On Tue, 2021-06-01 at 15:25 -0600, Grant Taylor wrote:
>
> The proper way to configure certificates is:
>
> 1) Create a key on the local server.
> 2) Create a Certificate Signing Request (a.k.a. CSR) which references,
> but does not include, the key.
> 3) Ask a CA to sign the CSR.
> 4) Use the certificate from the CA.
>
> The important thing is that the key, which is integral to the encryption
> *NEVER* *LEAVES* *YOUR* *CONTROL*!
>
*Any* CA can just generate a new key and sign the corresponding certificate. All browsers will treat their fake certificate corresponding to the fake key on their fake web server as completely legitimate. The "real" original key that you generated has no special technical properties that distinguish it.
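The four-step procedure quoted above, written out as an added example that is not part of this thread: the server key stays in a local file, only the CSR and the returned certificate cross to the CA, and the final check confirms that the certificate actually carries the local key's public half and chains to the CA. It assumes `openssl` is on PATH and uses a throwaway self-signed CA created in the script to stand in for the real CA; the last function illustrates the reply's point, since a second key for the same name signed by the same CA passes chain verification just as well.

```shell
#!/bin/sh
# Added example (not from the thread). The CA here is a hypothetical
# test CA generated on the spot; a real deployment would send the CSR
# to an external CA and receive the certificate back.
set -e

WORK=$(mktemp -d)

# Stand-in for the real CA: a self-signed root used only in this demo.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 1 2>/dev/null
}

# Steps 1 and 2: generate the key locally and a CSR that carries only
# the public key plus the requested subject. Takes a file prefix.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=www.example.com" \
    -out "$WORK/$1.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR. It never sees the private key.
ca_sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 1 2>/dev/null
}

# Step 4 check, which only the key holder can perform: the public key
# embedded in the certificate must equal the one derived from the local
# private key, and the certificate must chain to the CA. Prints "ok".
verify_cert() {
  local_pub=$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout 2>/dev/null)
  [ "$local_pub" = "$cert_pub" ] || { echo "key mismatch"; return 1; }
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 \
    || { echo "chain failed"; return 1; }
  echo ok
}

# The normal workflow end to end.
run_demo() {
  make_test_ca && make_key_and_csr server && ca_sign server && verify_cert server
}

# The reply's point: chain verification alone cannot tell a second key
# signed by the same CA apart from the original. Prints "ok" for both.
second_key_also_verifies() {
  make_key_and_csr other && ca_sign other && verify_cert other
}
```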