How is the digital signature of a self signed certificate verified?

1
votes

I am getting my hands dirty with https, ssl, PKI stuff. And there is one thing that I dont quite understand with self signed certificates. Say I want to create a self-signed certificate and send it over to my friend whenever we want to establish a secure connection.

So the steps are:

  1. create a private key.
  2. create a public key.
  3. sign the certificate with my public key.

So when my friend gets my certificate he has to verify that the certificate he gets is mine, he needs to decrypt digital signature. But in order to decrypt it and verify he has to have my private key. So, I am a bit confused here.

1
digital-signaturedigital-certificatepkiself-signed
Wikipedia: Suppose Alice wishes to send a signed message to Bob. She can use her own private key to do so. She produces a hash value of the message, raises it to the power of d (modulo n) (as she does when decrypting a message), and attaches it as a "signature" to the message. When Bob receives the signed message, he uses the same hash algorithm in conjunction with Alice's public key.Daniel W.

1 Answers

2
votes

You've got things reversed. You sign with your private key that only you have.

You include your public key with the signature so the recipient can "verify" that the signature was calculated correctly.

But a self-signed certificate gives no assurance of the sender's identity since there is no way to independently verify that the signed data/document came from the supposed signer.