We already know that a certificate that contains a public key (PUB-K1) is sent in STEP 2 from the LinkedIn server to the client.
Today we will open the Blackbox that how this certificate is generated for the LinkedIn server.
<h1 id="heading-how-a-certificate-is-signed">How a Certificate is Signed?</h1>
Start from the very initial state. Let's say the LinkedIn server does not have a certificate and it wants to secure its website with HTTPS.
To generate a certificate from a trusted CA, LinkedIn has to generate a key pair first, public (PUB-K1) and private key (PRV-K1).
This key pair can be generated using different Asymmetric key/Public key cryptography algorithms, e.g. RSA, Diffie-Hellman, DSA, etc.
<img src="https://miro.medium.com/v2/resize:fit:700/1*alhKCJaypv3tnm6qGp0YLg.png" alt class="image--center mx-auto" />
Fig: The server has a key pair
On the other hand, CA also should have a key pair — public key (say PUB-K2), and private key (say, PRV-K2).
<img src="https://miro.medium.com/v2/resize:fit:700/1*9IjGQLgSFYN-OzIAewG-3A.png" alt class="image--center mx-auto" />
Fig: The CA also has a key pair
Now with identification information and PUB-K1, the server will generate a Certificate Signing Request (CSR).
The server will send the CSR to a trusted CA to generate a certificate for that server.
After verifying all the information, the CA will generate a signed certificate for that server using its private key (PRV-K2) from the CSR.
<img src="https://miro.medium.com/v2/resize:fit:700/1*DDuUoCV_BvOrZgO6cPHWVw.png" alt class="image--center mx-auto" />
Fig: CA sign a certificate for the server
Now CA will send it to the server.

We already know that a certificate that contains a public key (**PUB-K1**) is sent in **STEP 2** from the LinkedIn server to the client.

Today we will open the Blackbox that how this certificate is generated for the LinkedIn server.

# **How a Certificate is Signed?**

Start from the very initial state. Let's say the LinkedIn server does not have a certificate and it wants to secure its website with HTTPS.

To generate a certificate from a trusted CA, LinkedIn has to generate a key pair first, **public (PUB-K1)** and **private** key (**PRV-K1**).

This key pair can be generated using different Asymmetric key/Public key cryptography algorithms, e.g. RSA, Diffie-Hellman, DSA, etc.

![](https://miro.medium.com/v2/resize:fit:700/1*alhKCJaypv3tnm6qGp0YLg.png align="center")

**Fig: The server has a key pair**

On the other hand, CA also should have a key pair — public key (say **PUB-K2**), and private key (say, **PRV-K2**).

![](https://miro.medium.com/v2/resize:fit:700/1*9IjGQLgSFYN-OzIAewG-3A.png align="center")

**Fig: The CA also has a key pair**

Now with identification information and **PUB-K1,** the server will generate a **Certificate Signing Request (CSR)**.

T**he server** will send the **CSR** to a trusted CA to generate a certificate for that server.

After verifying all the information, the CA will generate a signed certificate for that server using its private key (**PRV-K2**) from the **CSR**.

![](https://miro.medium.com/v2/resize:fit:700/1*DDuUoCV_BvOrZgO6cPHWVw.png align="center")

Fig: CA sign a certificate for the server

Now CA will send it to the server.

HTTPS [EP 02] — How to Generate a Certificate?

How a Certificate is Signed?