certificate.
In reverse order of trust:

Your server certificate is signed by a CA certificate issuing system.
The CA's issuing system's certificate is signed/issued by the CA's intermediate issuing CA.
The CA's intermediate issuing system certificate is signed by the CA's root certificate system.
The CA root certificate is a self-signed certificate which is trusted inherently... (consider it recognized, though inherent, for the same reason people accept a government-issued ID).

The reason for this:
The root CA's certificate is commonly valid for 20 years (if compromised, all certificates it signed and all down the line lose their trust/validity), so it is highly guarded, thus the limited use. Certificate trust is revoked.....
The intermediate CA certificate is the same as above, but often valid for less than ....
The issuing CA certificate is valid for a shorter time than the intermediate......
Your server's certificate is valid for a time ..... constrained by the prior.
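The CSR/public-key answer earlier in the thread and the chain walk-through in this last comment, demonstrated end to end as an added example that is not from the thread: it builds a throw-away root, intermediate and server chain with OpenSSL (subject names are constructed placeholders), shows that the private key, the CSR and the issued certificate all carry the same public key while the certificate carries no private key, verifies the chain against the root only, and prints the key usage that separates the CA certs from the server cert.

```shell
#!/bin/sh
# Added example (not from the thread): build a throw-away root -> intermediate -> server
# chain in a temp directory and check which artefact carries which key. Needs openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Every certificate starts as a private key that never leaves this machine, plus a CSR
# derived from it. The CN values are constructed placeholders.
make_key_and_csr() {  # $1 = file prefix, $2 = subject CN
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

# CA certs get the certificate-signing key usages; the server cert gets "identify myself" usages.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext

build_chain() {
  make_key_and_csr root   "Example Root CA"
  make_key_and_csr inter  "Example Issuing CA"
  make_key_and_csr server "www.example.test"
  # Root: self-signed, i.e. its CSR is signed with the root's own private key.
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt 2>/dev/null
  # Intermediate is signed by the root's private key; the server cert by the intermediate's.
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 1 -extfile server.ext -out server.crt 2>/dev/null
}

# The public key derived from the private key, the one inside the CSR and the one inside the
# issued certificate are the same key; only the private key stays out of the CSR and the cert.
same_public_key() {
  from_key=$(openssl pkey -in server.key -pubout 2>/dev/null)
  from_csr=$(openssl req -in server.csr -noout -pubkey)
  from_crt=$(openssl x509 -in server.crt -noout -pubkey)
  [ "$from_key" = "$from_csr" ] && [ "$from_csr" = "$from_crt" ]
}
cert_has_no_private_key() { ! grep -q 'PRIVATE KEY' server.crt; }
# Chain validation: trust only the root, hand the intermediate over as untrusted.
chain_verifies() { openssl verify -CAfile root.crt -untrusted inter.crt server.crt; }
# Key usage is what separates a CA cert from a server cert.
key_usage() { openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'; }

build_chain
same_public_key && echo "private key, CSR and server.crt all carry the same public key"
cert_has_no_private_key && echo "server.crt contains no private key"
chain_verifies
echo "inter.crt  key usage: $(key_usage inter.crt)"
echo "server.crt key usage: $(key_usage server.crt)"
```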
