What is the public key in a web server certificate for?

Since a certificate needs to be checked against the OS certificates or, in the case of Firefox, against a browser certificate, I have trouble understanding why a web server certificate also contains a public key.

Is the public key not in the OS certificates as well?

It sounds to me like saying:

“Hi, I am David and hereby I confirm that I am David.”

What am I understanding wrong here?


Solution 1:

Public key cryptography relies on what is known as asymmetric ciphers. What that means is that something encrypted with one key, for example the public key, cannot be decrypted with that same key.

What that means is that you end up with a key that has two parts, a public key that you hand out to everyone, and a secret key that you keep for yourself.

By handing out a public key you can be assured that only the person holding the correct secret key can decrypt the data.

You can check the public key owner using the certificate signing chain, effectively a corporation or list of people who assure you that the person who can decrypt your data is who you want to be able to decrypt it.

You then send that person a key (or passcode etc.) of your own, encrypted using their public key, and they decrypt it using their secret key. Because you used their public key and they are able to decrypt it, you have essentially validated that the website is who they claim to be and you can "trust" the connection to them. If they could not decrypt it using the public key then they are not the site you are asking for.

There is an element of the site, as you say, stating "Hi, I am David and hereby I confirm that I am David." because that's what you need and want when you are about to send that site some very personal details such as your login username and password. You need to know that only the place you are sending the data to can decrypt the data you send.
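The two steps the answer describes, checking the signing chain and then encrypting something to the public key found in the certificate, as an added, runnable example in Go (not part of the original question or answer). It uses only the Go standard library. The root CA "Example Root CA", the host name www.example.com and the impostor key are constructed for the demonstration; real browsers use the OS or browser trust store instead of the in-memory pool built here, and modern TLS negotiates the session key with an ephemeral key exchange rather than RSA encryption, but the point is the same: the certificate's signature proves whose public key it is, and the matching private key proves that the peer is that party.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs template with issuerKey. For the root, parent is the template
// itself, which yields a self-signed CA certificate.
func issueCert(template, parent *x509.Certificate, pub *rsa.PublicKey, issuerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a constructed root CA and a server certificate for the
// hypothetical host www.example.com. The server certificate carries the server's
// public key; the CA's signature is what binds that key to the name. Returns the
// CA cert, the server cert and the server's private key (which never leaves the server).
func BuildChain() (*x509.Certificate, *x509.Certificate, *rsa.PrivateKey, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed CA
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, err := issueCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"}, // hypothetical host
		DNSNames:     []string{"www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvCert, err := issueCert(srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return caCert, srvCert, srvKey, nil
}

// VerifyChain is the client's "is this public key really David's?" step: the CA
// signature on the server certificate is checked against a trusted root, and the
// certificate must have been issued for the host the client asked for.
func VerifyChain(srvCert, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := srvCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// SealSecret encrypts a client secret to the public key taken out of the verified
// certificate (RSA-OAEP). Anyone can do this; only the private-key holder can undo it.
func SealSecret(srvCert *x509.Certificate, secret []byte) ([]byte, error) {
	pub, ok := srvCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}

// OpenSecret is the server side: recovering the secret proves possession of the
// private key matching the certificate.
func OpenSecret(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, nil)
}

// NewImpostorKey stands in for a site that presents David's certificate but does
// not hold David's private key (constructed for the demonstration).
func NewImpostorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func main() {
	ca, srv, srvKey, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain valid for www.example.com: ", VerifyChain(srv, ca, "www.example.com") == nil)
	fmt.Println("chain valid for evil.example.com:", VerifyChain(srv, ca, "evil.example.com") == nil)
	sealed, _ := SealSecret(srv, []byte("client's session secret"))
	plain, err := OpenSecret(srvKey, sealed)
	fmt.Printf("real server recovers: %q (err=%v)\n", plain, err)
	impostor, _ := NewImpostorKey()
	_, err = OpenSecret(impostor, sealed)
	fmt.Println("impostor with the same certificate recovers it:", err == nil)
}
```

Run with `go run .`: the chain verifies for www.example.com but not for evil.example.com, the real server recovers the secret, and the impostor, who can copy the certificate (it is public) but not the private key, fails to decrypt. That failure is the "they are not the site you are asking for" case from the answer.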