Creating Public/Private Key Pairs

This page explains how to generate public/private key pairs using OpenSSL command-line tools.

Generating an RSA Key

Use the following commands to generate an RSA key pair.

$ openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
$ openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem

These commands create the following public/private key pair:

• rsa_private.pem: The private key that must be securely stored on the device and used to sign the JWT.

• rsa_public.pem: The public key that must be uploaded in akenza and is used to verify the signature of the JWT.

Generating Elliptic Curve Keys

Use the following commands to generate a P-256 Elliptic Curve key pair.

$ openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem 
$ openssl ec -in ec_private.pem -pubout -out ec_public.pem

These commands create the following public/private key pair:

• ec_private.pem: The private key that must be securely stored on the device and used to sign the JWT.

• ec_public.pem: The public key that must be uploaded in akenza and is used to verify the signature of the JWT.

Self-Signed RSA X509 Certificate

Use the following commands to generate a 2048-bit RSA private key and a self-signed x.509 certificate with a SHA-256 signature.

The subject claim must be set to the device ID used during provisioning in akenza (e.g. MAC address or other hardware identifier).

By default, X.509 certificates expire 30 days after creation. To set the number of days until the certificate expires, add the -days <n> flag at creation time.

Self-Signed EC X509 Certificate

Use the following commands to generate an elliptic curve private key and a self-signed x.509 certificate.

The subject claim must be set to the device ID used during provisioning in akenza (e.g. MAC address or other hardware identifier).

By default, X.509 certificates expire 30 days after creation. To set the number of days until the certificate expires, add the -days <n> flag at creation time.