Sorry that it isn't exactly a programming question, but it is also of interest. So my question is: where does the user's private key come from? Does it come in a key pair together with the public key in the certificate that is generated at the CA, or is it generated in the client OS, with only the thumbprint, public key and so on coming from the CA?

Thank you in advance.

+1  A: 

Private and public keys are mathematically linked. The generation process gets you both, always; one is called private (you keep it safe), one is called public (you can give it to anyone). The link is hard to find, so knowing one of them does not help in finding the other one.

When you sign something, you need your private key. When people want to check the signature, they need your public key.

When you encrypt something, you need the public key of the recipient. Only he will be able to decrypt, because this requires the private key.

So, at the beginning, you have both in a file and you can extract the public key for distribution (or put it in a certificate if you want other people to trust it).

Edit: I started a comment but it was too long, so here it is:

Each security library has its own tools that implement the necessary math to build the correct public/private pair. OpenSSL comes with a command line tool, with which you can create your own CA, create certificate requests and certificates. Windows Server has Certificate Services with analogous features. .NET has the sn (sn = strong name) tool that creates files (with snk extension) with public/private keys (used to sign a DLL). Visual Studio has a GUI front-end for creating snk files. There are of course tools in the Java world (one is called keystore if I am not mistaken) and on Mac OS X. When you create certificates yourself, they are called 'self-signed' and are not trusted by the rest of the world.

Timores
Thank you very much, but I still don't understand: where do I get this key pair from? Does it come from the CA server, or is it generated by the user's OS or the DC when the user is created? In other words, do I get this pair by default from my OS without submitting a request for a certificate to the CA?
Andrey
Please have a look at the edited answer.
Timores
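As an added example (not from the original question or answers), here is the flow the answer describes, done with the OpenSSL command line it mentions: the key pair is generated on the client, only the certificate request (public key plus identity) goes to the CA, and the CA returns a certificate whose public key is the one derived locally. File names, the subject names and the signed message are made up for the demo, and the commands need the `openssl` binary on the PATH.

```shell
# Added demo (not from the original post): client generates the key pair,
# CA only ever sees the CSR. All file names and subjects are made up.
set -eu
WORK=$(mktemp -d)

# Client side: the private key is generated here and never leaves this machine.
gen_client_keypair() {
  openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
  # Extract the public half for distribution.
  openssl rsa -in "$WORK/client.key" -pubout -out "$WORK/client.pub" 2>/dev/null
  # The CSR carries the public key and identity, signed with the private key.
  openssl req -new -key "$WORK/client.key" -subj "/CN=example-user" \
    -out "$WORK/client.csr" 2>/dev/null
}

# CA side: a self-signed CA issues a certificate from the CSR alone.
ca_issue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Example CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/client.crt" 2>/dev/null
}

# The CSR (what the CA receives) contains no private key material.
csr_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$WORK/client.csr"
}

# The public key inside the issued certificate is the one derived locally.
cert_pubkey_matches_local() {
  from_cert=$(openssl x509 -in "$WORK/client.crt" -noout -pubkey 2>/dev/null)
  local_pub=$(cat "$WORK/client.pub")
  [ "$from_cert" = "$local_pub" ]
}

# Sign with the private key; anyone holding the certificate can verify.
sign_and_verify() {
  printf 'hello' > "$WORK/msg"
  openssl dgst -sha256 -sign "$WORK/client.key" -out "$WORK/msg.sig" "$WORK/msg"
  openssl x509 -in "$WORK/client.crt" -noout -pubkey > "$WORK/cert.pub"
  openssl dgst -sha256 -verify "$WORK/cert.pub" -signature "$WORK/msg.sig" \
    "$WORK/msg" >/dev/null 2>&1
}

gen_client_keypair
ca_issue_cert
csr_has_no_private_key && cert_pubkey_matches_local && sign_and_verify \
  && echo "private key stayed on the client; CA saw only the public key"
```

The same division of labour holds for Windows Certificate Services: the requesting machine creates the pair and sends a request, and the issued certificate only ever carries the public half.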