How HTTPS Works (The Actual Meaning of .key, .csr and .crt)
Chain of Trust
Root Certificate Authorities (Root CAs)
The certificates of these CAs are shipped with browsers.
Intermediate Certificate Authorities (Intermediate CAs)
These are organizations which can issue certificates; their own certificates are signed by a Root CA.
What is a Certificate Signing Request?
When an organization needs an SSL certificate signed, it sends a Certificate Signing Request (CSR) to an Intermediate Certificate Authority. In response, the Intermediate Certificate Authority sends back:
- The SSL certificate, signed by the Intermediate CA.
- The certificate of the Intermediate CA, signed by the Root CA.
The following command generates the private key (.key) for the organization and the certificate signing request (.csr):
openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
In response to the CSR, the CA returns two files: [organization_domain_name].crt and intermediate.crt (if your Intermediate CA is GoDaddy, this file is called gd_bundle-g2.crt).
- The computer can trust the certificate of the Intermediate CA because it is signed by a Root CA whose certificate was embedded in the web browser when it shipped.
- So the organization's SSL certificate can now be trusted, because the Intermediate CA's certificate is trusted.
This trust hierarchy is called the Chain of Trust.
How does HTTPS work?
Step 1:
When the browser sends an HTTPS request to the site, the site sends back both [organization_domain_name].crt and intermediate.crt to the browser. The browser can now trust intermediate.crt through a Root CA in its trust store, and [organization_domain_name].crt through intermediate.crt. Finally, the browser extracts the organization's public key from [organization_domain_name].crt.
Step 2:
The browser generates a symmetric key, encrypts it with the organization's public key and sends it to the site.
Step 3:
The organization's server recovers the symmetric key by decrypting it with its private key. From here on, both parties use this symmetric key to encrypt the data they send each other.