Generate a Public and Private Key Pair 🔑
You can generate keys and certificates in different ways depending on your environment. Below are three standard approaches: RSA, EC (Elliptic Curve), and Java keytool (for Java-specific setups). Each requires you to replace parameters with your own values.
[!NOTE|style:flat] Cactus Custody strongly recommends that all public and private keys be generated on the server side and securely assigned to users, in order to ensure the highest level of security.
RSA Standard
```bash
# Generate RSA private key + self-signed certificate (4096-bit, 365 days)
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout <PRIVATE_KEY_FILENAME>.key \
  -out <CERT_FILENAME>.crt \
  -subj "/C=<COUNTRY>/ST=<STATE>/L=<CITY>/O=<ORG>/OU=<DEPT>/CN=<DOMAIN>"

# Export into a PKCS#12 keystore
openssl pkcs12 -export \
  -inkey <PRIVATE_KEY_FILENAME>.key \
  -in <CERT_FILENAME>.crt \
  -out <KEYSTORE_FILENAME>.p12 \
  -name <ALIAS>

# Extract the public key in PEM format
openssl x509 -in <CERT_FILENAME>.crt -pubkey -noout > <CERT_FILENAME>.pub.pem
```
Params to change:

- `<PRIVATE_KEY_FILENAME>` → e.g. `server`
- `<CERT_FILENAME>` → e.g. `server`
- `<KEYSTORE_FILENAME>` → e.g. `keystore`
- `<ALIAS>` → keystore alias, e.g. `mykey_rsa`
- `/C=SG/ST=Singapore/L=Singapore/O=Example Inc/OU=IT/CN=example.com` → example input values for the org/domain details

Tip: The country code in `/C=…` must be exactly 2 letters, not 1 and not more than 2.
EC (Elliptic Curve) Standard
```bash
# Generate EC private key (P-256 curve)
openssl ecparam -name prime256v1 -genkey -noout -out <PRIVATE_KEY_FILENAME>.key

# Generate a certificate signing request (CSR)
openssl req -new -key <PRIVATE_KEY_FILENAME>.key -out <CSR_FILENAME>.csr \
  -subj "/C=<COUNTRY>/ST=<STATE>/L=<CITY>/O=<ORG>/OU=<DEPT>/CN=<DOMAIN>"

# Generate a self-signed certificate (365 days)
openssl x509 -req -in <CSR_FILENAME>.csr -signkey <PRIVATE_KEY_FILENAME>.key \
  -out <CERT_FILENAME>.crt -days 365

# Export into a PKCS#12 keystore
openssl pkcs12 -export \
  -inkey <PRIVATE_KEY_FILENAME>.key \
  -in <CERT_FILENAME>.crt \
  -out <KEYSTORE_FILENAME>.p12 \
  -name <ALIAS>

# Extract the public key in PEM format
openssl x509 -in <CERT_FILENAME>.crt -pubkey -noout > <CERT_FILENAME>.pub.pem
```
Params to change:

- `<PRIVATE_KEY_FILENAME>` → e.g. `server_ec`
- `<CSR_FILENAME>` → e.g. `server_ec`
- `<CERT_FILENAME>` → e.g. `server_ec`
- `<KEYSTORE_FILENAME>` → e.g. `keystore_ec`
- `<ALIAS>` → keystore alias, e.g. `mykey_ec`
- `/C=SG/ST=Singapore/L=Singapore/O=Example Inc/OU=IT/CN=example.com` → example input values for the org/domain details

Tip: The country code in `/C=…` must be exactly 2 letters, not 1 and not more than 2.
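The EC procedure above, scripted end to end as an added example (not the page's own commands): it enforces the two-letter country code the tip describes, writes every artifact under a restrictive umask, and confirms that the public key extracted from the certificate matches the one derived from the private key before the files are handed out. The output directory, base name, subject fields and the PKCS#12 password argument are assumptions chosen for the example.

```bash
#!/bin/sh
# Added example: drives the EC key/CSR/cert/PKCS#12 steps with variables
# and verifies the result. Requires the openssl CLI.

# Returns 0 only when the argument is exactly two ASCII letters,
# which is the /C= rule the tips on this page call out.
valid_country_code() {
  case "$1" in
    [A-Za-z][A-Za-z]) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: generate_ec_keypair DIR BASENAME COUNTRY ORG DOMAIN [P12_PASSWORD]
# Creates DIR/BASENAME.key, .csr, .crt, .p12 and .pub.pem (same layout as
# the page's commands). Runs in a subshell so the umask change and the
# variables do not leak into the caller. Returns 0 only if the public key
# inside the certificate equals the one derived from the private key.
generate_ec_keypair() (
  dir=$1; base=$2; country=$3; org=$4; domain=$5; p12_pass=${6:-changeit}
  valid_country_code "$country" || { echo "country code must be 2 letters: $country" >&2; return 1; }
  # State/locality values are constructed placeholders for this example.
  subj="/C=$country/ST=Singapore/L=Singapore/O=$org/OU=IT/CN=$domain"
  key="$dir/$base.key"; csr="$dir/$base.csr"; crt="$dir/$base.crt"
  umask 077   # the private key is written unencrypted, so keep it owner-only
  openssl ecparam -name prime256v1 -genkey -noout -out "$key"
  openssl req -new -key "$key" -out "$csr" -subj "$subj"
  openssl x509 -req -in "$csr" -signkey "$key" -out "$crt" -days 365 2>/dev/null
  openssl pkcs12 -export -inkey "$key" -in "$crt" -out "$dir/$base.p12" \
    -name "mykey_ec" -passout "pass:$p12_pass"
  openssl x509 -in "$crt" -pubkey -noout > "$dir/$base.pub.pem"
  # Cross-check: the public key derived from the private key must be
  # byte-for-byte identical to the one extracted from the certificate.
  openssl pkey -in "$key" -pubout | cmp -s - "$dir/$base.pub.pem"
)

# Example run: generate_ec_keypair ./out server_ec SG "Example Inc" example.com
```

As with the page's commands, the private key file itself is not passphrase-protected; only the PKCS#12 keystore is.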
Java Keytool Standard (Java Environment Only)
```bash
# Generate a keystore containing a new private key
keytool -genkey -v \
  -alias <YOUR_ALIAS> \
  -keyalg EC \
  -sigalg SHA256withECDSA \
  -deststoretype pkcs12 \
  -keystore <FILE_NAME>.jks \
  -dname "C=<COUNTRY>,ST=<STATE>,L=<CITY>,O=<ORG>,OU=<DEPT>,CN=<DOMAIN>" \
  -validity 365 \
  -storepass <STOREPASS_PASSWORD> \
  -keypass <KEYPASS_PASSWORD>

# Export the certificate (PEM-encoded, via -rfc)
keytool -export -alias <YOUR_ALIAS> -keystore <FILE_NAME>.jks \
  -storepass <STOREPASS_PASSWORD> -rfc -file <FILE_NAME>.cer

# Extract the public key in PEM format
openssl x509 -in <FILE_NAME>.cer -pubkey -noout > <FILE_NAME>.pub.pem
```
Params to change:

- `<YOUR_ALIAS>` → keystore alias, e.g. `myapikey`
- `<FILE_NAME>` → base filename (without extension)
- `<STOREPASS_PASSWORD>` → password protecting the entire keystore file (ASCII characters only)
- `<KEYPASS_PASSWORD>` → password for accessing the individual private key inside the keystore (ASCII characters only)
- `C=SG,ST=Singapore,L=Singapore,O=Example Inc,OU=IT,CN=example.com` → example input values for the org/domain details

Tip: The country code in `C=…` must be exactly 2 letters, not 1 and not more than 2.