
How do private/public keys, CSRs, CAs, CERTs and signing relate to each other?



My understanding is that if Alice wants Bob to have reasons to believe that some message came from her, she can create a signature of that data using her private key and let Bob verify the signature+message with the related public key. However, Bob must be confident that the public key actually belongs to Alice and that is where I think a certificate authority comes in handy.

How does this really work? I don't really understand how/if/when the keys and certificates are created and shared between Alice, Bob and the CA.

  1. Can Alice (the program or the one who installed the program) create a public/private-key?
  2. If 1, can Alice (or the installer) create a CSR (Certificate signing request) from that public key?
  3. If 2, can Alice (or the installer) send this CSR to a CA (Certificate Authority)?
  4. Is there a certificate now? Has it been created in 1, 2 or 3?
  5. How can Alice make Bob trust signatures by Alice now? Should Alice send him a) her public key or b) her certificate so that Bob can "install" it somehow and thereby trust her, because he also trusts the CA?
  6. Wouldn't 5b somehow expose Alice's Private Key to Bob?
  7. Is it now possible for Alice to sign a message, and for Bob to verify her signature+message because Bob is confident that the public key is really Alice's public key?

Solution

    1. Can Alice (the program or the one who installed the program) create a public/private-key?

    Yep. Creating asymmetric keypairs is (relatively) easy and (relatively) cheap on modern computers.

    2. If 1, can Alice (or the installer) create a CSR (Certificate signing request) from that public key?

    Yessy-noey. The main body of a CSR uses the public key, but it is supposed to be signed with the private key for a proof-of-possession. (Maybe there are CAs which don't check the signature, though).

    3. If 2, can Alice (or the installer) send this CSR to a CA (Certificate Authority)?

    Yep. Anyone can send a CSR to a CA. The CA then does their thing (frequently involving credit cards) and issues a cert. Or doesn't.

    4. Is there a certificate now? Has it been created in 1, 2 or 3?

    Let's say it was created in step 3(b) (the CA acting on the CSR).

    5. How can Alice make Bob trust signatures by Alice now?

    That's a deeply metaphysical question.

    5. (again) How can Alice make Bob trust signatures by Alice now? Should Alice send him a) her public key or b) her certificate so that Bob can "install" it somehow and thereby trust her, because he also trusts the CA?

    Alice should send the certificate, which gives an association of { her as a subject entity, the public key } as well as any constraints or endorsements that the CA felt like providing. Then if Bob trusts the CA (or the CA's CA, etc) he will now have reason to believe that this public key does, indeed, signify that Alice is the one doing things.

    6. Wouldn't 5b somehow expose Alice's Private Key to Bob?

    No, certificates only contain public keys (which are public), metadata (which is public) and signatures (which are public). The private key of Alice was needed for creating the CSR, and the private key of the CA was needed to produce the certificate.

    With a big enough budget someone can derive a private key from a public key, but it's "infeasible" for an RSA-2048 key, or an ECC-256 key, in 2018. So... yessy-noey.

    7. Is it now possible for Alice to sign a message, and for Bob to verify her signature+message because Bob is confident that the public key is really Alice's public key?

    If Alice sends a) a message, b) a signature, and c) the certificate; then yes. If somehow the certificate and some Aliceness (Aliciosity?) were already associated then the message and signature along with the "I'm probably Alice" context would let the key be looked up.

    8. (Unasked) Are there other schemes which would work, without the certificate?

    Sure. If Bob can prove Alice is Alice and Alice hands him a public key, there's no need for the middle man. Then Bob can use "I'm probably Alice" and the public key he already knows belongs to Alice, then you're back to just needing a message and a signature. But then there's a question of how does she report compromise, et cetera.
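
The whole flow from steps 1 to 7, run with the `openssl` command line, as an added example that is not part of the original question or answer. The CA name, the subject `alice.example`, the file names and the function names are all constructed for illustration, and a stock `openssl.cnf` is assumed.

```shell
#!/bin/sh
# Added example. Constructed names: "Example Root CA", "alice.example", all file names.
set -eu
WORK=$(mktemp -d) && cd "$WORK"

# The CA's key and self-signed root certificate; Bob already trusts ca.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Root CA" -days 30 2>/dev/null
}

# Steps 1-4: key pair, CSR signed by Alice's private key, CA issues alice.crt.
issue_alice_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out alice.key 2>/dev/null
  openssl req -new -key alice.key -subj "/CN=alice.example" -out alice.csr
  # CA side: check the CSR's self-signature (proof of possession) before issuing.
  openssl req -in alice.csr -noout -verify 2>&1 | grep -q "verify OK"
  openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 7 -out alice.crt 2>/dev/null
}

# Signer side: sign_message KEY_FILE MESSAGE_FILE SIG_FILE
sign_message() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Bob: bob_verify MESSAGE_FILE SIG_FILE CERT_FILE. Bob holds only ca.crt.
bob_verify() {
  openssl verify -CAfile ca.crt "$3" >/dev/null 2>&1 || return 1  # does the CA vouch?
  openssl x509 -in "$3" -pubkey -noout > signer.pub || return 1   # key from the cert
  openssl dgst -sha256 -verify signer.pub -signature "$2" "$1" >/dev/null 2>&1
}

make_ca
issue_alice_cert
printf 'pay Bob 10' > msg.txt
sign_message alice.key msg.txt msg.sig
bob_verify msg.txt msg.sig alice.crt && echo "genuine message: accepted"

printf 'pay Mallory 10' > tampered.txt
bob_verify tampered.txt msg.sig alice.crt || echo "altered message: rejected"

# A self-signed certificate that merely claims Alice's name, with a different key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -subj "/CN=alice.example" -days 7 2>/dev/null
sign_message other.key msg.txt other.sig
bob_verify msg.txt other.sig other.crt || echo "cert not issued by the CA: rejected"
```

`bob_verify` never reads `alice.key`; everything Bob needs is in `ca.crt`, the certificate, the message and the signature.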