Using java 'keytool' command we generate a private key and public key and also we can export the public key to a .cer file. Now my question is can a .cer file contain a private key. My impression is .cer is a public key certificate that can contain only public key but not private key.
Someone told me that they procured a certificate from VeriSign and they have received a .cer file from VeriSign that contains both private key and public key. Can this be true that .cer file can contain a private key? Please clarify?
I'm sure there would be a way to put a private key into the ".cer" file, but I'm equally certain this would be silly. The point of the certificate is to distribute the public key. If you distribute the private key, the public key is worthless. Likewise, I am pretty certain that your friend did _not_ get a ".cer" from VeriSign with a private key in it.
The general approach to getting certificates is to create the public/private key pair (these are _not_ the same value, each one is unique - but related). Then using the "public" key (it doesn't matter which one of the two you declare as "public", but one will be put into the certificate, and the other will be protected from anyone getting access - hence one is "public" and the other is "private"), you will generate a "Certificate Signing Request" (CSR - following "PKCS#10" specification from RSA). The CSR will contain identifying information about the certificate requestor, and the public key. This is sent to the Certification Authority (CA - e.g. VeriSign), who will (hopefully) verify the identity of the requestor, and issue the certificate (the ".CER" file). The issued certificate will contain all of the identifying information supplied to the CA, the public key from the requestor, _AND_ the CA's digital signature (a digest/hash of the data in the certificate, encrypted with the CA's private key). In order to verify the certificate, you simply use the CA's public key (which you get from their certificate), and decrypt the digest/hash value, and then run your own hash/digest of the certificate you were given - if the one in the signature matches the digest you generated - the certificate is the one issued by the CA.
If your private key is given out, then both the public and private keys are essentially useless. Sure, they can encrypt/decrypt for each other - but _anyone_ could perform either side of the equation, which means that you could never be sure who was doing what.