
Apologies if this has already been asked, but I couldn't find a clear-cut answer. Please keep in mind I'm not very technical but am learning.

So let's take a scenario where I have a subdomain "sub.example.com" and have issued a certificate for it. Now what would be the inherent risk if, let's say, an IP address x.y.x.y that was not associated with me is utilizing my certificate without my approval or knowledge?

Would this scenario even be possible if the other party does not have my private key? Or do private keys not matter when installing a certificate? Or does this not matter at all, since a warning will be displayed showing that the certificate/website is misconfigured and is using the wrong certificate?

  • In short: you need the private key. The certificate is not enough. That's why the private key is considered private and should be properly protected, while the certificate is public and can be easily retrieved (it gets sent inside a TLS handshake). – Steffen Ullrich Jan 03 '23 at 08:23
  • So from what I've understood, it doesn't matter who is using your certificate: as long as they don't have the private key, they will not be able to append their domain onto the certificate and the browser will always display an untrusted warning, right? – Yasmeen Ali Jan 03 '23 at 10:47
  • *" the browser will always display an untrusted warning"* - not even this. It simply cannot establish a TLS connection without having a private key matching the certificate. Browser will show something like a handshake error (which cannot be skipped) and not just a warning (which might be skipped). – Steffen Ullrich Jan 03 '23 at 10:55
  • Thank you so much for clarifying this, Steffen, I'll keep this in mind going forward. – Yasmeen Ali Jan 03 '23 at 14:34
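The points made in the comments above can be checked end to end with Go's standard library. The following is an added example, not code from the question or from either commenter: it plays the CA by self-signing a certificate for `sub.example.com` (the name from the question), then shows that (a) a server handed that certificate plus an unrelated private key refuses to even load the pair, (b) a server with the matching key completes a real TLS handshake with a client that trusts the certificate, and (c) the names the certificate covers are fixed by its signature, so it cannot be reused for a host it does not name. `other.example.com` is a constructed name for that last check; the in-memory pipe stands in for the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert stands in for a CA: it self-signs a server certificate for host and
// returns it together with the one private key whose public half is inside it.
func issueCert(host string) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the only host this certificate is valid for
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// unrelatedKey mints a private key with no certificate behind it: all that someone
// who has only copied the (public) certificate could supply as "the key".
func unrelatedKey() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

// loadKeyPair does what a web server does at start-up with a cert file and a key
// file; it fails if the key does not match the public key in the certificate.
func loadKeyPair(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// handshake runs a real TLS handshake over an in-memory pipe between a server
// configured with (certPEM, keyPEM) and a client that trusts certPEM and expects
// host. It returns nil only if both sides complete the handshake.
func handshake(certPEM, keyPEM []byte, host string) error {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(certPEM) {
		return errors.New("certificate PEM did not parse")
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(5 * time.Second) // a failed handshake must not hang
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	// Tickets are off so the server sends nothing after its Finished message; on a
	// synchronous pipe an unread post-handshake record would block the server.
	srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	cli := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: host})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return fmt.Errorf("client rejected server: %w", err)
	}
	return <-srvErr
}

// certCoversHost is the name check a browser performs once the handshake has
// proved key possession: it is signed into the certificate and cannot be edited.
func certCoversHost(certPEM []byte, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("certificate PEM did not parse")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

func main() {
	certPEM, keyPEM, err := issueCert("sub.example.com")
	if err != nil {
		panic(err)
	}
	otherKey, _ := unrelatedKey()
	fmt.Println("cert + matching key:      ", loadKeyPair(certPEM, keyPEM))
	fmt.Println("cert + someone else's key:", loadKeyPair(certPEM, otherKey))
	fmt.Println("handshake for sub.example.com:", handshake(certPEM, keyPEM, "sub.example.com"))
	fmt.Println("cert reused for other.example.com:", certCoversHost(certPEM, "other.example.com"))
}
```

The mismatched pair fails in `loadKeyPair` before a single byte reaches the network, which is the "handshake error, not a skippable warning" outcome from the comments; and because the DNS names are covered by the CA's signature, a copied certificate cannot be made to vouch for a different host either.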

0 Answers