
The answer found on this Server Fault thread is my jumping-off point for this general topic: https://serverfault.com/a/313558

... and this question can be thought of as a follow-up to that answer.

Does my SSL cert have anything to do with or say about the symmetric session key? (I know that the browser and web server both have a role there, but what about the cert itself?)

If YES: Where is it specified in the cert?

If NO: Why do CAs all boast about "128-bit to 256-bit encryption" which is implicitly referring to the session key?


1 Answer


No. The strength and type of the symmetric encryption used is negotiated by your browser and web server (and thus based on their configuration). The certificate simply allows the key agreement to happen in a secure (authenticated) fashion.

Concerning your follow-up question: it's mostly a marketing gag. The certificate they sell enables you to use 256-bit encryption during the session, which is, of course, also true for absolutely any standards-compliant X.509 certificate.

mat
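The negotiation described in the answer above can be observed directly with the openssl command-line tool. The script below is an added example and is not part of the original answer; it assumes an `openssl` binary is on the PATH and that local TCP ports 44330-44332 are free. It generates one self-signed certificate, confirms that the certificate text names no symmetric cipher at all, and then runs three TLS 1.2 handshakes against that same certificate in which only the server's or the client's cipher configuration changes. The negotiated suite follows the configuration every time, never the certificate.

```shell
#!/bin/sh
# Added example (not from the original page): the symmetric cipher of a TLS
# session is chosen by server and client configuration, not by the X.509 cert.
# Assumes the openssl CLI is installed and ports 44330-44332 are free locally.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One RSA key pair and one self-signed certificate, reused for every handshake.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=localhost" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# Count the symmetric-cipher names that appear in the decoded certificate.
# The only key size the cert carries is the 2048-bit RSA public key, which is
# the asymmetric key, not the session key.
symmetric_cipher_mentions_in_cert() {
    openssl x509 -in "$WORK/cert.pem" -noout -text \
        | grep -ci 'aes\|chacha\|camellia\|3des' || true
}

# Run s_server restricted to $1 (OpenSSL cipher list), connect with s_client
# restricted to $2, on port $3, and print the cipher suite that was agreed.
# TLS 1.2 is forced on both sides so the -cipher lists actually apply
# (TLS 1.3 suites are configured separately and would mask the effect).
negotiated_cipher() {
    server_ciphers="$1"
    client_ciphers="$2"
    port="$3"
    openssl s_server -accept "$port" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -tls1_2 -cipher "$server_ciphers" -www >/dev/null 2>&1 &
    spid=$!
    cipher=""
    tries=0
    # Retry until the server is listening; s_client prints nothing usable
    # on a refused connection, so an empty result means "try again".
    while [ -z "$cipher" ] && [ "$tries" -lt 20 ]; do
        sleep 1
        cipher="$(openssl s_client -connect "127.0.0.1:$port" -tls1_2 \
                    -cipher "$client_ciphers" </dev/null 2>/dev/null \
                  | sed -n 's/^New, .*Cipher is //p' | head -n 1)"
        tries=$((tries + 1))
    done
    kill "$spid" 2>/dev/null || true
    wait "$spid" 2>/dev/null || true
    echo "$cipher"
}

AES128="ECDHE-RSA-AES128-GCM-SHA256"
AES256="ECDHE-RSA-AES256-GCM-SHA384"

echo "symmetric cipher names in cert: $(symmetric_cipher_mentions_in_cert)"
# Same cert, server allows only AES-128: session uses AES-128.
echo "server=AES128 client=DEFAULT  -> $(negotiated_cipher "$AES128" DEFAULT 44330)"
# Same cert, server allows only AES-256: session uses AES-256.
echo "server=AES256 client=DEFAULT  -> $(negotiated_cipher "$AES256" DEFAULT 44331)"
# Same cert, server allows both, client allows only AES-128: client wins.
echo "server=both   client=AES128   -> $(negotiated_cipher "$AES256:$AES128" "$AES128" 44332)"
```

Nothing about the certificate changed between the three handshakes; only the `-cipher` lists did. A CA's "256-bit encryption" claim is therefore a statement about what any RSA or ECDSA certificate permits once the endpoints are configured for it, not a property written into the certificate. If you want to verify the same thing against a live site, `openssl s_client -connect host:443` prints the `New, ..., Cipher is ...` line for that server's own configuration.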