
Generate a software-based private key

The TrustEdge certificate tool allows you to generate software-based private keys that can be used to create Certificate Signing Requests (CSRs) and to secure communications. In this workflow, you will learn how to generate an RSA or ECC private key, specify the output format, and, if needed, protect the key with a password.

Step 1: Choose the algorithm and key parameters

Before generating the key, decide on the key type (--algorithm <key_type>) and its parameters: the key size (--size <size>) for RSA, or the curve (--curve <curve>) for ECC.

  1. For RSA keys: You will need to specify the key size.

    trustedge certificate --algorithm RSA --size 2048 --output-file RSA_2048.pem
    
  2. For ECC keys: You need to specify the curve type.

    trustedge certificate --algorithm ECC --curve P256 --output-file ECC_P256.pem
    

Step 2 (optional): Generate the public key

If you also want to generate the corresponding public key, you can use the --output-pub-file option to specify the output file for the public key.

  1. For RSA keys:

    trustedge certificate --algorithm RSA --size 2048 --output-file RSA_2048.pem --output-pub-file RSA_2048_PUB.pem
    
  2. For ECC keys:

    trustedge certificate --algorithm ECC --curve P256 --output-file ECC_P256_PRIV.pem --output-pub-file ECC_P256_PUB.pem
    

Step 3 (optional): Protect the private key with a password

You can enhance the security of your private key by protecting it with a password using the --protect option. After running the command, you will be prompted to enter a password to protect the private key.

  1. For RSA keys:

    trustedge certificate --algorithm RSA --size 2048 --protect --output-file RSA_PW_2048.pem
    
  2. For ECC keys:

    trustedge certificate --algorithm ECC --curve P256 --protect --output-file ECC_P256_PW.pem
    

Step 4: Verify the key creation

After generating the key, you can verify that the file was created by listing the contents of the directory:

ls -l /etc/digicert/keystore/keys/

This command displays the files in the keystore/keys/ directory, including the newly created private key and, if one was generated, the public key.
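As a follow-up check for Steps 3 and 4 (an added example, not part of the TrustEdge documentation): a small POSIX shell script that classifies a generated key file by its PEM header, confirms that a key created with --protect is actually encrypted, and confirms that the file is not readable by other users. It assumes TrustEdge writes standard PEM framing (PKCS#8 or traditional OpenSSL headers); the sample files it creates are constructed with fake bodies, not real keys.

```shell
#!/bin/sh
# Added example, not TrustEdge code. Assumes standard PEM framing for the
# key files written by "trustedge certificate" (an assumption; adjust the
# header strings if the tool's output differs).

# Print one of: rsa, ec, pkcs8, pkcs8-encrypted, legacy-encrypted, unknown, missing
key_kind() {
  _f="$1"
  [ -f "$_f" ] || { echo "missing"; return 1; }
  _first=$(head -n 1 "$_f")
  case "$_first" in
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
    "-----BEGIN PRIVATE KEY-----") echo "pkcs8" ;;
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
      # Traditional formats mark password protection with a Proc-Type line.
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$_f"; then
        echo "legacy-encrypted"
      else
        case "$_first" in *RSA*) echo "rsa" ;; *) echo "ec" ;; esac
      fi ;;
    *) echo "unknown" ;;
  esac
}

# Succeed only when the key is password-protected (what --protect should give you).
key_is_protected() {
  case "$(key_kind "$1")" in
    pkcs8-encrypted|legacy-encrypted) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed only when the file is readable by its owner alone (mode 0600 or 0400).
key_perms_ok() {
  _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case "$_mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files (fake bodies, not real keys) for trying the checks.
make_samples() {
  _d=$(mktemp -d)
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIFAKEBODY...' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$_d/RSA_PW_2048.pem"
  printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'MHcFAKEBODY...' \
    '-----END EC PRIVATE KEY-----' > "$_d/ECC_P256.pem"
  chmod 600 "$_d/RSA_PW_2048.pem"
  chmod 644 "$_d/ECC_P256.pem"   # deliberately too permissive
  echo "$_d"
}
```

Run the checks against a real keystore with `key_is_protected /etc/digicert/keystore/keys/RSA_PW_2048.pem && key_perms_ok /etc/digicert/keystore/keys/RSA_PW_2048.pem`.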

Tip

After generating a private key, you can use it to sign a Certificate Signing Request (CSR). See Create a Signed Certificate Signing Request (CSR).