A public key and a private key constitute a key pair, which is generated by using an encryption algorithm. A key pair is used for asymmetric encryption. A public key is used to encrypt sessions and verify digital signatures, and its paired private key is used to decrypt the session data. This ensures the security of data transmission. A public key is disclosed to the public, and its paired private key is private to the user that creates the key pair.

A key pair that is generated by using an encryption algorithm is unique around the world. If you use a key in a key pair to encrypt a piece of data, the data can be decrypted only by using the other key in the key pair. For example, data that is encrypted by using a public key can be decrypted only by using its paired private key. Data that is encrypted by using a private key can be decrypted only by using its paired public key.

How an SSL certificate works

SSL certificates adopt public key cryptography, which uses a key pair to encrypt and decrypt data. Each user creates a private key that is not disclosed to anyone for decryption and signature. The user also creates a public key and discloses the key to a group of users for encryption and signature verification.

Only the key owner can use the private key to encrypt a document, which generates a digital signature.

An SSL certificate is a document that is digitally signed by a certificate authority (CA). The document contains information about a public key and the owner of the public key. A certificate must contain a public key, a certificate name, and a digital signature that is provided by a CA. A digital certificate is valid for only a specific period of time.

For more information about private keys, see How does Certificate Management Service protect private keys?

Create a private key

Certificate Management Service has the following requirements for the length of a private key and the encryption algorithm that you use to create a private key:

  • The Rivest-Shamir-Adleman (RSA) algorithm must be used.
  • The private key must be at least 2,048 bits in length.

You can use one of the following methods to create a private key:

  • Use OpenSSL to generate a private key
    1. Download the latest installation package for OpenSSL from the OpenSSL official website at OpenSSL.
      Note The version of OpenSSL must be 1.0.1g or later.
    2. After OpenSSL is installed, run the openssl genrsa -out myprivate.pem 2048 command on the command line to generate a private key file. The private key file is named myprivate.pem. The private key is 2,048 bits in length.
  • Use Keytool to generate and export a private key

    Keytool is a key management tool that comes with JDK. Keytool allows you to create keystore files in the JKS format for certificates. To obtain Keytool, you can download JDK from the Java official website at Java Downloads.

    By default, the public keys and private keys that are created by using Keytool cannot be exported. You can export a private key only from a .keystore file that is created. For more information about how to export a private key from a .keystore file, see How do I convert the format of a certificate?

    In the exported file, the private key is enclosed by the following lines of code:
    -----END RSA PRIVATE KEY-----
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    Note We recommend that you keep your private key confidential. If the private key is lost or becomes corrupt, you can no longer use its paired public key or the digital certificate.