To verify whether the website is authenticated/certified or not. Uncertified websites can do evil things. An authenticated website has a unique personal certificate purchased from one of the CA’s.
They are global trusted company like GoDaddy, VeriSign, GeoTrust... who provide digital certificates to websites.
Please see reference
- First website owner generate pair of public/private key. He keeps the private key secret. He gives a Certificate Signing Request (CSR) and his public key to CA.
- CA creates personal certificate based on CSR include domain name, owner name, expiration date etc and also add CA's digital signature to certificate. Then CA uses website owner's public key to encrypt the certificate and send back to website owner.
- Website owner receives the encrypted certificate and uses his private key to decrypt certificate. Finally he installs that certificate on his website.
-
- User enters URL facebook.com to browser, FB server gives browser the certificate of the website (which was signed by GeoTrust for example) and FB's public key.
-
- Now browser has to verify if the certificate of website was signed bt GeoTrust or not. As browsers come with a list of public keys of major CAs, it will pick GeoTrust's public key to verify the certificate FB gave.
-
- If the verification succeeds the browser proceeds next step else it stops.
-
- As mentioned above, when user enters facebook.com to browser, FB server sends its public key to browser.
-
- After validating the certificate of website, browser will generate a secret key (symmetric key) (let call it session key) and makes 2 copies of it.
-
- Browser will use facebook's public key to encrypt the session key and sends it to facebook.
-
- Facebook will use its private key to decrypt the message of browser from step iii and get the session key
-
- Now both sides (FB and browser) have the session key. From now they will use session key to encrypt data before sending and decrypt data after receiving.