Rate this article: (3 votes, average: 2.33)
We often receive questions from people wanting to know what an SSL certificate’s private key is, what it’s used for, and how to find it. SSL certificates make use of a public/private key pair during its handshake. This is a working example of public key infrastructure (PKI), which uses digital certificates to authenticate identity on the internet.
We’ve written a similar resource for individuals who seek to find their Comodo code signing certificate private key. However, for this article, our focus will be on covering how to find the SSL private key for a certificate that facilitates encryption of data in transit. First, we’ll briefly cover what it is and why it matters.
When a client arrives at a website, the first thing it needs to do is authenticate the web server. To do this, the server presents its SSL certificate and public key. This public key is created when the certificate signing request (CSR) is first generated, which is derived from the private key.
In asymmetric encryption, the public key encrypts and the public key decrypts. But that’s not really how they’re used in modern day TLS implementations. Historically, the RSA cryptosystem has been involved in the SSL key exchange that occurs during the handshake.
The way it worked is the client would derive and encrypt a pre-master secret with the server’s public key. The server would use its private key to decrypt it and both parties would use the pre-master secret to arrive at the master secret/session key. Session keys are symmetric and can perform both cryptographic functions: encryption and decryption.
That method has gone extinct in TLS 1.3. In fact, there is no longer any asymmetric encryption taking place in SSL/TLS now. The public/private key pair is used to verify the digital signature that was left by the corresponding private key. This is another lesser-known function of public/private key pairs. Because the public key is derived from the private key, it can be used to verify signatures left by the private key.
In modern encryption schemes, the public/private key pair is only used in the context of the digital signature, key exchange is now done using ephemeral Diffie-Hellman families.
Not sure how to find the private key of a certificate? When you generate a CSR on your server, there should be a designated location where the private key is saved. You may need to go through the early steps involved in creating a new CSR to find the correct directory. From there, it’s simply a matter of navigating to it.
Now, if you can’t find the key at all, you’re going to need to re-issue your certificate. This will involve a new CSR, too. Yeah, we know it’s a hassle. But if your private key is unaccounted for, that’s considered a compromise and puts your site and your users’ data at risk. A compromised site is way more of a hassle, and it’s too dangerous to mess around with that.
Just one final note: Be sure to write down where you’ll be saving the key this time so you’ll know where it is the next time you need it.