Skip to main content

Creating public/private key pairs

This page explains how to generate public/private key pairs using OpenSSL command-line tools.

Device authentication

Omnicore uses public key (or asymmetric) authentication:

The device uses a private key to sign a JSON Web Token (JWT). The token is passed to Omnicore as proof of the device's identity. The service uses the device public key (uploaded before the JWT is sent) to verify the device's identity.

Omnicore supports the RSA and Elliptic Curve algorithms. For details on key formats, see Public key format.

Generating Keys

AlgorithmLink
RSARSA
ECEC

Converting keys to PKCS8 for Java

In Java, you need to convert private keys to the PKCS8 format. To convert RSA and Elliptic Curve keys from PEM format to PKCS8 format, run the following commands:

RSA

""
openssl req -x509 -new -key ec_private.pem -out ec_cert.pem -subj "/CN=unused"

Elliptic Curve

""
openssl pkcs8 -topk8 -inform PEM -outform DER -in ec_private.pem \
-nocrypt > ec_private_pkcs8

Managing keys

Be sure to review the device security recommendations and consider implementing key rotation.

You can also use optional registry-level certificates to verify key credentials.