How It Works
SSL certificates are used to encrypt the data passed to and from the site. Each SSL certificate has a public key and a corresponding private key.
A Certificate Signing Request (CSR) is a block of encoded text that is given to a Certificate Authority (CA) when applying for an SSL certificate. A certificate authority (CA) is a trusted entity that issues digital certificates. The CSR is usually generated on the server where the certificate will be installed, and it contains the information that will be included in the certificate, such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is created at the same time as the CSR; together with the public key in the CSR it forms the key pair.
A Certificate Authority (CA) will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.
The normal method is that you generate your private/public key pair on your own machine, then send the public key to the CA as part of a certificate request. The CA uses the data in the CSR, including that public key, to build a certificate that corresponds to your private key without ever seeing the key itself. The CA assembles and signs the certificate, and sends it back to you. Your private key never left your machine, and the CA never saw it.
However, in some cases it is a good idea to let the CA generate the key pair and send it to you. One situation where this is desirable is for asymmetric encryption keys: if you lose a private key, you lose all the data that has been encrypted with the corresponding public key, since you can no longer decrypt it. Therefore, encryption private keys should be backed up somewhere, and having the CA generate the private key makes it easy for the CA to enforce a comprehensive, inescapable backup system.
Once you receive the SSL certificate, you install it on your server. You also install an intermediate certificate, which establishes the credibility of your SSL certificate by tying it to your CA’s root certificate. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. There may be one or several intermediate certificates sitting between your site (server) certificate and the root certificate. The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser. The result is a certificate chain that begins at the trusted root CA, runs through the intermediate(s), and ends with the SSL certificate issued to you.
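The whole flow described above, as an added example driven with the openssl CLI (this is not code from the original page): the site operator generates the key and CSR locally, the CA signs the CSR and returns a certificate, and the server then checks that the certificate matches its private key and that the chain validates with the intermediate installed. The domain example.test, the file names, and the throw-away "toy" root and intermediate CA are constructed for the demonstration; with a real CA, the steps under make_toy_ca and sign_csr are replaced by submitting site.csr to the CA, which only ever sees the CSR and never site.key.

```shell
#!/bin/sh
# Added example, not from the original page: CSR -> CA -> certificate chain,
# driven with openssl. example.test, the file names and the "toy" CA are
# constructed for this demonstration; a real CA is external and sees only
# the CSR, never site.key.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 (site operator): generate the private key locally and a CSR that
# carries the subject fields plus the PUBLIC key. The private key stays here.
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/site.key" 2>/dev/null
    openssl req -new -key "$WORK/site.key" \
        -subj "/C=US/L=Springfield/O=Example Org/CN=example.test" \
        -out "$WORK/site.csr" 2>/dev/null
}

# Inspect the CSR the way a CA would: check its self-signature and confirm
# the Common Name is the domain we expect. Prints "ok" or "bad".
check_csr() {
    if openssl req -in "$WORK/site.csr" -noout -verify >/dev/null 2>&1 &&
       openssl req -in "$WORK/site.csr" -noout -subject | grep -q 'example.test'; then
        echo ok
    else
        echo bad
    fi
}

# Step 2 (toy CA, constructed): a self-signed root and an intermediate signed
# by the root. Only the intermediate issues end-entity certificates.
make_toy_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
}

# Step 3 (toy CA): sign the CSR. The CA never touches site.key; the public key
# inside the CSR is what ends up in the certificate.
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/site.crt" 2>/dev/null
}

# Step 4 (site operator): does this certificate belong to this private key?
# Derive the public key from each and compare. Prints "match" or "mismatch".
key_matches_cert() {  # $1 = private key file, $2 = certificate file
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then echo match; else echo mismatch; fi
}

# Step 5: validate the chain as a browser would, trusting only the root.
# $2 = intermediate to supply, or "" to simulate forgetting to install it.
verify_leaf() {
    if [ -n "$2" ]; then untrusted="-untrusted $2"; else untrusted=""; fi
    if openssl verify -CAfile "$WORK/root.crt" $untrusted \
            -verify_hostname example.test "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

run_demo() {
    make_key_and_csr
    echo "csr check:                  $(check_csr)"
    make_toy_ca
    sign_csr
    echo "key matches cert:           $(key_matches_cert "$WORK/site.key" "$WORK/site.crt")"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
    echo "other key matches cert:     $(key_matches_cert "$WORK/other.key" "$WORK/site.crt")"
    echo "chain with intermediate:    $(verify_leaf "$WORK/site.crt" "$WORK/int.crt")"
    echo "chain without intermediate: $(verify_leaf "$WORK/site.crt" "")"
}

run_demo
```

Run stand-alone, the script prints the five checks; the two worth keeping for a real deployment are `key_matches_cert`, which is how you confirm the certificate the CA returned belongs to the key you generated (any other key, as the "other key" line shows, gives a mismatch), and `verify_leaf` with and without the `-untrusted` intermediate: the "without" case fails with an incomplete chain, which is exactly what a browser sees when the intermediate certificate is not installed alongside the site certificate.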