I read that the same key should not be used for both certificate signing and encryption.
I wonder if this is not a problem with PKI/TLS/SSL, the reason being that asymmetric encryption is used to transmit the public key (via the certificate). The public key is used to encrypt a browser-generated session key. The session key is used for symmetric encryption of the actual traffic.
Is that how it works and does that mean it is okay to sign both with the same key?
How would I go about using separate keys?
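
Added example, not part of the original question: one way to keep signing and encryption on separate keys is to generate two key pairs and restrict each certificate with the X.509 keyUsage extension. It assumes OpenSSL 1.1.1 or later (for `-addext`); the file and subject names are constructed, and the certificates are self-signed only so the script runs offline.

```shell
#!/bin/sh
# Added example: two RSA key pairs, each bound to one purpose via keyUsage.
# File names and subject names are constructed for this example.

# make_cert NAME USAGE: create NAME.key and a self-signed NAME.crt whose
# critical keyUsage extension is limited to USAGE.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.crt" -days 30 \
        -subj "/CN=$1.example.test" \
        -addext "keyUsage=critical,$2" 2>/dev/null
}

# cert_usage FILE: print the keyUsage values recorded in the certificate.
cert_usage() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//; s/ *$//'
}

# same_key A B: succeed only if both certificates carry the same public key.
same_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

workdir=$(mktemp -d)
cd "$workdir" || exit 1

make_cert sign digitalSignature      # key used only for signatures
make_cert encrypt keyEncipherment    # key used only to encrypt session keys

echo "sign.crt:    $(cert_usage sign.crt)"
echo "encrypt.crt: $(cert_usage encrypt.crt)"
if same_key sign.crt encrypt.crt; then
    echo "certificates share one key"
else
    echo "certificates use separate keys"
fi
```

Software that honours a critical keyUsage extension will refuse to use `sign.crt` for key encipherment and `encrypt.crt` for signature verification.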