- Generates an RSA public/private key pair.
- Uploads the public key to the CA.
- The CA issues a signed certificate.
- Appends any intermediate certificate to it as necessary.
- Installs the CA and public key on the server.
Sometimes the well-known client or vendor CA lists do not suffice to verify your certificate. In that case, the CA that issued your certificate has most likely used its own intermediate certificate. This is easily solved by appending all the intermediate certificates used to sign it to the certificate itself.
- Connects to a secure server.
- A key exchange process takes place whereby the client is given the server's public key and certificate.
- Client verifies this certificate against a known CA already provided in advance (via the OS/well-known vendor lists). (*)
- Client generates a new symmetric key for communication with the server. This key should be valid only for the lifetime of the connection.
- Client encrypts this symmetric key using the server's public key and sends it to the server. Thus only the server can decrypt the message.
- Change the connection encryption mode to use this new symmetric key.
- Proceed normally with the intended protocol (e.g. HTTP).
(*) The certificate may include any intermediate certificates used for verification; these should be verified before, or in addition to, the certificate itself.
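
The appending step on the server side and the intermediate check in the footnote can both be tested before a bundle is installed. The script below is an added example, not part of the original notes: it uses `openssl` to build a throwaway root, intermediate and server certificate, then shows that a client trusting only the root rejects the bare certificate and accepts it once the intermediate is appended. All subject names, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: all CNs, file names and function names are constructed for this demo.

# Build a throwaway root -> intermediate -> leaf chain in directory $1.
make_chain() {
  w=$1
  # Minimal config: empty DN section (subjects come from -subj) plus CA extensions.
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$w/ca.cnf"
  # Root CA: self-signed; stands in for a CA the client already trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$w/ca.cnf" -extensions ca \
    -subj "/CN=Demo Root CA" -keyout "$w/root.key" -out "$w/root.crt" -days 2 2>/dev/null
  # Intermediate CA: key pair and CSR, then signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$w/ca.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$w/int.key" -out "$w/int.csr" 2>/dev/null
  openssl x509 -req -in "$w/int.csr" -CA "$w/root.crt" -CAkey "$w/root.key" \
    -CAcreateserial -extfile "$w/ca.cnf" -extensions ca -out "$w/int.crt" -days 2 2>/dev/null
  # Server (leaf) certificate: signed by the intermediate, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$w/ca.cnf" \
    -subj "/CN=www.example.test" -keyout "$w/leaf.key" -out "$w/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$w/leaf.csr" -CA "$w/int.crt" -CAkey "$w/int.key" \
    -CAcreateserial -out "$w/leaf.crt" -days 2 2>/dev/null
  # The bundle to install: server certificate first, then the intermediate.
  cat "$w/leaf.crt" "$w/int.crt" > "$w/fullchain.pem"
}

# Succeeds only if the first certificate in bundle $2 chains to root $1 using
# nothing but the other certificates in that same bundle as intermediates.
bundle_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_chain "$tmp"
if bundle_verifies "$tmp/root.crt" "$tmp/leaf.crt"; then echo "leaf only: OK"
else echo "leaf only: FAILS (client cannot find the issuer)"; fi
if bundle_verifies "$tmp/root.crt" "$tmp/fullchain.pem"; then echo "leaf + intermediate: OK"
else echo "leaf + intermediate: FAILS"; fi
rm -rf "$tmp"
```

Against a real deployment, `bundle_verifies` takes the CA's root certificate and the bundle file you are about to install.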