Creating public/private key pairs
This page explains how to generate public/private key pairs using OpenSSL command-line tools.
Device authentication
Omnicore uses public key (or asymmetric) authentication:
The device uses a private key to sign a JSON Web Token (JWT). The token is passed to Omnicore as proof of the device's identity. The service uses the device public key (uploaded before the JWT is sent) to verify the device's identity.
Omnicore supports the RSA and Elliptic Curve algorithms. For details on key formats, see Public key format.
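The sign-and-verify exchange described above, as an added example that is not part of the original page or Omnicore's own code. It assumes RS256 as the JWT algorithm, constructed claims, and throwaway key files in a temporary directory; the key-generation commands are standard OpenSSL usage, not taken from this page.

```sh
#!/bin/sh
# Added example. Assumptions: RS256, constructed claims, throwaway key files.

# base64url without padding, as JWT segments require
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Reverse of b64url: restore the standard alphabet and padding, then decode
b64url_dec() {
  _in=$(tr '_-' '/+')
  case $(( ${#_in} % 4 )) in 2) _in="$_in==" ;; 3) _in="$_in=" ;; esac
  printf '%s' "$_in" | openssl base64 -d -A
}

# Device side: sign "header.payload" with the private key
# (RS256 = RSASSA-PKCS1-v1_5 over SHA-256)
jwt_sign() { # $1 = private key PEM, $2 = claims JSON
  h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  p=$(printf '%s' "$2" | b64url)
  s=$(printf '%s' "$h.$p" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s' "$h" "$p" "$s"
}

# Service side: verify with the public key uploaded for the device.
# Returns 0 only when the signature matches; the algorithm is pinned so a
# token cannot choose how it gets verified.
jwt_verify() { # $1 = public key PEM, $2 = token
  h=${2%%.*}; rest=${2#*.}; p=${rest%%.*}; s=${rest#*.}
  [ "$(printf '%s' "$h" | b64url_dec)" = '{"alg":"RS256","typ":"JWT"}' ] || return 1
  sig=$(mktemp) || return 1
  printf '%s' "$s" | b64url_dec > "$sig"
  if printf '%s' "$h.$p" |
     openssl dgst -sha256 -verify "$1" -signature "$sig" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$sig"
  return $rc
}

# Demo: throwaway 2048-bit RSA key pair and constructed claims
dir=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/rsa_private.pem" 2>/dev/null
openssl pkey -in "$dir/rsa_private.pem" -pubout -out "$dir/rsa_public.pem"
token=$(jwt_sign "$dir/rsa_private.pem" \
    '{"aud":"example-project","iat":1700000000,"exp":1700003600}')
jwt_verify "$dir/rsa_public.pem" "$token" && echo "signature valid"
```

This covers the signature step only; a verifier also has to check the claims themselves, such as expiry.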
Generating Keys
Algorithm | Link |
---|---|
RSA | RSA |
EC | EC |
Converting keys to PKCS8 for Java
In Java, you need to convert private keys to the PKCS8 format. To convert RSA and Elliptic Curve keys from PEM format to PKCS8 format, run the following commands. The -nocrypt option writes the private key unencrypted, so restrict access to the output file.
RSA
openssl pkcs8 -topk8 -inform PEM -outform DER -in rsa_private.pem \
-nocrypt > rsa_private_pkcs8
Elliptic Curve
openssl pkcs8 -topk8 -inform PEM -outform DER -in ec_private.pem \
-nocrypt > ec_private_pkcs8
Managing keys
Be sure to review the device security recommendations and consider implementing key rotation.
You can also use optional registry-level certificates to verify key credentials.