
The answer found on this Server Fault thread is my jumping-off point for this general topic: https://serverfault.com/a/313558

... and this question can be thought of as a follow-up to that answer.

Does my SSL cert have anything to do with or say about the symmetric session key? (I know that the browser and web server both have a role there, but what about the cert itself?)

If YES: Where is it specified in the cert?

If NO: Why do CAs all boast about "128-bit to 256-bit encryption" which is implicitly referring to the session key?

    The answers are NO, and because all marketing people should be shot, respectively. – Michael Hampton Jun 08 '15 at 20:44
  • Maybe the marketing guys talk about the symmetric session key while submitting the CSR, from the client's browser to their own servers... – sebix Jun 09 '15 at 07:26

1 Answer


No. The strength and type of the symmetric encryption used is negotiated by your browser and web server (and thus based on their configuration). The certificate simply allows the key agreement to happen in a secure (authenticated) fashion.

Concerning your follow-up question: it's mostly a marketing gag. The certificate they sell enables you to use 256-bit encryption during the session, which is, of course, also true for absolutely any standard-compliant X.509 certificate.

mat