What is an RSA key used for?
RSA key is a private key based on RSA algorithm. Private Key is used for authentication and a symmetric key exchange during establishment of an SSL/TLS session.
It is a part of the public key infrastructure that is generally used in case of SSL certificates. A public key infrastructure assumes asymmetric encryption where two types of keys are used: Private Key and Public Key (it is included in an SSL certificate). Since encrypted data transmission takes too much time in case of asymmetric encryption, this kind of encryption is used for a secure symmetric key exchange that is used for actual transmitted data encryption and decryption.
Usually, an RSA Private Key is generated in pair with a CSR. Neither we, nor Certificate Authorities have access to your private key. It is generated locally on your server and is never transmitted to us. It looks like a block of code with the header:
-----BEGIN RSA PRIVATE KEY-----
During CSR/Private Key generation, as a rule, it is possible to specify the key size. Nowadays most of the Certificate Authorities consider 2048-bit as an optimal key size for a RSA Private Key, since it provides a decent level of security and does not load the server’s CPU much. If you wish, you can use a 4096-bit key size for your Private Key with our certificates as well, however every doubling of an RSA Private Key slows down an SSL/TLS handshake approximately by 6-7 times.
Please make sure that the Private Key is backed up once it is generated as it will be required to install the certificate when you receive it. We do not recommend you sharing your private key with anybody. Keep it safe and inaccessible for anyone else, because one can easily decode the whole session if a private key is compromised (unless your server uses a Diffie-Hellman key exchange).
To be more clear we have replicated an ssl/tls session using starttls during connection to our ftp, and analyzed the session’s traffic. You can find below a part of the encoded stream:
Since it has been a test, we had an appropriate private key for it, so it was easy to decode the whole session:
In case you have a suspicion that your private key has been compromised, we highly recommend you to reissue the certificate.