Generate software-based private key

The TrustEdge certificate tool generates software-based private keys that you can use to create Certificate Signing Requests (CSRs) and to secure communications. In this workflow, you will learn how to generate an RSA, ECC, or ML-DSA (post-quantum) private key, specify the output file, and, if needed, protect the key with a password.

Before you begin

Make sure the following are in place:

TrustEdge must be installed on a supported device.

The user running TrustEdge CLI commands must be a member of the trustedge group.

  • Use groups "$(whoami)" to see group membership.
  • Use sudo adduser "$(whoami)" trustedge to add your user to the trustedge group. The new group membership takes effect only in a new login session, so log out and back in (or start a new shell with newgrp trustedge) before running TrustEdge commands.
You understand the TrustEdge keystore directory and its permissions.

Step 1: Choose the algorithm and key parameters

Before generating the key, decide on the key type (--algorithm <key_type>) and its parameters: the key size (--size <size>) for RSA, the curve (--curve <curve>) for ECC, or the parameter set (--pq-alg <alg>) for ML-DSA.

Generate an RSA key:

trustedge certificate --algorithm RSA --size 2048 --output-file RSA_2048.pem

Generate an ECC key:

trustedge certificate --algorithm ECC --curve P256 --output-file ECC_P256.pem

Generate an ML-DSA key (post-quantum cryptography):

trustedge certificate --algorithm QS --pq-alg MLDSA_65 --output-file MLDSA_65.pem

(Optional) Step 2: Generate the public key

If you also want the corresponding public key, add the --output-pub-file option to the same command to specify the output file for the public key.

For RSA keys:

trustedge certificate --algorithm RSA --size 2048 --output-file RSA_2048.pem --output-pub-file RSA_2048_PUB.pem

For ECC keys:

trustedge certificate --algorithm ECC --curve P256 --output-file ECC_P256_PRIV.pem --output-pub-file ECC_P256_PUB.pem

Step 3: Verify the key creation

After generating the key, you can verify file creation by listing the contents of the directory:

ls -l /etc/digicert/keystore/keys/

This command displays the files in the keystore/keys/ directory, including the newly created private key and, if you generated one, the public key. While you are there, confirm that the private-key file has the owner, group, and mode you expect: a software-based private key is only as safe as the file permissions that protect it.
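The listing above tells you the files exist, but not whether they are what you asked for or whether they are safe to leave on disk. The following script is an added example (not TrustEdge code and not a command from this documentation) that an operator could run after the steps above. It checks that each output file carries a private-key or public-key PEM header and that no private key in the keystore has world permission bits set. The keystore path default, the "no world access" policy, and the placeholder files built by make_pem are assumptions made here so the script runs without a TrustEdge installation; pem_kind only reads the PEM header, so it works the same on real keys.

```shell
#!/bin/sh
# Added example for this workflow; not TrustEdge code and not the TrustEdge
# documentation's own commands. It checks the files a key-generation run leaves
# behind the way an operator would after "Verify the key creation":
#   1. the file exists and is a regular file
#   2. its PEM header identifies a private key (or a public key)
#   3. a private key has no "other" (world) permission bits set
# Assumptions (not TrustEdge behaviour): the keystore path below, and the policy
# that a private key must never be world-accessible.

KEYSTORE="${KEYSTORE:-/etc/digicert/keystore/keys}"

# pem_kind FILE: prints "private", "public" or "unknown" from the PEM header.
pem_kind() {
    header=$(head -n 1 "$1" 2>/dev/null)
    case "$header" in
        "-----BEGIN PRIVATE KEY-----" | "-----BEGIN ENCRYPTED PRIVATE KEY-----" | \
        "-----BEGIN RSA PRIVATE KEY-----" | "-----BEGIN EC PRIVATE KEY-----")
            echo private ;;
        "-----BEGIN PUBLIC KEY-----" | "-----BEGIN RSA PUBLIC KEY-----")
            echo public ;;
        *)
            echo unknown ;;
    esac
}

# world_bits FILE: prints the "other" permission digit (0-7) of FILE.
world_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s' "$mode" | tail -c 1
}

# check_private_key FILE: returns 0 and prints "ok" when FILE is a private-key
# PEM with no world access; otherwise prints the reason and returns 1, 2 or 3.
check_private_key() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ "$(pem_kind "$1")" = private ] || { echo "not a private-key PEM: $1"; return 2; }
    [ "$(world_bits "$1")" = 0 ] || { echo "world-accessible private key: $1"; return 3; }
    echo "ok: $1"
}

# check_public_key FILE: returns 0 when FILE is a public-key PEM.
check_public_key() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ "$(pem_kind "$1")" = public ] || { echo "not a public-key PEM: $1"; return 2; }
    echo "ok: $1"
}

# audit_keystore [DIR]: runs check_private_key over every private-key PEM in DIR
# (default: $KEYSTORE) and returns the number of files that failed; 0 is clean.
audit_keystore() {
    ks="${1:-$KEYSTORE}"
    bad=0
    for f in "$ks"/*.pem; do
        [ -e "$f" ] || continue                          # no .pem files at all
        [ "$(pem_kind "$f")" = private ] || continue    # public keys may be readable
        check_private_key "$f" || bad=$((bad + 1))
    done
    return "$bad"
}

# make_pem FILE LABEL: writes a constructed, PEM-shaped placeholder (not a real
# key) so the checks above can be exercised without a TrustEdge installation.
make_pem() {
    printf '%s\n' "-----BEGIN $2-----" \
        "Q09OU1RSVUNURUQgUExBQ0VIT0xERVIsIE5PVCBLRVkgTUFURVJJQUw=" \
        "-----END $2-----" > "$1"
}

# demo: builds a throwaway keystore using the file names from this workflow and
# audits it. RSA_2048.pem (mode 600) passes, ECC_P256_PUB.pem is skipped as a
# public key, and leaky.pem (mode 644) is reported as world-accessible.
demo() {
    dir=$(mktemp -d)
    make_pem "$dir/RSA_2048.pem"     "PRIVATE KEY";    chmod 600 "$dir/RSA_2048.pem"
    make_pem "$dir/ECC_P256_PUB.pem" "PUBLIC KEY";     chmod 644 "$dir/ECC_P256_PUB.pem"
    make_pem "$dir/leaky.pem"        "EC PRIVATE KEY"; chmod 644 "$dir/leaky.pem"
    audit_keystore "$dir" || echo "$? private key file(s) need attention in $dir"
    check_public_key "$dir/ECC_P256_PUB.pem"
    rm -rf "$dir"
}

demo
```

To audit the real keystore instead of the demo directory, source the script and call audit_keystore with no argument (or with an explicit path); a nonzero return is the count of private keys that failed, which makes it easy to wire into a post-provisioning check. The public-key header check also catches the common mistake of pointing --output-file and --output-pub-file at the same path.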

What’s next?

After generating a private key, you can use it to create and sign a Certificate Signing Request (CSR).