I understand I need to upload my digital certificate that I obtained from CA and also my private key. But what happens in the server after I uploaded? Does the server actually read my certificate and sign a message taken from the cert and then try to match the signature with the existing signature in the cert?
2 Answers
The server loads the certificate and the key and also any intermediate certificates given (certificate chain).
During the TLS handshake (i.e. when a client connects) the server sends its leaf certificate and the intermediate certificates to the client - which can then check if the certificate is valid, see "SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?".
The server also proves to the client that it has access to the private key (which means it owns the certificate) by signing some data with the private key - the client can verify the signature with the server's public key contained in the server's certificate. The data which gets signed is unique for the current TLS handshake, i.e. the signature could not be replayed in another handshake but must be newly generated to prove ownership of the private key.
- I think the poster is interested more in what happens during and immediately after installation and not as much about TLS in-general or the handshaking process. – ARGYROU MINAS Jun 12 '23 at 22:41
- @ARGYROUMINAS Yes, you're right. – warnerque Jun 13 '23 at 00:42
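The proof of possession described in the first answer, as an added Go example that is not part of the original answers: the server signs a per-connection transcript digest with the uploaded private key, and the client verifies that signature with the public key taken out of the received certificate, so a signature from one handshake is useless in another. The key, the self-signed certificate, the `example.test` name and the handshake message bytes are all constructed for this example, and the transcript digest is a simplification of the real TLS CertificateVerify input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewServerIdentity stands in for the uploaded private key and certificate (constructed, self-signed).
func NewServerIdentity() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// Transcript digests the handshake messages so far; their random values make it unique per connection.
func Transcript(messages ...[]byte) []byte {
	h := sha256.New()
	for _, m := range messages {
		h.Write(m)
	}
	return h.Sum(nil)
}

// SignTranscript is the server's proof of possession of the private key, done only on a live connection.
func SignTranscript(key *ecdsa.PrivateKey, transcript []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, transcript)
}

// VerifyProof is the client side: the public key comes from the received certificate, nowhere else.
func VerifyProof(certDER, transcript, sig []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, transcript, sig)
}
```

Until a client connects and `SignTranscript` runs, nothing in this flow touches the key or certificate, which is the point of the second answer as well.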
Since you asked specifically what happens directly after the certificate upload: nothing happens. It's just a file. Even when you update the configuration of your web server to include the path of the new certificate, this has no effect until the next HTTP request. Only when a client and the server actually try to establish a connection will the certificate be used within the TLS handshake, as explained by Steffen Ullrich.
I'm not sure what you mean by “sign a message taken from the cert and then try to match the signature with the existing signature in the cert”, but this might be a misunderstanding. Outside of TLS handshakes, the web server doesn't touch the certificate at all.