# Creating Public/Private Key Pairs

This page explains how to generate public/private key pairs using [OpenSSL](https://www.openssl.org/) command-line tools.

### **Generating an RSA Key**

Use the following commands to generate an RSA key pair.

```bash
$ openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
$ openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem
```

These commands create the following public/private key pair:

* `rsa_private.pem`: The private key. It must be stored securely on the device and is used to sign the JWT.
* `rsa_public.pem`: The public key. It must be uploaded to akenza and is used to verify the signature of the JWT.

### **Generating Elliptic Curve Keys**

Use the following commands to generate a P-256 Elliptic Curve key pair.

```bash
$ openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem 
$ openssl ec -in ec_private.pem -pubout -out ec_public.pem
```

These commands create the following public/private key pair:

* `ec_private.pem`: The private key. It must be stored securely on the device and is used to sign the JWT.
* `ec_public.pem`: The public key. It must be uploaded to akenza and is used to verify the signature of the JWT.

### **Self-Signed RSA X509 Certificate**

Use the following command to generate a 2048-bit RSA private key and a self-signed X.509 certificate with a SHA-256 signature.

```bash
$ openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem -out rsa_cert.pem -subj "/CN=<deviceID>"
```

The subject claim must be set to the device ID used during provisioning in akenza (e.g. MAC address or other hardware identifier).

By default, a certificate created with `openssl req -x509` expires 30 days after creation. To set the number of days until the certificate expires, add the `-days <n>` flag at creation time.

### **Self-Signed EC X509 Certificate**

Use the following command to generate a self-signed X.509 certificate for the elliptic curve private key `ec_private.pem` created in the section above.

```bash
$ openssl req -x509 -new -key ec_private.pem -out ec_cert.pem
```

The subject claim must be set to the device ID used during provisioning in akenza (e.g. MAC address or other hardware identifier).

By default, a certificate created with `openssl req -x509` expires 30 days after creation. To set the number of days until the certificate expires, add the `-days <n>` flag at creation time.
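
The EC steps above can be combined with a check of the result before anything is uploaded. The script below is an added example, not part of the akenza documentation: it creates the key pair and certificate with owner-only file permissions, then confirms that the certificate carries the device's public key, that the subject is the device ID, and that `-days` took effect. The function names and the device ID in the usage comment are assumptions for illustration.

```shell
# Added example (not akenza's code). Function names are hypothetical.

# usage: make_device_cert <device_id> <days> <out_dir>
make_device_cert() (
  id=$1; days=$2
  umask 077                      # new files are readable by the owner only
  mkdir -p "$3" && cd "$3" || exit 1
  openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem &&
  openssl ec -in ec_private.pem -pubout -out ec_public.pem 2>/dev/null &&
  openssl req -x509 -new -key ec_private.pem -out ec_cert.pem \
    -subj "/CN=$id" -days "$days"
)

# usage: check_device_cert <device_id> <days> <dir>
# Exit status: 0 ok, 2 key mismatch, 3 wrong subject, 4 wrong validity, 5 loose perms
check_device_cert() (
  id=$1; days=$2
  cd "$3" || exit 1

  # 1. The certificate and ec_public.pem must both match the private key.
  key_pub=$(openssl ec -in ec_private.pem -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in ec_cert.pem -noout -pubkey)
  file_pub=$(cat ec_public.pem)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] && [ "$key_pub" = "$file_pub" ] ||
    { echo "public key does not match private key" >&2; exit 2; }

  # 2. The subject must be exactly CN=<device_id>.
  subj=$(openssl x509 -in ec_cert.pem -noout -subject -nameopt RFC2253 |
         sed 's/^subject= *//')
  [ "$subj" = "CN=$id" ] || { echo "unexpected subject: $subj" >&2; exit 3; }

  # 3. Still valid in <days>-1 days, expired by <days>+1 days.
  openssl x509 -in ec_cert.pem -noout \
    -checkend $(( (days - 1) * 86400 )) >/dev/null || exit 4
  if openssl x509 -in ec_cert.pem -noout \
       -checkend $(( (days + 1) * 86400 )) >/dev/null; then exit 4; fi

  # 4. The private key must not be readable by group or others.
  [ -n "$(find ec_private.pem -perm 600)" ] ||
    { echo "ec_private.pem permissions are too open" >&2; exit 5; }
)

# Example call (constructed device ID):
#   make_device_cert "02:00:00:AA:BB:CC" 365 ./device-keys &&
#   check_device_cert "02:00:00:AA:BB:CC" 365 ./device-keys
```
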

