I recently experimented with the OpenSSL API in C, and I'm confused by some customization features, as well as some concepts in public key cryptography in general.
In general, I understand how public key cryptography works. You have a public key that is accessible to everyone, and then both the server and the client have a secret key that is needed to decrypt messages.
However, I'm a little confused about when you really need a public key. Can a web browser need a public key? I would not have thought so, since it seems that in most use cases only the server (and not the client) needs a public key. If both the server and the client have a public key, which one is used?
Adding to my confusion is the fact that the OpenSSL API defines a function SSL_CTX_use_PrivateKey_file(), but there is no corresponding SSL_CTX_use_PublicKey_file(). In my experiments, I wrote a simple web client that connects to an https site and uploads a file. It works great, and no public key is required. I simply created the private key using the OpenSSL command-line tools and then called SSL_CTX_use_PrivateKey_file() in my program.
But if I wrote the server rather than the client, wouldn't I need a public key? And if so, why don't I see anything like use_PublicKey_file in the OpenSSL API?
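An added example (not part of the question or any answer) that shows with the openssl command-line tool where the public key actually lives: it is derived from the private key and carried inside the certificate, which is what SSL_CTX_use_certificate_file() loads on the server side, while a client only needs a trusted certificate to verify against. It assumes `openssl` 1.1.1 or 3.x is on PATH; the key, certificate and `demo.example` name are generated on the fly and thrown away.

```shell
#!/bin/sh
# Assumption: the `openssl` CLI is installed. Everything is created in a temp dir.
set -eu

# Prints "same" if the public key derived from the private key is byte-identical
# to the one embedded in the certificate, "different" otherwise.
demo_keypair_and_cert() {
    dir=$(mktemp -d)
    # 1. Private key: the only secret. Same thing the asker did on the command line.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    # 2. The public key is not an independent file you must obtain somewhere;
    #    it is computed from the private key.
    openssl pkey -in "$dir/server.key" -pubout -out "$dir/derived.pub"
    # 3. A self-signed certificate for the key (constructed demo name, valid 1 day).
    #    The certificate is the container OpenSSL uses to carry the public key.
    openssl req -new -x509 -key "$dir/server.key" -subj "/CN=demo.example" \
        -days 1 -out "$dir/server.crt" 2>/dev/null
    # 4. Extract the public key back out of the certificate.
    openssl x509 -in "$dir/server.crt" -pubkey -noout > "$dir/from_cert.pub"
    # 5. What a client needs: a certificate it trusts, and no private key at all.
    #    Verifying the self-signed cert against itself as the trust anchor succeeds.
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" > /dev/null
    # 6. Compare the two public keys. A server loads both files (cert + key) and
    #    OpenSSL checks they pair up, which is why there is no use_PublicKey_file.
    if cmp -s "$dir/derived.pub" "$dir/from_cert.pub"; then
        result=same
    else
        result=different
    fi
    rm -rf "$dir"
    echo "$result"
}
```

In the C API the same two files are the arguments to SSL_CTX_use_certificate_file() and SSL_CTX_use_PrivateKey_file(), and SSL_CTX_check_private_key() performs the pairing check done by `cmp` here.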