The SSL certificate contains information about the certificate:
- Domain Name(s)
- Public Key
- Company
- Issue Date
- Expiry Date
- Issuer
And more
Client encrypts their messages with a public key supplied by the website that ONLY the server can decrypt with their private key
NOTE: This private key needs to be stored in a safe location on the server with the correct permissions and so it is NOT accessible by anyone outside the server
To prevent a 'man-in-the-middle' attack on the certificate, this cert is cryptographically signed by someone else's private key so that the signature can be verified by anyone who has the corresponding public key.
Certificate Authorities (CA) sells their private key as a service to sign certificates for companies.
A private key from a vendor such as 'Thawte', 'Verisign' etc can be used as nobody else can gain access to this key. NO one can forge their signature.