Generating a Public and Private Key Pair

You can use a self-signed public-private key pair or a key pair signed by a certificate authority.

To generate a public and private key pair:

  1. Generate the self-signed key pair.
  2. Export the public key for verifying the JWT signature.
  3. Convert the keystore to P12 format.
  4. Export the private key from the P12 keystore.

Generating the Self-Signed Key Pair

Create the initial public and private key using Java’s keytool utility.

The variables in this example must be replaced with the following information:

  • <your_alias>: The unique alias you want to use for the key pair.
  • <keystore_file>: The name you want to give your keystore file.
  • <password>: The password you want to use for the keystore.

Here is an example for how to generate the key pair:

keytool -genkey -keyalg RSA -alias <your_alias> -keystore <keystore_file> -storepass <password> -validity 365 -keysize 2048
 
##example
keytool -genkey -keyalg RSA -alias assert -keystore sampleKeystore.jks -storepass samplePasswd -validity 365 -keysize 2048

Exporting the Public Key for Verifying the JWT Assertion

Export the public key from the keystore. You can then upload the public key into the confidential application to verify JWT signatures signed by the private key.

The variables in this example must be replaced with the following information:

  • <your_alias>: The alias you set when you generated the key pair.
  • <filename>: The name you want to give the file that contains the exported certificate. The file name should have a .cer or .crt extension.
  • <keystore_file>: The name you gave the keystore file when you generated the key pair.
  • <password>: The password you set when you generated the key pair.

Here is an example for how to export the public key:

keytool -exportcert -alias <your_alias> -file <filename> -keystore <keystore_file> -storepass <password>
 
##example
keytool -exportcert -alias assert -file assert.cer -keystore sampleKeystore.jks -storepass samplePasswd
## This should show a success message e.g. Certificate stored in file <assert.cer>

Converting the Keystore to P12 Format

A P12 format file securely stores the public and private keys. Most runtime environments that require the private key for signing a JWT are compatible with P12 format.

The variables in this example must be replaced with the following information:

  • <keystore_file>: The name you gave the keystore file when you generated the key pair.
  • <source store password>: The password for the source keystore file.
  • <source key password>: The password for the private key inside the source keystore.
  • <destination store password>: The password for the destination keystore file.
  • <destination key password>: The password for the private key inside the destination keystore.
  • <your_alias>: The alias you set when you generated the key pair.
  • <destFileName>: The name you want to give for the P12 file.

Here is an example for how to convert the keystore to P12 format:

keytool -importkeystore -srckeystore <keystore_file> -srcstorepass <source store password> -srckeypass <source key password> -srcalias <your_alias> -destalias <your_alias> -destkeystore <destFileName> -deststoretype PKCS12 -deststorepass <destination store password> -destkeypass <destination key password>
 
##example
keytool -importkeystore -srckeystore sampleKeystore.jks -srcstorepass samplePasswd -srckeypass samplePasswd -srcalias assert -destalias assert -destkeystore assert.p12 -deststoretype PKCS12 -deststorepass samplePasswd -destkeypass samplePasswd
## This should show a success message e.g. Importing keystore sampleKeystore.jks to assert.p12...

Exporting the Private Key From the P12 Keystore

Extract the private key from the P12 keystore format. This step is only needed if the runtime environment used for creating and signing the JWT requires the key to be in PEM format.

The variables in this example must be replaced with the following information:

  • <destFileName>: The name of your P12 file.
  • <pem_file>: The name you want to give the exported private key file.

Here is an example for how to export a private key from a P12 file:

openssl pkcs12 -in <destFileName> -nodes -nocerts -out <pem_file>
 
##example
openssl pkcs12 -in assert.p12 -nodes -nocerts -out private_key.pem
## This should show a success message: MAC verified OK
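The four steps above, run end to end as an added check that is not part of the original page: the script reruns the commands with the sample names (adding -dname and -keypass so keytool does not prompt), confirms that private_key.pem and assert.cer carry the same RSA modulus, then signs a constructed RS256 JWT assertion with the PEM key and verifies it against the exported certificate. The helper names are hypothetical, the claims are constructed, and the openssl fallback used when keytool is not installed is an assumption rather than the page's procedure.

```shell
# Added example: not the page's own script. Re-runs the four steps non-interactively
# (hypothetical helper names; openssl fallback when keytool is absent is an assumption).
WORK=${WORK:-$(mktemp -d)}
PW=samplePasswd
make_keys() {  # writes $WORK/assert.cer (DER, as keytool -exportcert does) and $WORK/private_key.pem
  cd "$WORK" || return 1
  if command -v keytool >/dev/null 2>&1; then
    keytool -genkey -keyalg RSA -alias assert -keystore sampleKeystore.jks -storepass "$PW" \
      -keypass "$PW" -dname CN=assert -validity 365 -keysize 2048 </dev/null >/dev/null 2>&1
    keytool -exportcert -alias assert -file assert.cer -keystore sampleKeystore.jks -storepass "$PW" >/dev/null 2>&1
    keytool -importkeystore -srckeystore sampleKeystore.jks -srcstorepass "$PW" -srckeypass "$PW" \
      -srcalias assert -destalias assert -destkeystore assert.p12 -deststoretype PKCS12 \
      -deststorepass "$PW" -destkeypass "$PW" </dev/null >/dev/null 2>&1
    openssl pkcs12 -in assert.p12 -nodes -nocerts -passin pass:"$PW" -out private_key.pem 2>/dev/null ||
      openssl pkcs12 -legacy -in assert.p12 -nodes -nocerts -passin pass:"$PW" -out private_key.pem
  else  # no JDK: produce the same two artefacts with openssl instead
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=assert -days 365 \
      -keyout private_key.pem -out assert.cer >/dev/null 2>&1
  fi
  cd - >/dev/null
}

b64url()   { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_d() { tr '_-' '/+' | awk '{ printf "%s%s", $0, substr("===", 1, (4 - length($0) % 4) % 4) }' | openssl base64 -d -A; }
cert_read() {  # keytool writes DER; also accept PEM certificates
  f=$1; shift; openssl x509 -inform DER -in "$f" "$@" 2>/dev/null || openssl x509 -in "$f" "$@"
}

key_matches_cert() {  # $1 = PEM private key, $2 = certificate: do they share one RSA modulus?
  m=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  [ -n "$m" ] && [ "$m" = "$(cert_read "$2" -noout -modulus)" ]
}

sign_jwt() {  # $1 = PEM private key, $2 = JSON claims; prints a compact RS256 JWT
  h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  p=$(printf '%s' "$2" | b64url)
  s=$(printf '%s' "$h.$p" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$h" "$p" "$s"
}

verify_jwt() {  # $1 = JWT, $2 = certificate; exit status 0 only if the signature checks out
  pub=$(mktemp) && sig=$(mktemp)
  cert_read "$2" -pubkey -noout > "$pub"
  printf '%s' "${1##*.}" | b64url_d > "$sig"
  if printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$pub" -signature "$sig" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$pub" "$sig"; return $rc
}
```

If key_matches_cert fails, the PEM key you are about to use for signing is not the one whose certificate you uploaded, and every assertion will be rejected at the token endpoint.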