0

I'm trying to understand the logical flow of an SSL certificate.

Suppose I have a website running on a machine. I generate a CSR file that contains information (e.g. common name, organization, country, ...) and my public key, so I sign those with my private key and it generates a CSR file.

When I send that CSR file to the CA, then what will the CA respond to me with?

Possibly a .cer file! In case that's true, then what's in it and what's the use of that .cer file?

Mostafa
  • 103
  • 3

2 Answers

2

Possibly a .cer file!

That's correct. The CA produces an X.509 certificate, which often has a .cer or .crt file extension.

Then What's in it and what's the use of that .cer file?

The certificate contains the public key copied from the CSR and other information about the requesting entity, the certificate usage, and helper information that helps certificate consumers validate the certificate. See RFC 5280 §4 for more information that can be included in the certificate.

The certificate, along with the associated private key, can be bound to a web-enabled service to provide support for SSL/TLS connections. Depending on the key usages, the certificate can be used to perform data encryption (not related to TLS) and data integrity (signing).

Crypt32
  • 5,750
  • 12
  • 24
  • In addition to the newly-issued-for-you cert, the CA will nearly always provide, or at least make available for example by linking to, at least one intermediate or 'chain' cert that needs to be configured and used along with your cert and private key in order for your cert to be accepted by peers. There are several formats used for this, but the filename and/or URL will often include 'chain' or 'bundle'. – dave_thompson_085 Jun 23 '22 at 01:42
2

The main purpose of a CA is to confirm the identity of the owner of the certificate.

In the case of a website, the certificate confirms that the public key really belongs to this website. Otherwise any website could claim it is google.com or microsoft.com. When you establish a TLS connection to a website my-bank.com, you can be sure it is really my-bank.com and not some phishing website. Otherwise your browser would warn you that the certificate presented by this website does not belong to this site and would refuse to establish a connection.

In the case of a personal digital signature, the certificate confirms that the owner is really the person described in the certificate fields. Otherwise everyone could claim to be Elon Musk or Jeff Bezos.

Validation depends on the certificate type. For an email certificate (an S/MIME certificate) and for a basic domain-validated certificate (a DV certificate), verification is usually simple, and that's why it is relatively cheap. Validation of an organization involves checking corporate registries and is more expensive.

mentallurg
  • 8,536
  • 4
  • 26
  • 41
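Both answers describe the same flow end to end: the requester generates a key pair and a self-signed CSR, the CA checks the CSR and copies its public key and subject into an X.509 certificate signed with the CA key, and a client later chains that certificate to a trusted root and checks the host name. The following Go program is an added example written for this page, not code from either answerer; it uses only the standard library's crypto/x509 package and builds a throwaway in-memory CA. The names ToyCA, NewToyCA, MakeCSR, Issue and VerifyForHost, the "Example Toy Root CA" subject and the 24-hour validity are all assumptions of the example, and the host names are the ones used in the second answer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyCA holds a CA key and its self-signed certificate. Constructed in memory
// for illustration only; a real CA keeps this key offline or in an HSM.
type ToyCA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewToyCA creates a self-signed root with the CA basic constraint and the
// certSign key usage, which is what lets it issue other certificates.
func NewToyCA() (*ToyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Toy Root CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ToyCA{Key: key, Cert: cert}, nil
}

// MakeCSR plays the website operator: generate a key pair and a CSR that
// carries the subject fields and the public key, signed with the private key.
func MakeCSR(host string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host, Organization: []string{"Example Org"}},
		DNSNames: []string{host},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// Issue plays the CA: check the CSR's self-signature (proof of possession of
// the private key), copy its public key, subject and SANs into a leaf template,
// and sign that template with the CA key. The CA never sees the private key.
func (ca *ToyCA) Issue(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForHost plays the browser: chain the leaf to the trusted roots and
// check that the certificate is valid for the host being connected to.
func VerifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, err := NewToyCA()
	if err != nil {
		panic(err)
	}
	siteKey, csrDER, err := MakeCSR("my-bank.com")
	if err != nil {
		panic(err)
	}
	leaf, err := ca.Issue(csrDER)
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", leaf.Subject, "| issuer:", leaf.Issuer, "| SANs:", leaf.DNSNames)
	fmt.Println("public key in cert equals CSR key:", siteKey.PublicKey.Equal(leaf.PublicKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	fmt.Println("verify as my-bank.com:", VerifyForHost(leaf, roots, "my-bank.com"))
	fmt.Println("verify as google.com:", VerifyForHost(leaf, roots, "google.com"))
	fmt.Println("verify with empty trust store:", VerifyForHost(leaf, x509.NewCertPool(), "my-bank.com"))
}
```

The first verification succeeds, the second fails with a hostname error because the certificate only names my-bank.com, and the third fails with an unknown-authority error because the client does not trust the issuing CA; those last two failures are exactly the cases where a browser shows a warning. Real deployments also send the intermediate certificates mentioned in the comment above, which would go into the Intermediates pool of x509.VerifyOptions rather than Roots.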