
1. Introduction

SSL certificates follow the PPK (public/private key) model. To establish a connection, a public certificate and a private key are used to verify and encrypt a session. To verify these certificates, a Certificate Authority (CA) is used to sign them. A CA is a known and trusted third party that signs certificates and allows the hosts participating in the communication to be confident that they are both authorised by a separate entity (the CA).

There are a few CAs on the Internet, the most popular being Verisign (www.verisign.com). To get a CA key, you must apply to a CA, and in most cases you must also pay the CA for its service. You can also become your own CA, which means you can sign newly created certificates yourself. This is acceptable if an organisation is offering services to employees, as both parties trust the CA (the organisation). For public SSL sites, it is advisable to apply for a CA certificate from a known authority so that a client can present the server certificate as authentic to the end user. In the following pages, we will create self-signed certificates based on a self-created CA.
