[GLP] How to Create an HTTPS Self-Signed Certificate

Motivation

We wanted to set up a lightweight HTTPS server on an internal company network without purchasing a certificate from a public CA. The solution: build our own private Certificate Authority (CA) and issue a self-signed certificate.

TLS Handshake Overview

1. The browser connects to https://demowebsite.com.
2. The server returns its certificate (containing the server's public key).
3. The browser verifies the certificate against a trusted CA.
4. The browser generates a random symmetric key K and encrypts it with the server's public key.
5. The server decrypts K using its private key; both sides now share K.
6. All subsequent traffic is encrypted with K.

Setting Up a Root CA

Best practice: the root CA never signs end-entity certificates directly. Instead it signs an intermediate CA, whose key is used for day-to-day issuance. The root key can then be kept offline. ...
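The root -> intermediate -> server hierarchy described above, together with the browser-side verification from step 3 of the handshake, as an added example written for this page in Go's standard-library crypto/x509 rather than a command-line tool (it is not code from the original post). The CA names, serial numbers, one-year lifetime and Ed25519 keys are constructed choices; demowebsite.com is the host from the post. Verify fails when the hostname does not match the SAN, when the intermediate is missing, or when the chain ends at a root the client does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template returns a CA template when pathLen >= 0, otherwise a server template bound to cn via SAN.
func template(cn string, serial int64, pathLen int) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	if pathLen >= 0 { // CA: may sign certificates, with a bounded depth beneath it
		t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // end-entity: server authentication only; browsers match the SAN, not the CN
		t.DNSNames, t.KeyUsage, t.ExtKeyUsage = []string{cn}, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}
// sign issues tmpl under parent with the parent's private key; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return c
}
// BuildChain issues root (self-signed), intermediate (root-signed) and server cert (intermediate-signed).
func BuildChain(host string) (root, inter, leaf *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	interPub, interKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf private key stays on the web server
	rootTmpl := template("Demo Root CA", 1, 1)
	root = sign(rootTmpl, rootTmpl, rootPub, rootKey) // root key used only here, then goes offline
	inter = sign(template("Demo Intermediate CA", 2, 0), root, interPub, rootKey)
	return root, inter, sign(template(host, 3, -1), inter, leafPub, interKey)
}
// Verify is the browser's step 3: chain leaf -> inter -> trusted root, then check host against the SAN.
func Verify(trusted, inter, leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

To trust the private CA, a client installs only the root certificate; the server must send the intermediate alongside its own certificate, exactly as Verify expects it.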

April 7, 2020 · hyyfrank