Post by o***@gmail.com
When I tried to get certificate from "certificate agent" or "CA" or
"trusted third party", to be able to use smime, the certificate
produced kind of magically. I could not understand which part of it is
produced by which party?

Your browser creates public and private key.
Your browser then constructs a document, called a certificate request,
which contains your public key. The document is signed using your
private key.
This certificate request is now uploaded to the CA site. The CA
checks the signature, and they can do that using only the public
key enclosed in the request. Assuming that it verifies, and that
they approve what other requirements they have, they then construct
and sign a certificate, based on your certificate request (but
perhaps with restrictions on use, such as "this certificate for
email only"). They then send that to you, or make it available for
you to download.
Yes, the CA sees only your public key, not your private key.
Post by o***@gmail.com
I hope that the private and public keys are produced by my web browser
(at least I got it that way), ONLY public key is handed to CA, and
they issue a certification on this... If that is true, there is no
problem...

Yes, that's a good summary of how it works.
Post by o***@gmail.com
But if both private and public keys are produced by CA, then this is
too much trust on them, no one must have my private key.

I agree, that would be too much trust. Fortunately, it doesn't work
that way.
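The flow described in the reply, played out with the openssl command line as an added example (not part of the original thread). The client side generates the key pair and a self-signed request, the CA side verifies that request using only the public key inside it and issues a certificate restricted to email protection; the subject names, file names and the throwaway CA are all made up for this demonstration.

```shell
#!/bin/sh
# Constructed demo of the CSR flow: client keeps the private key, CA only ever sees the request.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Client side: generate the key pair (what the browser does), then a certificate
# request carrying the public key and signed with the private key.
make_client_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key 2>/dev/null
  openssl req -new -key client.key -subj "/CN=alice@example.invalid" -out client.csr
}

# CA side: check the request's self-signature. Only the public key enclosed in
# the request is needed for this; the CA never holds client.key.
ca_verify_csr() {
  openssl req -in client.csr -noout -verify 2>/dev/null
}

# True only if private key material leaked into the request (it must not).
csr_has_private_key() {
  grep -q "PRIVATE KEY" client.csr
}

# CA side: build a throwaway CA and sign a certificate from the request, with a
# usage restriction ("this certificate for email only") added by the CA.
ca_issue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 \
    -subj "/CN=Example Demo CA" 2>/dev/null
  printf 'extendedKeyUsage = emailProtection\nkeyUsage = digitalSignature, keyEncipherment\n' > ext.cnf
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile ext.cnf -out client.crt 2>/dev/null
}

# The public key in the issued certificate is exactly the one the client generated.
cert_matches_client_key() {
  [ "$(openssl x509 -in client.crt -noout -pubkey)" = "$(openssl pkey -in client.key -pubout)" ]
}

# The issued certificate chains to the CA and is valid for S/MIME signing.
cert_valid_for_smime() {
  openssl verify -CAfile ca.crt -purpose smimesign client.crt >/dev/null 2>&1
}

make_client_key_and_csr
ca_verify_csr && echo "CSR signature verified with enclosed public key"
ca_issue_cert
cert_matches_client_key && echo "certificate carries the client's public key"
```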