Reputation: 1536
Today I installed a free SSL certificate on my website. That was easy, but I have some questions about it. FreeSSL returned three files: "private.key", "certificate.crt", "ca_bundle.crt". So here are my questions:
1) Who does this private key belong to? Is this my (server's) private key? I don't think so, because if that's true, it turns out that FreeSSL knows my private key.
2) "certificate.crt" actually is my server's certificate, right?
3) "ca_bundle.crt": is this only the intermediate certificate? What about the root certificate? Don't I need the CA's root certificate?
Upvotes: 1
Views: 220
Reputation: 13974
Who does this private key belong to? Is this my (server's) private key? I don't think so, because if that's true, it turns out that FreeSSL knows my private key.
If you got them from the SSL vendor, then yes, they belong to your web site and the SSL vendor has knowledge of your private keys, thus they are no longer private. It is very bad practice from the CA vendor.
"certificate.crt" actually is my server's certificate, right?
Yes, it is the public part of the certificate. The private part is the key.
"ca_bundle.crt": is this only the intermediate certificate? What about the root certificate? Don't I need the CA's root certificate?
Root CA certificates are not required in bundles, because they must be installed in client browsers in advance (normally, browser vendors ship a list of globally trusted root CAs), so if your SSL vendor is globally trusted, clients already have it in their browsers. If the SSL vendor is not globally trusted (not included in browsers by default), then the root certificate in the bundle won't help, because it is not trusted (even if it is presented during the SSL/TLS handshake) and requires manual steps to install it in the browser (not recommended for publicly accessed web sites).
Upvotes: 2
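An added example, not part of the answer above or of any vendor's tooling: generating the key pair on your own server and sending the CA only a CSR keeps the private key out of the vendor's hands, and comparing public-key fingerprints confirms that the returned certificate.crt is the public half of your private.key. The function names, file names and domain are assumptions made for this sketch, and it relies on the standard `openssl` command-line tool.

```bash
#!/usr/bin/env bash
# Added illustration; function names and paths are hypothetical.

# Create the private key locally (owner-only permissions) and a CSR.
# Only the CSR, which carries the public key and a signature, goes to the CA.
new_key_and_csr() {   # usage: new_key_and_csr <domain> <key-out> <csr-out>
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2"
    ) || return 1
    openssl req -new -key "$2" -subj "/CN=$1" -out "$3"
}

# SHA-256 fingerprint of the public key held in a key, CSR or certificate.
pubkey_fp() {         # usage: pubkey_fp key|csr|cert <file>
    local pem
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)    return 2 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the certificate was issued for this private key.
cert_matches_key() {  # usage: cert_matches_key <cert> <key>
    local c k
    c=$(pubkey_fp cert "$1") && k=$(pubkey_fp key "$2") && [ "$c" = "$k" ]
}
```

With the three files from the question, `cert_matches_key certificate.crt private.key` checks the pairing; a certificate requested through `new_key_and_csr` passes the same check without the key ever leaving the server.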