Secure session capability using public-key cryptography without access to the private key

What is claimed is: 1. A method in a first server for establishing a secure session with a client device, the method comprising: receiving, from the client device, a Client Hello message that includes a first random value; in response to the received Client Hello message, transmitting a Server Hello message to the client device that includes a second random value; transmitting, to the client device, a Server Certificate message that includes one or more digital certificates; transmitting, to the client device, a Server Hello Done message; receiving, from the client device, a Client Key Exchange message that includes an encrypted premaster secret, wherein the first server does not have access to a private key that can decrypt the encrypted premaster secret; transmitting the first random value, the second random value, and the encrypted premaster secret to a seperate second server that has access to the private key to decrypt the encrypted premaster secret; receiving, from the second server, a master secret that was generated using a function that takes as input at least in part the decrypted premaster secret, the first random value, and the second random value; receiving, from the client device, a first Change Cipher Spec message; receiving, from the client device, a first Finished message; generating, using the received master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server; transmitting to the client device, a second Change Cipher Spec message; and transmitting, to the client device, a second Finished message. 2. The method of claim 1 , wherein the first server and the second server are owned or operated by different entities. 3. The method of claim 1 , wherein the master secret is received over a secure session between the first server and the second server. 4. The method of claim 3 , further comprising: as part of establishing the secure session between the first server and the second server, transmitting, to the second server, a client Certificate message that includes a digital certificate of the first server. 5. The method of claim 1 , further comprising: after transmitting the second Finished message to the client device, receiving from the client device a request for a resource over the secure session, wherein the request is encrypted; decrypting, using the set of session keys, the request for the resource; transmitting the request for the resource to a third server; receiving the resource from the third server in response to the request; generating an encrypted response that includes the received resource, wherein the encrypted response is encrypted with the set of session keys; and transmitting the encrypted response to the client device. 6. The method of claim 5 , wherein the second server and the third server are the same server. 7. The method of claim 1 , further comprising: transmitting, to the second server, an indication of a domain for which the client device is attempting to establish the secure session that is to be used by the second server to identify the private key. 8. A method in a first server for establishing a secure session with a client device, the method comprising: receiving a message from the client device that initiates a handshake procedure to establish a secure session between the client device and the first server; negotiating a set of cryptographic parameters between the client device and the first server for the secure session, wherein negotiating the set of cryptographic parameters includes the first server receiving an encrypted premaster secret from the client device, wherein the first server does not have access to a private key to decrypt the encrypted premaster secret; transmitting at least some of the negotiated set of cryptographic parameters to a separate second server, wherein the transmitted at least some of the negotiated set of cryptographic parameters includes the encrypted premaster secret and a plurality of random values exchanged between the client device and the first server; receiving, from the second server, a master secret that has been generated using at least the plurality of random values exhanged between the client device and the first server and the encrypted premaster secret; generating, using at least the master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server; and completing the handshake procedure with the client device such that the set of session keys will be used for during the secure session for encrypting and decrypting communication between the client device and the first server. 9. The method of claim 8 , wherein the plurality of random values exchanged between the client device and the first server includes a first random value selected by the client device and a second random value selected by the first server. 10. The method of claim 8 , wherein the first server and the second server are owned or operated by different entities. 11. The method of claim 8 , wherein the master secret is received over a secure session between the first server and the second server. 12. The method of claim 11 , further comprising: as part of establishing the secure session between the first server and the second server, transmitting, to the second server, a client Certificate message that includes a digital certificate of the first server. 13. The method of claim 8 , further comprising: after completing the handshake procedure, receiving from the client device over the secure session a request for a resource, wherein the request is encrypted; decrypting, using the set of session keys, the request for the resource; transmitting the request for the resource to a third server; receiving the resource from the third server in response to the request; generating an encrypted response that includes the received resource, wherein the encrypted response is encrypted with the set of session keys; and transmitting the encrypted response to the client device. 14. The method of claim 13 , wherein the second server and the third server are the same server. 15. The method of claim 8 , further comprising: transmitting, to the second server, an indication of a domain for which the client device is attempting to establish the secure session that is to be used by the second server to identify the private key. 16. An apparatus comprising: a first server including a set of one or more hardware processors and a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of hardware processors, cause the set of hardware processors to perform the following operations: receive, from the client device, a Client Hello message that includes a first random value; in response to the received Client Hello message, transmit a Server Hello message to the client device that includes a second random value; transmit, to the client device, a Server Certificate message that includes one or more digital certificates; transmit, to the client device, a Server Hello Done message; receive, from the client device, a Client Key Exchange message that includes an encrypted premaster secret, wherein the first server does not have access to a private key that can decrypt the encrypted premaster secret; transmit the first random value, the second random value, and the encrypted premaster secret to a separate second server that has access to the p