ssl - 为什么 SSL 证书是用私钥签名的？

Question

据我所知，所有 SSL 证书都是使用非对称公钥/私钥对的公钥签名的。

但是所有(至少我检查过的)互联网上的例子都使用私钥

我找到的一种自签名方法是使用以下命令:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

我发现的其他方法是:

sudo openssl genrsa -out mykey.key 2048
sudo openssl req -new -key mykey.key -out mycsr.csr
sudo openssl x509 -req -days 365 -in mycsr.csr -signkey mykey.key -out mycert.crt

以上示例是使用公钥创建证书还是私钥。如果是私钥，它是正确的用法吗？

还有一点，

自签名与 CA 签名证书有什么区别。
证书中是否有签名机构的任何其他信息？

CA 签名究竟意味着什么？
他们使用自己的私钥进行签名还是这是怎么回事？

编辑:

上述声明据我所知来自以下网站的第 2 点。由于我对 SSL 概念还很陌生，所以我在理解它的声明时可能完全错了

http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html

如果私钥用于签署证书，并且在 apache http 服务器配置中使用相同的私钥，我仍然很困惑浏览器将在其初始 SSL 握手中从哪里获取公钥

我指的是apache httpd的以下配置

<VirtualHost 192.168.0.1:443>
  DocumentRoot /var/www/html2
  ServerName www.yourdomain.com
  SSLEngine on
  SSLCertificateFile /path/to/your_domain_name.crt
  SSLCertificateKeyFile /path/to/your_private.key
  SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

更新:

我特别指出上面链接的1.2.2 节

This someone, you have to implicitly trust: you have his/her certificate loaded in your browser (a root Certificate). A certificate, contains information about the owner of the certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource location or Distinguished Name (DN) which includes the Common Name (CN) (web site address or e-mail address depending of the usage) and the certificate ID of the person who certifies (signs) this information. It contains also the public key and finally a hash to ensure that the certificate has not been tampered with.

Answer 1

Why SSL certificates are signed with the private key?

因为这就是数字签名的定义方式。用公钥签名并不能证明什么。数字签名必须是只有签名者才能做的事情，就像你在支票上的签名更难伪造一样。更难。

As far as I read all the SSL certificates are signed using public key of the asymmetric pub/priv key pair.

不，你没有，你误解了你正在阅读的内容。

But all (atleast what I checked) the examples out there on internet are using private key

当然。

Are the above examples using public key to create the certificate or private key. If private key, is it a right usage?

他们都在使用。公钥嵌入证书中，私钥用于签名。

What is the difference from self-signing vs CA signing the certificate.Is there any additional information of the signing authority present in the certificate?

是的，有一个 IssuerDN 字段。

And what does CA signing actually mean? Do they use their own private keys to sign?

是的。

The above statement As far as I read is from point#2 of the following website.

不，不是。

I could be completely wrong

是的。

If private key is used for signing the certificate and also the same private key is used in apache http server configuration I'm still confused from where will the browser get the public key in its initial SSL handshake

来自证书。

I'm specially pointing to the section 1.2.2 of the above link where it states

[snip] It contains also the public key and finally a hash to ensure that the certificate has not been tampered with.

没有关于使用公钥签署证书的内容。 “包含”并不意味着“签署”。