Generating Signed Key Pairs

Certificate signing

Supported key types

  1. RSA (default)

  2. ED25519 (recommended for performance)

Environment variable configuration

SIGNING_KEY_TYPE (possible values: RSA or ED25519)

Key pair configuration for DIVOC certificate

Environment variables

CERTIFICATE_SIGNER_PRIVATE_KEY, CERTIFICATE_SIGNER_PUBLIC_KEY

The expected values for these configurations change depending on the type of key in use:

RSA -

  • Private key format: 2048 bit, PEM

  • Public key format: PEM

ED25519 -

Key       Format   Type     Encoding
Private   DER      PKCS#8   Base58
Public    DER      SPKI     Base58

Reference steps for key generation

RSA key generation using openssl

openssl genrsa -out privatekey.pem 2048

openssl rsa -in privatekey.pem -out publickey.pem -pubout -outform PEM

ED25519

Use an external library such as ed25519-verification-key-2018 to generate a key-pair in the required format.

Key pair configuration for EU certificate

Generation of key pair for signing an EU certificate:

  • Copy the certificate generation script file gen-dsc.sh and put it in the desired location.

  • Copy the certificate configuration file cert.conf and put it in the same folder where the certificate generation script was copied to.

  • Open the cert.conf file and edit it according to your requirement.

C - Country name (2 letter code)

The two-letter country code where your company is legally located.

ST - State or province name (full name)

The state/province where your company is legally located.

L - Locality name (for example, city)

The city where your company is legally located.

O - Organisation name (for example, company)

The legally registered name of your company (for example, YourCompany, Inc.).

OU - Organisational unit name (for example, section)

The name of your department within the organisation. (You can leave this option blank; simply press *Enter*.)

CN - Common name (for example, server FQDN)

The fully qualified domain name (FQDN), for example http://www.example.com.

  • Run the gen-dsc.sh file to generate the key pair for signing the EU certificate.

  • For generation of RSA key pair: ./gen-dsc.sh RSA CSR

  • For generation of ECDSA key pair: ./gen-dsc.sh ECDSA CSR

  • The script will generate the following 3 files:

  1. Private key filename - DSC01privkey.key

  2. CSR filename - DSC01csr.pem

  3. Certificate filename - DSC01cert.pem

  Public key format: PEM

Configuring EU certificate retrieval from the certificate-API service

  1. Generate the key pair required for signing the EU certificate and share the CSR file with the CA for signing.

  2. In the divoc-config configMap, set the following environment variables:

  • EU_CERTIFICATE_PRIVATE_KEY - Private key for signing the EU payload (in PKCS8 format).

  • EU_CERTIFICATE_PUBLIC_KEY - The certificate provided by CA after signing the CSR.

  • EU_CERTIFICATE_EXPIRY - Expiry of the certificate in months (for example, 12).
