I have a couple of questions about SSL connection process between client and server.
1) During connection process server sends his certificate to the client. Certificate contains his public key and digital signature. How is this digital signature formed? Is it static or generated independently for each connection?
2) When client receives this digital signature he has to decrypt it. Which public key is used for it? Public key of the server or public key of the CA?
1) During connection process server sends his certificate to the client. Certificate contains his public key and digital signature. How is this digital signature formed? Is it static or generated independly for each connection?
The digital signature contained in the certificate sent by the server is generated by a Root CA which the client trust (your browser). This means that a Certificate Authority that you trust has signed the certificate that you are validating. In real world, a Root CA has sign an intermediate CA certificate that has sign the server certificate. The digital signature is a Hash of the server certificate signed with the CA private key.
2) When client receives this digital signature he has to decrypt it. Which public key is used for it? Public key of the server or public key of the CA?
This process is called Certificate Chain Verification. You verificate the digital signature of the server certificate using the public key of the CA that has sign the server certificate. If it's correct, then now you must verificate the digital signature of that CA with the public key of the next CA, until you hit the Root CA that you must trust in order to validate successfully the certificate (along with other checks that are performed).
