Generating Public/Private Keys with a Certificate

Digital certificates and cryptographic keys are used to establish secure, authenticated communication between AI Agent Studio and OTM applications via OAuth 2.0 JSON Web Token (JWT) assertions. You need a private key, public key, and certificate.

You can use the OpenSSL command-line utility to generate the keys and the certificate as shown in the example below; however, you may use any tool that is supported within your organization.

  1. In OpenSSL, generate the private key with a certificate by running the following command:

    openssl req -newkey rsa:4096 -subj "/CN=spectra-service" -x509 -sha256 -days 365 -nodes -out "./jwt-signing.crt" -keyout "./jwt-signing.key"

    Remember: Record the certificate in the Prerequisites; you will need it later.
  2. In OpenSSL, generate the public key by running the following command:

    openssl pkey -in jwt-signing.key -pubout -out jwt-signing.pub

    Remember: Record the public key in the Prerequisites; you will need it later.
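As an added example (not part of this guide), the following POSIX shell script runs the two commands above and then checks that the private key, public key and certificate actually belong together, and that the certificate is not close to expiry, before anything is uploaded to IDCS or AI Agent Studio. The temporary working directory is an assumption; the subject, key size and validity period are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not from the guide): run the two OpenSSL steps above, then
# verify that jwt-signing.key, jwt-signing.pub and jwt-signing.crt carry the
# same public key before any of them is uploaded. The temp directory is an
# assumption; the subject, key size and validity match the guide.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

# Step 1 and step 2 of the guide, written into the directory given as $1.
generate_keypair() {
  openssl req -newkey rsa:4096 -subj "/CN=spectra-service" -x509 -sha256 \
    -days 365 -nodes -out "$1/jwt-signing.crt" -keyout "$1/jwt-signing.key" 2>/dev/null
  openssl pkey -in "$1/jwt-signing.key" -pubout -out "$1/jwt-signing.pub"
}

# SHA-256 over the DER-encoded public key held in file $1; $2 says how to read it
# (key = private key, pub = public key, cert = X.509 certificate).
pubkey_fingerprint() {
  case "$2" in key|pub|cert) ;; *) echo "unknown kind: $2" >&2; return 1 ;; esac
  { case "$2" in
      key)  openssl pkey -in "$1" -pubout -outform DER ;;
      pub)  openssl pkey -pubin -in "$1" -outform DER ;;
      cert) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac
  } | openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeeds only if the private key, public key and certificate in $1 all match.
verify_keypair() {
  k=$(pubkey_fingerprint "$1/jwt-signing.key" key)
  p=$(pubkey_fingerprint "$1/jwt-signing.pub" pub)
  c=$(pubkey_fingerprint "$1/jwt-signing.crt" cert)
  [ "$k" = "$p" ] && [ "$k" = "$c" ]
}

# Succeeds if certificate $1 is still valid $2 days from now (rotation check).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

WORKDIR=${WORKDIR:-$(mktemp -d)}
generate_keypair "$WORKDIR"
verify_keypair "$WORKDIR" || { echo "MISMATCH: do not upload these files" >&2; exit 1; }
echo "key, public key and certificate match in $WORKDIR"
cert_valid_for_days "$WORKDIR/jwt-signing.crt" 300 && echo "certificate valid for 300+ days"
```

Running the script before filling in the Prerequisites catches the common mistake of pasting a certificate from one run next to a key from another.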
The same key, jwt-signing.key, and certificate, jwt-signing.crt, can be used in multiple locations during this guide as listed below:
  • Identity Cloud Service (IDCS) of OTM confidential app
  • IDCS of Fusion confidential app
  • AI Agent Studio data source
  • OTM Agentic Trust page

However, you should follow your company’s standards.

The private key is used by both confidential apps to sign JWT assertions, and it is also entered in the private key field of the AI Agent Studio data source application.

The certificate is uploaded to Fusion’s Identity Cloud Service (IDCS) and used in the public key field of the AI Agent Studio data source application.