by tinus_hn 3122 days ago
If you use ephemeral keys, as you should, the contents of past encryption are still secure if the private key gets leaked. The encryption keys are newly generated each time; the certified private/public key pair is only used to validate that these encryption keys belong to the server that has the certified keys.

This is called Forward Secrecy.

1 comments

With TLS, the symmetric encryption keys are always newly generated regardless of the cipher suite chosen; the difference with the ephemeral cipher suites is how the keys are communicated.

Without forward secrecy, the client chooses the premaster secret, encrypts it with the server's public key, and sends it in the ClientKeyExchange message. With forward secrecy, the client receives signed ServerDHParams in the ServerKeyExchange and responds with ClientDiffieHellmanPublic in the ClientKeyExchange.
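
The two key exchanges described in this thread, as an added toy model that is not part of the original comments: it records what crosses the wire in each case and then applies a leaked long-term private key to the recording. Assumptions: textbook RSA without padding, constructed toy primes, a constructed DH group, and hypothetical function names; no real TLS messages are produced.

```python
# Toy model of the two TLS key exchanges (constructed parameters,
# textbook RSA without padding; not a TLS implementation).
import secrets

# Long-term server RSA key pair (toy primes; real keys are 2048+ bits).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # the certified private key

# Finite-field DH group (toy choice: Mersenne prime 2**127 - 1, base 3).
DH_P, DH_G = 2**127 - 1, 3

def rsa_sign(priv_d, value):
    return pow(value % N, priv_d, N)

def rsa_verify(sig, value):
    return pow(sig, E, N) == value % N

def rsa_key_exchange():
    """Client picks the premaster and sends it encrypted to the server key."""
    premaster = secrets.randbelow(N - 2) + 2
    return premaster, {"ClientKeyExchange": pow(premaster, E, N)}

def dhe_key_exchange():
    """Server signs a fresh DH value; client answers with its own DH value."""
    a = secrets.randbelow(DH_P - 2) + 1          # server ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1          # client ephemeral secret
    ys, yc = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    sig = rsa_sign(D, ys)                        # long-term key only signs
    assert rsa_verify(sig, ys)                   # client checks the signature
    assert pow(ys, b, DH_P) == pow(yc, a, DH_P)  # both sides agree
    wire = {"ServerKeyExchange": (ys, sig), "ClientKeyExchange": yc}
    return pow(ys, b, DH_P), wire                # a and b are thrown away

def leaked_key_yields(wire, leaked_d):
    """Apply the leaked private key to every value in a recorded transcript."""
    values = []
    for v in wire.values():
        values.extend(v if isinstance(v, tuple) else [v])
    return {pow(v % N, leaked_d, N) for v in values}

if __name__ == "__main__":
    pm, wire = rsa_key_exchange()
    print("RSA premaster recovered:", pm in leaked_key_yields(wire, D))
    pm, wire = dhe_key_exchange()
    print("DHE premaster recovered:", pm in leaked_key_yields(wire, D))
```

In the DHE case the premaster depends on `a` or `b`, neither of which is sent or kept, so the recorded transcript plus the long-term key does not yield it.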