Creating Public/Private Key Pairs

This page explains how to generate public/private key pairs using OpenSSL command-line tools.

Device authentication

Cloud IoT Core uses public key (or asymmetric) authentication:

  • The device uses a private key to sign a JSON Web Token (JWT). The token is passed to Cloud IoT Core as proof of the device's identity.
  • The service uses the device public key (uploaded before the JWT is sent) to verify the device's identity.

Cloud IoT Core supports the RSA and Elliptic Curve algorithms. For details on key formats, see Public key format.

Generating an RS256 key

To generate a 2048-bit RSA private key and extract its public key (the pair used for RS256 signing), run the following commands:

openssl genrsa -out rsa_private.pem 2048
openssl rsa -in rsa_private.pem -pubout -out rsa_cert.pem

These commands create the following public/private key pair:

  • rsa_private.pem: The private key that must be securely stored on the device and used to sign the authentication JWT.
  • rsa_cert.pem: The public key that must be stored in Cloud IoT Core and used to verify the signature of the authentication JWT.
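The following script is an added example and is not part of the Cloud IoT Core documentation. It runs the two commands above inside a temporary directory, checks that the generated public key really belongs to the private key (same RSA modulus), and then walks through the authentication flow described under "Device authentication": the device side signs a minimal RS256 JWT with rsa_private.pem, and the service side verifies it with rsa_cert.pem. The JWT claims (aud, iat, exp) are constructed sample values, and the function names are assumptions of this example. It requires only a POSIX shell and the openssl CLI.

```shell
#!/bin/sh
# Added example (not Cloud IoT Core's own code): generate an RS256 key pair,
# confirm the public key matches the private key, then sign and verify a JWT.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# base64url encoding without padding, as required by JWT (RFC 7515).
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Same two commands as the page, writing into the temporary directory.
gen_rsa_pair() {
  openssl genrsa -out "$WORKDIR/rsa_private.pem" 2048 2>/dev/null
  openssl rsa -in "$WORKDIR/rsa_private.pem" -pubout -out "$WORKDIR/rsa_cert.pem" 2>/dev/null
}

# Check: a public key belongs to a private key only if both share the same modulus.
# This catches the common mistake of uploading a public key from a different pair.
keys_match() {
  priv_mod="$(openssl rsa -in "$WORKDIR/rsa_private.pem" -noout -modulus 2>/dev/null)"
  pub_mod="$(openssl rsa -pubin -in "$WORKDIR/rsa_cert.pem" -noout -modulus 2>/dev/null)"
  [ "$priv_mod" = "$pub_mod" ]
}

# Device side: build header.payload and sign it with RSASSA-PKCS1-v1_5 / SHA-256,
# which is what openssl dgst -sign does for an RSA key and what RS256 means.
make_jwt() {
  header='{"alg":"RS256","typ":"JWT"}'
  payload="$1"
  signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"
  sig="$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$WORKDIR/rsa_private.pem" -binary | b64url)"
  printf '%s.%s' "$signing_input" "$sig"
}

# Service side: verify the signature with the uploaded public key.
# Returns 0 (Verified OK) or non-zero (Verification Failure).
verify_jwt() {
  jwt="$1"
  signing_input="${jwt%.*}"
  sig="${jwt##*.}"
  # Restore standard base64 padding before decoding.
  case $(( ${#sig} % 4 )) in
    2) padding='==' ;;
    3) padding='=' ;;
    *) padding='' ;;
  esac
  printf '%s%s' "$sig" "$padding" | tr '_-' '/+' | openssl base64 -d -A > "$WORKDIR/sig.bin"
  printf '%s' "$signing_input" | openssl dgst -sha256 -verify "$WORKDIR/rsa_cert.pem" \
    -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

# Stand-alone demonstration. Claim values below are constructed samples.
gen_rsa_pair
keys_match
echo "public key modulus matches private key"
TOKEN="$(make_jwt '{"aud":"example-project","iat":1700000000,"exp":1700003600}')"
verify_jwt "$TOKEN"
echo "JWT verified with rsa_cert.pem:"
echo "$TOKEN"
```

The modulus comparison in keys_match is the quick check to run before uploading a public key: if the two Modulus= lines differ, the file you are about to register cannot verify anything the device signs. The verify_jwt function also shows why a token signed with one key pair fails under another: the signature is bound to the exact header.payload bytes and to the private key, so either a swapped payload or a swapped key produces Verification Failure.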

To generate a 2048-bit RSA private key together with a self-signed X.509 certificate, run the following command (the -nodes option writes the private key unencrypted, so protect the file accordingly):

openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem \
    -out rsa_cert.pem -subj "/CN=unused"

You can replace the -subj argument with an actual certificate subject and use that certificate, or you can omit -subj and supply the certificate information when prompted. (Cloud IoT Core does not verify the subject.)

If you're validating keys against registry-level certificates, be sure to review the additional requirements.

Generating an ES256 key

To generate an ES256 key pair using the Elliptic Curve algorithm (the P-256 curve, named prime256v1 in OpenSSL), run the following commands:

openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem
openssl ec -in ec_private.pem -pubout -out ec_public.pem

These commands create the following public/private key pair:

  • ec_private.pem: The private key that must be securely stored on the device and used to sign the authentication JWT.
  • ec_public.pem: The public key that must be stored in Cloud IoT Core and used to verify the signature of the authentication JWT.

To generate an ES256 key together with a self-signed X.509 certificate, run the following commands:

openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem
openssl req -x509 -new -key ec_private.pem -out ec_public.pem -subj "/CN=unused"

You can replace the -subj argument with an actual certificate subject and use that certificate, or you can omit -subj and supply the certificate information when prompted. (Cloud IoT Core does not verify the subject.)

If you're validating keys against registry-level certificates, be sure to review the additional requirements.

Managing keys

Be sure to review the device security recommendations and consider implementing key rotation.

You can also use optional registry-level certificates to verify key credentials.
