posted 17 years ago
I'm sure there would be a way to put a private key into the ".cer" file, but I'm equally certain this would be silly. The point of the certificate is to distribute the public key. If you distribute the private key, the public key is worthless. Likewise, I am pretty certain that your friend did _not_ get a ".cer" from VeriSign with a private key in it.
The general approach to getting certificates is to create the public/private key pair (these are _not_ the same value; each one is unique, but related). Then, using the "public" key (it doesn't matter which one of the two you declare as "public", but one will be put into the certificate, and the other will be protected from anyone getting access - hence one is "public" and the other is "private"), you will generate a "Certificate Signing Request" (CSR, following the "PKCS#10" specification from RSA). The CSR will contain identifying information about the certificate requestor, and the public key. This is sent to the Certification Authority (CA - e.g. VeriSign), who will (hopefully) verify the identity of the requestor, and issue the certificate (the ".CER" file). The issued certificate will contain all of the identifying information supplied to the CA, the public key from the requestor, _AND_ the CA's digital signature (a digest/hash of the data in the certificate, encrypted with the CA's private key). In order to verify the certificate, you simply use the CA's public key (which you get from their certificate) to decrypt the digest/hash value, and then run your own hash/digest of the certificate you were given - if the one in the signature matches the digest you generated, the certificate is the one issued by the CA.
If your private key is given out, then both the public and private keys are essentially useless. Sure, they can encrypt/decrypt for each other - but _anyone_ could perform either side of the equation, which means that you could never be sure who was doing what.
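The key pair, CSR, CA issuance and verification steps described in the post, as an added example using the openssl command line (this is not the poster's code). It assumes the `openssl` CLI is installed; the subject names "Demo Root CA" and "demo.example", the file names, and the one-day validity are constructed for the demo, and everything is written to a temporary directory. The last two checks make the post's point concrete: the issued .cer carries the requestor's public key only, and it verifies only against the CA that actually signed it.

```shell
#!/bin/sh
# Added example: key pair -> PKCS#10 CSR -> CA-issued certificate -> verification.
# All names and paths are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The CA's own key pair and self-signed certificate (stands in for VeriSign).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
}

# 2. The requestor's key pair, then a PKCS#10 CSR carrying the requestor's
#    identity and public key (the private key never leaves req.key).
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/req.key" 2>/dev/null
    openssl req -new -key "$WORK/req.key" -sha256 \
        -subj "/CN=demo.example" -out "$WORK/req.csr" 2>/dev/null
}

# 3. The CA checks the CSR's self-signature (proof the requestor holds the
#    matching private key), then issues the certificate: requestor identity and
#    public key, signed with the CA's private key.
issue_cert() {
    openssl req -in "$WORK/req.csr" -verify -noout 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/req.csr" -sha256 -days 1 \
        -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/issued.cer" 2>/dev/null
}

# 4. What a relying party does: check the CA's signature on the issued cert
#    using only the CA's public key, taken from the CA certificate.
verify_issued() {
    openssl verify -CAfile "$WORK/ca.cer" "$WORK/issued.cer" >/dev/null 2>&1
}

# The same certificate must NOT verify against an unrelated CA's public key.
verify_against_wrong_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.cer" 2>/dev/null
    openssl verify -CAfile "$WORK/other.cer" "$WORK/issued.cer" >/dev/null 2>&1
}

# The .cer distributes the public key only: succeeds if no private key
# material is present in the file.
cer_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORK/issued.cer"
}

# The public key in the issued cert is the one from the CSR, which is the
# public half of req.key: succeeds when all three agree.
public_keys_match() {
    k1=$(openssl pkey -in "$WORK/req.key" -pubout 2>/dev/null)
    k2=$(openssl req -in "$WORK/req.csr" -pubkey -noout 2>/dev/null)
    k3=$(openssl x509 -in "$WORK/issued.cer" -pubkey -noout 2>/dev/null)
    [ "$k1" = "$k2" ] && [ "$k2" = "$k3" ]
}

make_ca
make_csr
issue_cert
verify_issued && echo "issued.cer verifies against ca.cer"
verify_against_wrong_ca || echo "issued.cer does not verify against an unrelated CA"
cer_has_no_private_key && echo "issued.cer contains no private key"
public_keys_match && echo "public key in key file, CSR and certificate agree"
```

Running the script prints the four confirmation lines; `openssl x509 -in "$WORK/issued.cer" -text -noout` (before the temporary directory is removed) shows the subject, the issuer, the public key and the CA's signature value that the post describes.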