KeyMaster.NET

Key pair generation

KeyMaster authentication depends on the user credentials token being signed using public key cryptography: the KeyMaster token generator signs the token with a private key, and the Liberator uses the corresponding public key to verify the signature and so establish that the token is authentic. Before KeyMaster can be used, a suitable public/private key pair must be generated.

The file containing the private key can be in various formats, for example PEM format or XML format. You can implement the Caplin.KeyMaster.Configuration.IKeyMasterConfiguration interface to support loading the private key from a file in the format of your choice. The API includes implementations of this interface that load the private key from a PEM file (Caplin.KeyMaster.Configuration.PEMKeyMasterConfiguration), or from an XML file (Caplin.KeyMaster.Configuration.XMLKeyMasterConfiguration).

The corresponding public key must be in DER format.

You can easily generate a private key in PEM format, with the corresponding public key in DER format, using the following OpenSSL commands. OpenSSL is open source software and is provided with KeyMaster.NET. Documentation detailing how to use the OpenSSL command line tool is available on the OpenSSL web site at http://www.openssl.org/docs.

openssl genrsa -out privatekey.pem

This command generates a 2048-bit RSA private key in PEM format.

openssl rsa -in privatekey.pem -pubout -outform DER -out publickey.der

This command generates a public key in DER format from the private key. The publickey.der file is used by the Liberator to verify the signature.

openssl rsa -in privatekey.pem -out private.pem

This command removes password protection from the key. Since KeyMaster.NET will usually be run as part of a service, it is not appropriate to ask for the password whenever access to the private key is required. The Caplin.KeyMaster.Configuration.PEMKeyMasterConfiguration class can only read PEM format private keys that are not password protected. Note that a key generated by the genrsa command above, with no encryption option, is already unprotected, so this step is only needed for a key that was created with a passphrase. Because the private key file is then readable without a password, restrict its file permissions to the account under which the KeyMaster.NET service runs.
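The three commands above as a runnable script, followed by the checks a practitioner would want before deploying the key pair: that the PEM key is not password protected, that the DER public key really belongs to the private key, and that a signed token verifies with the public key while a tampered copy is rejected. This is an added example and not part of the Caplin documentation; it assumes openssl is on the PATH, and the SHA-256/PKCS#1 signature scheme used in the round-trip is an assumption, not KeyMaster's actual token format.

```sh
#!/bin/sh
# Added example, not Caplin's code: generate the key pair with the commands above
# and check the three properties KeyMaster.NET and the Liberator rely on.
set -eu
WORKDIR=${WORKDIR:-$(mktemp -d)}

generate_keypair() {
    # Size given explicitly: the genrsa default is 2048 bits only in OpenSSL 1.1.0+.
    openssl genrsa -out "$WORKDIR/privatekey.pem" 2048 2>/dev/null
    openssl rsa -in "$WORKDIR/privatekey.pem" -pubout -outform DER \
        -out "$WORKDIR/publickey.der" 2>/dev/null
}

# 1. PEMKeyMasterConfiguration cannot read a password-protected key: both the
#    PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy ("Proc-Type: 4,ENCRYPTED")
#    encodings contain the word ENCRYPTED, so its absence means no passphrase.
private_key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# 2. The DER public key must belong to this private key: compare the moduli.
public_key_matches_private() {
    priv_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    pub_mod=$(openssl rsa -pubin -inform DER -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# 3. Sign a token with the private key and verify it with the DER public key, as
#    the Liberator does. SHA-256 with PKCS#1 v1.5 is an assumption; the page does
#    not state KeyMaster's actual token format or signature scheme.
verify_token() {  # $1 = token file, $2 = signature file
    openssl rsa -pubin -inform DER -in "$WORKDIR/publickey.der" \
        -out "$WORKDIR/publickey.pem" 2>/dev/null
    openssl dgst -sha256 -verify "$WORKDIR/publickey.pem" -signature "$2" "$1" >/dev/null 2>&1
}
token_roundtrip() {  # $1 = constructed token string
    printf '%s' "$1" > "$WORKDIR/token.txt"
    printf '%s' "${1}x" > "$WORKDIR/tampered.txt"   # constructed altered copy
    openssl dgst -sha256 -sign "$WORKDIR/privatekey.pem" -out "$WORKDIR/token.sig" "$WORKDIR/token.txt"
    verify_token "$WORKDIR/token.txt" "$WORKDIR/token.sig" || return 1
    ! verify_token "$WORKDIR/tampered.txt" "$WORKDIR/token.sig"   # must be rejected
}

report() { if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; exit 1; fi; }

generate_keypair
report private_key_is_unencrypted "$WORKDIR/privatekey.pem"
report public_key_matches_private "$WORKDIR/privatekey.pem" "$WORKDIR/publickey.der"
report token_roundtrip "user=alice;expires=1700000000"
```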