Why is SSLCertificateKeyFile needed for Apache?

£可爱£侵袭症+ submitted on 2019-12-23 06:48:16

Question


What's the technical reason that SSLCertificateKeyFile is needed (the private key)? Where is that used and for what?


Answer 1:


The SSL certificate file contains the X.509 certificate (which, in turn, contains a public key used for encryption). The SSL Certificate Key File contains the private key corresponding to the public key in the certificate. In order for the webserver to encrypt and decrypt traffic, it must have both the public key (certificate) and corresponding private key. Apache, unlike a lot of other server products, stores the key and certificate in separate files. Java-based products, for example, typically use Java KeyStore files, which are an encrypted database containing both the certificate and private key.




Answer 2:


Usually there are three directives included:

SSLCertificateFile /opt/csw/apache2/certs/icompany/publicCert.pem
SSLCertificateChainFile /opt/csw/apache2/certs/icompany/chain.pem
SSLCertificateKeyFile /opt/csw/apache2/certs/icompany/PrivateKeyCert.pem

SSLCertificateFile should contain only the public portion of your certificate, which you want to deliver from the website to the client.

If SSLCertificateChainFile is specified, the webserver will attach the associated certificates (to build up a whole chain to a Root CA) to the webserver certificate. You could also put the private portion of your certificate into the file as specified in SSLCertificateFile, but this is NOT recommended for security reasons (for example, the webserver has a bug, a buffer overflow occurs and prints out the private key to the attacker).

Instead, put only the private key in a separate file and declare it in SSLCertificateKeyFile.
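
The pairing described in answers 1 and 2 can be checked with the openssl command line. The following is an added example, not part of the original answers: it verifies that a key file belongs to a certificate, flags a certificate file that also carries a private key, and checks that the key file is owner-only. The file names and the CN `example.test` are constructed, and the permission check is an added precaution the answers do not mention.

```sh
#!/bin/sh
# Added example. File names and the CN "example.test" are constructed.

# Succeeds only if the private key in $2 belongs to the certificate in $1.
# Both commands print the public key as PEM, so equal text means a matching pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if a certificate file also contains a private key
# (the combined layout that answer 2 advises against).
cert_file_has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Succeeds if group and other have no permission bits on the key file.
key_file_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Writes a throwaway self-signed pair, an unrelated key and a combined file into $1.
make_demo_files() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
          -keyout "$1/server.key" -out "$1/server.crt" &&
      openssl genrsa -out "$1/other.key" 2048 &&
      cat "$1/server.crt" "$1/server.key" > "$1/combined.pem"
    ) >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    if make_demo_files "$d"; then
        cert_matches_key "$d/server.crt" "$d/server.key" && echo "server.key matches server.crt"
        cert_matches_key "$d/server.crt" "$d/other.key" || echo "other.key does not match server.crt"
        cert_file_has_private_key "$d/combined.pem" && echo "combined.pem contains a private key"
        key_file_is_owner_only "$d/server.key" && echo "server.key is readable by its owner only"
    fi
    rm -rf "$d"
}
demo
```

Run against real files, `cert_matches_key` returns 2 when either file cannot be parsed, which distinguishes a broken file from a mismatched pair.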




Answer 3:


For an overview of public key cryptography, including the use of private keys:

http://en.wikipedia.org/wiki/Public-key_cryptography#How_it_works

And a detailed breakdown of all the steps used in TLS, the protocol your server uses for https traffic, which shows exactly where the private key gets used:

http://en.wikipedia.org/wiki/Transport_Layer_Security



Source: https://stackoverflow.com/questions/4814851/why-is-sslcertificatekeyfile-needed-for-apache
