SSL client authentication using certificates -- it's a complex topic, and I think I've learned just enough to make it even more complex.
Here is my basic understanding: A public and private key are generated by a certificate authority. This information can be saved within a "certificate" and then used by the client to authenticate.
Why is it possible to have a certificate without a private key? I know that, if exporting a cert from the Windows cert store, you can export it without a private key. How is a cert without a private key used? I always thought you needed both if you were going to transfer that to another PC/device to use.
Can a private key be requested at any time if a public key and CA is already known?
You may opt to allow the certificate authority to generate the private key for you, but you do not have to. You can generate the private key on your own system and then submit a certificate signing request to the certificate authority. The certificate authority does not ever need to know your private key. If you are really paranoid about security, you shouldn't let them generate the private key for you.
For a service to authenticate that your key is valid, they either need to trust the root key for the certificate authority that has generated your certificate, or they need a copy of your certificate with the public portion of the key. A service which authenticates you does not need your private key.
Some services may not want to trust every key that is issued by a CA. So they may want to save the public version of your key so they know you are you. Of course if they trust the CA to put valid information into the Subject, then
It should never be possible to retrieve the private key if you have only the public key.
If you allow your CA to generate your private key for you, and they save the private key on their system and have weak security, I guess the CA could be attacked and the private key retrieved. The public portion of the key will contain information about the CA. This seems pretty unlikely though.
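The flow this answer describes, shown end to end with the openssl command line as an added example (not code from the original thread): the client keeps its private key, only the CSR goes to the CA, the issued certificate carries just the public key, and a relying party validates it with nothing but the CA certificate. It assumes openssl is installed with its default configuration; the CA name, subject and challenge value are made up.

```shell
#!/bin/sh
set -e
WORK=$(mktemp -d)

# 1. The CA creates its own key pair and a self-signed root certificate (constructed example CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -subj "/CN=Example Root CA" -days 1 2>/dev/null

# 2. The client generates its private key locally and a certificate signing request.
#    Only client.csr is sent to the CA; client.key never leaves this machine.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
  -out "$WORK/client.csr" -subj "/CN=alice" 2>/dev/null

# 3. The CA signs the CSR with ca.key and returns client.crt. It never saw client.key.
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/client.crt" -days 1 2>/dev/null

# The issued certificate contains no private-key material at all (this is why it can
# be exported or handed to a server without the key).
cert_has_private_key() { grep -q "PRIVATE KEY" "$WORK/client.crt"; }

# The public key embedded in the certificate is the one derived from the local private key.
cert_matches_key() {
  [ "$(openssl x509 -in "$WORK/client.crt" -pubkey -noout)" = \
    "$(openssl pkey -in "$WORK/client.key" -pubout)" ]
}

# A relying party that trusts the CA needs only ca.crt to validate the certificate chain.
cert_verifies_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# What client authentication actually proves: the holder of client.key signs a challenge,
# and the verifier checks it using only the public key extracted from the certificate.
challenge_roundtrip() {
  echo "constructed-nonce-12345" > "$WORK/challenge"
  openssl dgst -sha256 -sign "$WORK/client.key" \
    -out "$WORK/challenge.sig" "$WORK/challenge"
  openssl x509 -in "$WORK/client.crt" -pubkey -noout > "$WORK/client.pub"
  openssl dgst -sha256 -verify "$WORK/client.pub" \
    -signature "$WORK/challenge.sig" "$WORK/challenge" >/dev/null 2>&1
}
```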