The key is shared between all parties.
Encryption and decryption is very fast.
I am not going into the math on this one.
So, how does it work?
Secure HTTPS request made
Sends Certificate
Client autnenticates certificate against trusted certificates
Acknowledge Certificate, provide encrypted shared key
Data continues being sent, using the symmetric key for encryptions
Certificate | Used for encryption and identity verification |
Private Key | Used to decrypt values encrypted using the matching public certificate. Generated by the requesting entity. |
Certificate Signing Request (CSR) | Used to request a signed certificate from a Certificate Authority (CA) |
Certificate Authority | A trusted vendor that issues digital certificates. |
Self-signed Certificate | A certificate not signed by a Certificate Authority. Used mostly for development. |
-----BEGIN CERTIFICATE-----
MIIFOzCCBCOgAwIBAgIHTqhITt5W5TANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMu
...
85sKysdk4OjNmeXGIauzQ60f0vUHNrTDToz3lOrybHcgOKPiguCJV4IVpKAr7vCq
5QyvPlRodJUCajhZISW3RmoFcBOQQInFv2qFXDpRIGmQUFIHiRBC0r2f5UP5a48=
-----END CERTIFICATE-----
Binary formatted data
Encoding for public certificates. Can be either DER or PEM format. Most commonly seen in *nix systems.
Practically synonymous with CER. Most commonly seen in Windows systems.
Typically used for private keys (PKCS#8). Can be either DER or PEM.
Convert from DER to PEM
openssl x509 -in <file> -inform DER -out <target> -outform PEM
Import a certificate to a keystore
keytool -importcert -keystore <filename> -file <public cert filename> \
[-alias <alias>]
Import a public/private key pair to a keystore
openssl pkcs12 -in <certificate> -inkey <key> -export -out <keystore.p12>
keytool -importkeystore -srckeystore <keystore.p12> -srcstoretype pkcs12 \
-destkeystore <keystore.jks> -srcalias <p12 alias> \
-destalias <jks alias>
Generate a self-signed certificate
keytool -keysize 2048 -genkey -alias <alias> -keyalg RSA -keystore <keystore.jks>
Generate a self-signed certificate with v3 extensions
openssl -genrsa -des3 -out <keyfile> 2048
openssl req -new -key <keyfile> -out <csrfile>
openssl x509 -req -days 3650 -in <csrfile> -inkey <keyfile> -out bg.crt \
[-extfile <extensions]
Extensions file (valid values described at https://www.openssl.org/docs/apps/x509v3_config.html):
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyCertSign
extendedKeyUsage=serverAuth,clientAuth
authorityKeyIdentifier=keyid,issuer
subjectAltName=URI:bridgegatetest.com,URI:*.bridgegatetest.com