> What's the private key?
This is a clip from the modssl FAQ that can be found at
http://www.modssl.org/docs/2.8/ssl_faq.html. There is also a detailed
intro to SSL that can be found here:
http://www.modssl.org/docs/2.8/ssl_intro.html. A lot of this is centered on
modssl, but the basics are really applicable to any SSL implementation.
Q: What are RSA Private Keys, CSRs and Certificates?
A: The RSA private key file is a digital file that you can use to decrypt
messages sent to you. It has a public component which you distribute (via
your Certificate file) which allows people to encrypt those messages to you.
A Certificate Signing Request (CSR) is a digital file which contains your
public key and your name. You send the CSR to a Certifying Authority (CA) to
be converted into a real Certificate. A Certificate contains your RSA public
key, your name, the name of the CA, and is digitally signed by your CA.
Browsers that know the CA can verify the signature on that Certificate,
thereby obtaining your RSA public key. That enables them to send messages
which only you can decrypt.
>It was my
> understanding that with the code I received on that page, anybody could
> install a certificate on their server and pretend to be me.
This is incorrect (see below).
> Of course
> this would only work without an error message if the DNS was
> controlled. For example, what if my ISP (not my web host) intercepted
> the link, went to the page and retrieved my certificate code. They then
> changed their DNS so that all requests for my domain name went to their
> server with my secure certificate.
> Is there a reason that this wouldn't work?
Yes, there is. This would not work unless they had your certificate (aka
public key) AND your private key (which does not appear on that site). When
a client connects to your SSL server, your server sends your
certificate/public key to the client. The client verifies the Certificate
Authority (Entrust in this case) that signed your cert/public_key to make
sure that it is valid. It then proceeds to use the certificate to encrypt
all of the data it sends to your server. The only way that data can be
unencrypted is by using your private key which is (hopefully) hidden on your
server where no one can get it.
Hope this helps!
-matt
