How is the private key used in a digital certificate?
🔐 1. The certificate–key pair
A certificate (usually .crt, .pem, or .cer) contains:
- Your public key
- Identifying info (domain name, org, etc.)
- A signature from a Certificate Authority (CA) verifying that info
The corresponding private key (e.g. server.key) is generated first and never leaves your control.
Together:
Private key <-> Public key (inside certificate)
🧭 2. How the private key is used
(a) During SSL/TLS handshake
When a client (e.g., browser) connects:
- The server sends its certificate (public key).
- The client verifies the certificate (trust chain → CA).
- To prove it owns the certificate, the server must sign a random challenge using its private key.
- The client checks the signature using the public key in the cert.
✅ This proves:
- The server is the rightful owner of the certificate.
- The connection isn’t being intercepted.
(b) For decryption
In some handshake modes (like RSA key exchange), the server’s private key decrypts the “premaster secret” sent by the client. Modern TLS (with ECDHE) usually doesn’t use the private key for decryption directly — only for signing — which improves security (forward secrecy).
(c) For signing other certificates
If the certificate is for a Certificate Authority (CA), its private key is used to sign other certificates:
CA private key → signs → server certificates
This creates a trust chain (Root CA → Intermediate CA → Server).
⚙️ 3. Where it lives
- On web servers: /etc/ssl/private/server.key (permissions 600, owned by root)
- On client apps: inside secure key stores (macOS Keychain, Windows cert store)
- For cloud-managed certs: the cloud provider handles the private key (e.g., Google-managed certificates)
🧾 4. Practical example
When using NGINX:
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
}
Here:
- server.crt = certificate (public key + CA signature)
- server.key = private key used for TLS handshakes
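The sign-and-verify proof from section 2(a) and the permissions rule from section 3 can be checked from a shell before a key and certificate are deployed. This is an added example, not part of the original post: it assumes the openssl CLI is installed, the function names (make_demo_pair, key_mode_ok, key_matches_cert) are hypothetical, and the keys and certificates are throwaway test data generated on the spot.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the openssl CLI is installed.

# make_demo_pair DIR: constructed test data, a throwaway key and self-signed cert.
make_demo_pair() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    chmod 600 "$1/server.key"
}

# key_mode_ok KEY: true only if KEY is a regular file with mode exactly 600.
key_mode_ok() {
    [ -n "$(find "$1" -prune -type f -perm 600 2>/dev/null)" ]
}

# key_matches_cert KEY CERT: proof of possession, mirroring the handshake.
# The key signs a fresh random challenge; the cert's public key verifies it.
key_matches_cert() {
    kmc_tmp=$(mktemp -d) || return 2
    if openssl rand -out "$kmc_tmp/challenge" 32 &&
       # Server side: this step needs the private key.
       openssl dgst -sha256 -sign "$1" -out "$kmc_tmp/sig" "$kmc_tmp/challenge" 2>/dev/null &&
       # Client side: this step needs only the certificate.
       openssl x509 -in "$2" -noout -pubkey > "$kmc_tmp/pub.pem" 2>/dev/null &&
       openssl dgst -sha256 -verify "$kmc_tmp/pub.pem" -signature "$kmc_tmp/sig" \
           "$kmc_tmp/challenge" >/dev/null 2>&1
    then kmc_rc=0; else kmc_rc=1; fi
    rm -rf "$kmc_tmp"
    return "$kmc_rc"
}

# Demo on constructed data: one matching pair, and a key from a different pair.
demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir/a" && make_demo_pair "$demo_dir/b"
key_mode_ok "$demo_dir/a/server.key" && echo "a/server.key has mode 600"
key_matches_cert "$demo_dir/a/server.key" "$demo_dir/a/server.crt" &&
    echo "a/server.key owns a/server.crt"
key_matches_cert "$demo_dir/b/server.key" "$demo_dir/a/server.crt" ||
    echo "b/server.key does not own a/server.crt"
rm -rf "$demo_dir"
```

A failing key_matches_cert before a reload means NGINX would be handed a certificate whose private key it does not hold.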
🚨 5. Security rule of thumb
- Never share the private key — not with clients, not with CAs.
- Never commit it to Git or cloud storage.
- If compromised → regenerate key + reissue certificate immediately.