Generating Signed Key Pairs
Supported key types
1. RSA (default)
2. ED25519 (recommended for performance)
Environment variable configuration
The key type is selected with SIGNING_KEY_TYPE (possible values: RSA or ED25519). The key material itself is supplied through two further environment variables, CERTIFICATE_SIGNER_PRIVATE_KEY and CERTIFICATE_SIGNER_PUBLIC_KEY.
The expected values for these two variables depend on the key type in use:
RSA:
- Private key format: 2048-bit, PEM
- Public key format: PEM
ED25519:
Key | Format | Type | Encoding |
---|---|---|---|
Private | DER | PKCS#8 | Base58 |
Public | DER | SPKI | Base58 |
RSA key generation using openssl
openssl genrsa -out privatekey.pem 2048
openssl rsa -in privatekey.pem -out publickey.pem -pubout -outform PEM
ED25519
Use an external library such as ed25519-verification-key-2018 to generate a key-pair in the required format.
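The ED25519 format the table above calls for, as an added Go example that is not part of DIVOC or of the ed25519-verification-key-2018 library: it generates a key pair with the standard library, DER-encodes the private key as PKCS#8 and the public key as SPKI, Base58-encodes both, then decodes them again and runs a sign/verify round trip so that a mis-encoded value is caught before it is placed in the environment. The Bitcoin-style Base58 alphabet is an assumption (it is the one common Base58 libraries use); the function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Bitcoin-style Base58 alphabet (assumption: the signer decodes with the same one).
const base58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// base58Encode encodes raw bytes; each leading zero byte becomes a leading '1'.
func base58Encode(b []byte) string {
	zeros := 0
	for zeros < len(b) && b[zeros] == 0 {
		zeros++
	}
	n := new(big.Int).SetBytes(b)
	radix, mod := big.NewInt(58), new(big.Int)
	var out []byte
	for n.Sign() > 0 { // repeated division yields digits least-significant first
		n.DivMod(n, radix, mod)
		out = append(out, base58Alphabet[mod.Int64()])
	}
	for i := 0; i < zeros; i++ {
		out = append(out, '1')
	}
	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
		out[i], out[j] = out[j], out[i]
	}
	return string(out)
}

// base58Decode is the inverse and rejects characters outside the alphabet.
func base58Decode(s string) ([]byte, error) {
	n, radix := new(big.Int), big.NewInt(58)
	for _, c := range s {
		idx := strings.IndexRune(base58Alphabet, c)
		if idx < 0 {
			return nil, fmt.Errorf("invalid Base58 character %q", c)
		}
		n.Mul(n, radix)
		n.Add(n, big.NewInt(int64(idx)))
	}
	zeros := 0
	for zeros < len(s) && s[zeros] == '1' {
		zeros++
	}
	return append(make([]byte, zeros), n.Bytes()...), nil
}

// GenerateSigningKeys returns the values CERTIFICATE_SIGNER_PRIVATE_KEY and
// CERTIFICATE_SIGNER_PUBLIC_KEY expect for SIGNING_KEY_TYPE=ED25519:
// Base58(PKCS#8 DER) and Base58(SPKI DER).
func GenerateSigningKeys() (privB58, pubB58 string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", "", err
	}
	return base58Encode(privDER), base58Encode(pubDER), nil
}

// RoundTrip decodes both values the way a signer would and checks that a
// signature made with the private key verifies under the public key.
func RoundTrip(privB58, pubB58 string, msg []byte) (bool, error) {
	privDER, err := base58Decode(privB58)
	if err != nil {
		return false, err
	}
	k, err := x509.ParsePKCS8PrivateKey(privDER)
	if err != nil {
		return false, err
	}
	priv, ok := k.(ed25519.PrivateKey)
	if !ok {
		return false, errors.New("private key is not ED25519")
	}
	pubDER, err := base58Decode(pubB58)
	if err != nil {
		return false, err
	}
	p, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return false, err
	}
	pub, ok := p.(ed25519.PublicKey)
	if !ok {
		return false, errors.New("public key is not ED25519")
	}
	return ed25519.Verify(pub, msg, ed25519.Sign(priv, msg)), nil
}

func main() {
	priv, pub, err := GenerateSigningKeys()
	if err != nil {
		panic(err)
	}
	fmt.Println("CERTIFICATE_SIGNER_PRIVATE_KEY=" + priv)
	fmt.Println("CERTIFICATE_SIGNER_PUBLIC_KEY=" + pub)
	ok, err := RoundTrip(priv, pub, []byte("constructed test payload"))
	fmt.Println("round trip ok:", ok, err)
}
```

Run the round trip on the exact strings you intend to deploy: it is the cheapest way to detect a key that was Base64- rather than Base58-encoded, or a raw 32-byte seed that was encoded without its PKCS#8 wrapper.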
Generation of the key pair for signing an EU certificate:
- Copy the certificate configuration file cert.conf into the same folder as the certificate generation script (gen-dsc.sh).
- Open cert.conf and edit the following fields as required:
Field | Description
---|---
C - Country name (2-letter code) | The two-letter country code where your company is legally located.
ST - State or province name (full name) | The state/province where your company is legally located.
L - Locality name (for example, city) | The city where your company is legally located.
O - Organisation name (for example, company) | The legally registered name of your company (for example, YourCompany, Inc.).
OU - Organisational unit name (for example, section) | The name of your department within the organisation. (This field may be left blank.)
CN - Common name (for example, server FQDN) |
- To generate an RSA key pair:
./gen-dsc.sh RSA CSR
- To generate an ECDSA key pair:
./gen-dsc.sh ECDSA CSR
- The script generates the following three files, all PEM-encoded:
1. Private key: DSC01privkey.key
2. CSR: DSC01csr.pem
3. Certificate: DSC01cert.pem
1. Generate the key pair required for signing the EU certificate and share the CSR file with the CA for signing.
2. In the divoc-config configMap, set the following environment variables:
- EU_CERTIFICATE_PRIVATE_KEY - Private key for signing the EU payload, in PKCS#8 format (a PEM block that begins with "BEGIN PRIVATE KEY"; a key in the traditional "BEGIN RSA PRIVATE KEY" or "BEGIN EC PRIVATE KEY" form must be converted to PKCS#8 first, for example with openssl pkcs8 -topk8 -nocrypt).
- EU_CERTIFICATE_PUBLIC_KEY - The certificate returned by the CA after signing the CSR.
- EU_CERTIFICATE_EXPIRY - Expiry of the certificate in months (for example, 12).
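The procedure above (key pair, CSR, PKCS#8 private key) assembled as an added Go example; it is not the gen-dsc.sh script, whose internals this page does not show. It takes the same key-type argument as the script (RSA or ECDSA), builds the subject from the cert.conf fields, emits the private key as a PKCS#8 PEM block (the form EU_CERTIFICATE_PRIVATE_KEY expects) and a PEM CSR, and then checks the CSR's self-signature and that its public key matches the private key before the CSR goes to the CA. Assumptions: ECDSA means P-256 with SHA-256 (the page does not name the curve the script uses), RSA means 2048-bit, and the subject values in main are constructed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// CertConf mirrors the fields edited in cert.conf.
type CertConf struct {
	C, ST, L, O, OU, CN string
}

// GenerateDSC returns the private key as a PKCS#8 PEM block and a PEM CSR.
// keyType is "RSA" (2048-bit) or "ECDSA" (assumption: P-256 with SHA-256).
func GenerateDSC(keyType string, conf CertConf) (privPEM, csrPEM []byte, err error) {
	var key crypto.Signer
	var sigAlg x509.SignatureAlgorithm
	switch keyType {
	case "RSA":
		key, err = rsa.GenerateKey(rand.Reader, 2048)
		sigAlg = x509.SHA256WithRSA
	case "ECDSA":
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		sigAlg = x509.ECDSAWithSHA256
	default:
		return nil, nil, fmt.Errorf("unsupported key type %q (use RSA or ECDSA)", keyType)
	}
	if err != nil {
		return nil, nil, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(key) // PKCS#8, not the "traditional" PKCS#1/SEC1 form
	if err != nil {
		return nil, nil, err
	}
	privPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER})

	subject := pkix.Name{
		Country: []string{conf.C}, Province: []string{conf.ST}, Locality: []string{conf.L},
		Organization: []string{conf.O}, CommonName: conf.CN,
	}
	if conf.OU != "" { // OU may be left blank, as the cert.conf table allows
		subject.OrganizationalUnit = []string{conf.OU}
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: subject, SignatureAlgorithm: sigAlg}, key)
	if err != nil {
		return nil, nil, err
	}
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	return privPEM, csrPEM, nil
}

// CheckCSR verifies the CSR's self-signature and that the CSR's public key
// belongs to the PKCS#8 private key; it returns the subject that the CA will see.
func CheckCSR(privPEM, csrPEM []byte) (pkix.Name, error) {
	var none pkix.Name
	pb, _ := pem.Decode(privPEM)
	if pb == nil || pb.Type != "PRIVATE KEY" {
		return none, errors.New("private key must be a PKCS#8 PEM block (\"PRIVATE KEY\")")
	}
	k, err := x509.ParsePKCS8PrivateKey(pb.Bytes)
	if err != nil {
		return none, err
	}
	signer, ok := k.(crypto.Signer)
	if !ok {
		return none, errors.New("unsupported private key type")
	}
	cb, _ := pem.Decode(csrPEM)
	if cb == nil || cb.Type != "CERTIFICATE REQUEST" {
		return none, errors.New("CSR must be a PEM \"CERTIFICATE REQUEST\" block")
	}
	csr, err := x509.ParseCertificateRequest(cb.Bytes)
	if err != nil {
		return none, err
	}
	if err := csr.CheckSignature(); err != nil {
		return none, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(signer.Public()) {
		return none, errors.New("CSR public key does not match the private key")
	}
	return csr.Subject, nil
}

func main() {
	// Constructed subject values standing in for an edited cert.conf.
	conf := CertConf{C: "IN", ST: "Karnataka", L: "Bengaluru", O: "Example Health Authority", CN: "DSC01"}
	privPEM, csrPEM, err := GenerateDSC("ECDSA", conf)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	subject, err := CheckCSR(privPEM, csrPEM)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("CSR subject: %s\n", subject)
	os.Stdout.Write(privPEM) // contents for DSC01privkey.key / EU_CERTIFICATE_PRIVATE_KEY
	os.Stdout.Write(csrPEM)  // contents for DSC01csr.pem, to be sent to the CA
}
```

Running CheckCSR against the files you are about to submit catches the two mistakes that otherwise surface only after the CA has issued a certificate: a CSR generated from a different key than the one placed in the configMap, and a private key stored in the traditional OpenSSL form rather than PKCS#8.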
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
