Generating Signed Key Pairs

Certificate signing

Supported key types
  1. RSA (default)
  2. ED25519 (recommended for performance)
Environment variable configuration
SIGNING_KEY_TYPE (possible values: RSA or ED25519)

Key pair configuration for DIVOC certificate

Environment variables
The expected values for these configurations change depending on the type of key in use:
RSA -
  • Private key format: 2048 bit, PEM
  • Public key format: PEM
ED25519 -

Reference steps for key generation

RSA key generation using openssl
openssl genrsa -out privatekey.pem 2048
openssl rsa -in privatekey.pem -out publickey.pem -pubout -outform PEM
ED25519 key generation
Use an external library such as ed25519-verification-key-2018 to generate a key pair in the required format.

Key pair configuration for EU certificate

Generation of key pair for signing an EU certificate:
  • Copy the certificate generation script file gen-dsc.sh and put it in the desired location.
  • Copy the certificate configuration file cert.conf and put it in the same folder where the certificate generation script was copied to.
  • Open the cert.conf file and edit it according to your requirement.
C - Country name (2 letter code)
The two-letter country code where your company is legally located.
ST - State or province name (full name)
The state/province where your company is legally located.
L - Locality name (for example, city)
The city where your company is legally located.
O - Organisation name (for example, company)
The legally registered name of your company (for example, YourCompany, Inc.).
OU - Organisational unit name (for example, section)
The name of your department within the organisation. (You can leave this option blank; simply press *Enter*.)
CN - Common name (for example, server FQDN)
The fully-qualified domain name (FQDN) of the server (for example, www.example.com).
  • Run the gen-dsc.sh file to generate the key pair for signing the EU certificate.
  • For generation of RSA key pair: ./gen-dsc.sh RSA CSR
  • For generation of ECDSA key pair: ./gen-dsc.sh ECDSA CSR
  • The script will generate the following 3 files:
  1. Private key filename - DSC01privkey.key
  2. CSR filename - DSC01csr.pem
  3. Certificate filename - DSC01cert.pem
  • Public key format: PEM
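The key-generation steps from both sections above (RSA or ED25519 for the DIVOC certificate, RSA or ECDSA plus a CSR for the EU certificate), worked through with openssl as an added example that is not the project's gen-dsc.sh or any other DIVOC code. It assumes openssl 1.1.1 or newer on PATH; the output file names, the P-256 curve used for ECDSA and the subject values in the CSR are choices made here, not settings taken from the project. Besides generating the files it checks that the stored public key really belongs to the private key, that an RSA key meets the 2048-bit requirement, and that the private key is in the PKCS8 envelope that EU_CERTIFICATE_PRIVATE_KEY expects.

```shell
#!/bin/sh
# Added example (not part of the DIVOC project): generate the signing material
# described on this page with openssl and check it before configuring it.
# Assumptions: openssl 1.1.1 or newer on PATH; the file names, the P-256 curve
# for ECDSA and the CSR subject values are chosen here, not taken from the project.
set -eu

# gen_keypair TYPE OUTDIR
# TYPE mirrors SIGNING_KEY_TYPE / gen-dsc.sh: RSA, ED25519 or ECDSA.
# Writes privatekey.pem, publickey.pem (PEM, as the page requires) and
# privatekey.pkcs8.pem (the PKCS8 form expected by EU_CERTIFICATE_PRIVATE_KEY).
gen_keypair() {
  ktype="$1"
  outdir="$2"
  mkdir -p "$outdir"
  case "$ktype" in
    RSA)     openssl genrsa -out "$outdir/privatekey.pem" 2048 2>/dev/null ;;
    ED25519) openssl genpkey -algorithm ED25519 -out "$outdir/privatekey.pem" ;;
    ECDSA)   openssl ecparam -name prime256v1 -genkey -noout -out "$outdir/privatekey.pem" ;;
    *)       echo "unsupported key type: $ktype" >&2; return 1 ;;
  esac
  # SubjectPublicKeyInfo PEM; 'openssl pkey' handles every key type, unlike 'openssl rsa'
  openssl pkey -in "$outdir/privatekey.pem" -pubout -out "$outdir/publickey.pem"
  # Unencrypted PKCS8 (BEGIN PRIVATE KEY) rather than the type-specific legacy envelope
  openssl pkcs8 -topk8 -nocrypt -in "$outdir/privatekey.pem" -out "$outdir/privatekey.pkcs8.pem"
}

# gen_csr PRIVKEY OUTFILE SUBJECT
# SUBJECT carries the same C/ST/L/O/OU/CN fields as cert.conf, in openssl -subj form.
gen_csr() {
  openssl req -new -key "$1" -out "$2" -subj "$3"
}

# check_pair PRIVKEY PUBKEY -> exit 0 only if PUBKEY is the public half of PRIVKEY
check_pair() {
  derived=$(openssl pkey -in "$1" -pubout)
  stored=$(cat "$2")
  [ "$derived" = "$stored" ]
}

# rsa_bits PRIVKEY -> prints the modulus size, to confirm the 2048-bit requirement
rsa_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null | grep -o '[0-9][0-9]* bit' | head -n 1 | cut -d' ' -f1
}

# is_pkcs8 FILE -> exit 0 if the file uses the generic PKCS8 PEM envelope
is_pkcs8() {
  head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# Stand-alone demo: sh keygen.sh run
if [ "${1:-}" = "run" ]; then
  for t in RSA ED25519 ECDSA; do
    gen_keypair "$t" "out/$t"
    check_pair "out/$t/privatekey.pem" "out/$t/publickey.pem" && echo "$t: key pair consistent"
  done
  # constructed subject values for the CSR that is handed to the CA
  gen_csr out/ECDSA/privatekey.pem out/ECDSA/DSC01csr.pem \
    "/C=IN/ST=Karnataka/L=Bengaluru/O=ExampleOrg/OU=Health/CN=dsc.example.com"
  openssl req -in out/ECDSA/DSC01csr.pem -noout -verify -subject
fi
```

Run it with `sh keygen.sh run`; out/ECDSA/privatekey.pkcs8.pem is the form to place in EU_CERTIFICATE_PRIVATE_KEY, and is_pkcs8 catches the common mistake of pasting a legacy `BEGIN RSA PRIVATE KEY` or `BEGIN EC PRIVATE KEY` file where PKCS8 is required.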

Configuring EU certificate retrieval from the certificate-API service

  1. Generate the key pair required for signing the EU certificate and share the CSR file with the CA for signing.
  2. In the divoc-config configMap, set the following environment variables:
  • EU_CERTIFICATE_PRIVATE_KEY - Private key for signing the EU payload (in PKCS8 format).
  • EU_CERTIFICATE_PUBLIC_KEY - The certificate provided by the CA after signing the CSR.
  • EU_CERTIFICATE_EXPIRY - Expiry of the certificate in months (for example, 12).
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.