SSL is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (domain) and a browser. It enables sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. To establish this secure connection, the browser and the server need an SSL Certificate.
SSL certificates have a key pair: a public and a private key. These keys, which are simply large numbers, work together to establish an encrypted connection. The certificate also contains the identity of the certificate/website owner.
To get a certificate, you must create a Certificate Signing Request (CSR) for your domain. This process creates a private key and public key. The CSR file that you send to the SSL Certificate issuer (called a Certificate Authority or CA) contains the public key. The CA uses the CSR data file to create a data structure to match your private key without compromising the key itself. The CA never sees the private key.
The certificate created with a particular CSR only works with the private key that was generated with it.
After you receive the SSL certificate, you install it on your server. You also install an intermediate certificate that establishes the credibility of your SSL Certificate by tying it to your CA’s root certificate. When the SSL certificate is installed and active on your domain, your domain is secure.
When a user tries to access your website:
The user’s browser connects to your secure domain using HTTPS.
Your domain responds with its SSL certificate, which contains its public key.
The browser verifies the certificate by checking the signature of the CA. For this to work, the CA needs to be in the browser’s trusted store, which is a list of CA certificates that you trust. All web browsers come with a list of trusted CAs.
The browser creates a session key, which is a temporary key, valid only for the period the browser and domain interact on this occasion. If the browser navigates away from your website and then tries to access it again, a new session key is created.
The browser encrypts the session key using the public key, and sends it back to the secure domain server.
The server uses the private key to decrypt the session key.
The browser and server now encrypt and decrypt all transmitted data with the session key. This is a secure channel because only the browser and the server know the symmetric session key, and the session key is only used for that session.