Public Keys, Private Keys, and Certificates
When performing authentication, SSL uses a technique called public-key cryptography.
Public-key cryptography is based on the concept of a key pair, which consists of a public key and a private key. Data that has been encrypted with a public key can be decrypted only with the corresponding private key. Conversely, data that has been encrypted with a private key can be decrypted only with the corresponding public key.
The owner of the key pair makes the public key available to anyone, but keeps the private key secret.
A certificate verifies that an entity is the owner of a particular public key.
Certificates that follow the X.509 standard contain a data section and a signature section. The data section includes such information as:
- The Distinguished Name of the entity that owns the public key
- The Distinguished Name of the entity that issued the certificate
- The period of time during which the certificate is valid
- The public key itself
You can obtain a certificate from a Certificate Authority (CA) such as VeriSign. Alternately, you can create a self-signed certificate, in which the owner and the issuer are the same.
An organization that issues certificates can establish a hierarchy of CAs. The root CA has a self-signed certificate. Each subordinate CA has a certificate that is signed by the next highest CA in the hierarchy. A certificate chain is the certificate of a particular CA, plus the certificates of any higher CAs up through the root CA.