SSL is a transport level protocol over TCP that is designed to provide communication security in two major ways:
- Encrypt data;
- Authenticate peers.
The first thing does not require any additional explanations and configurations.
The second one is based on cryptographic certificates. Each certificate consists from a public and a private parts. Private Key is a secret part of the certificate. Public key (often referred as Certificate itself) can be shared with anybody.
A certificate can basically be issued by anyone, so to solve a verification problem a trusted third party is required.
This party is called CA (Center Authority). One or both users send their certificates to CA. CA has its own certificate, just like everyone else. CA signs the certificate with its private key and takes responsibilities for all signed certificates.
Public CA key is openly available. Now, user A can download and verify user B’s certificate (if he trusts CA, that is).
Every server that works with SSL should have a certificate.
For client it’s mostly optional. In separate cases a certificate might be required to check user’s identity.