Creating Public/Private Key Pairs

This page explains how to generate public/private key pairs using OpenSSL command-line tools.

Device authentication

Cloud IoT Core uses public key (or asymmetric) authentication:

  • The device uses a private key to sign a JSON Web Token (JWT). The token is passed to Cloud IoT Core as proof of the device's identity.
  • The service uses the device public key (uploaded before the JWT is sent) to verify the device's identity.

Cloud IoT Core supports the RSA and Elliptic Curve algorithms. For details on key formats, see Public key format.

Generating an RS256 key

To generate an RSA-256 private key with a 2048-bit key size, run the following commands:

openssl genrsa -out rsa_private.pem 2048
openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem

These commands create the following public/private key pair:

  • rsa_private.pem: The private key that must be securely stored on the device and used to sign the authentication JWT.
  • rsa_public.pem: The public key that must be stored in Cloud IoT Core and used to verify the signature of the authentication JWT.

Generating an RS256 key with a self-signed X.509 certificate

If you're validating keys against registry-level certificates, the certificate must meet certain requirements. One of these requirements is that the certificate use the X.509 standard.

To generate an RSA-256 private key with a 2048-bit key size and a self-signed X.509 certificate that expires far in the future, run the following command:

openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem \
    -days 1000000 -out rsa_cert.pem -subj "/CN=unused"

You can replace the -subj argument with an actual certificate subject and use that certificate, or you can omit -subj and supply the certificate information when prompted. (Cloud IoT Core does not verify the subject.)

By default, X.509 certificates expire 30 days after creation. To set the number of days until the certificate expires, add the -days <n> flag at creation time. If you try to create or update a device with an expired certificate, or try to connect a device to a registry and the registry's certificate has expired, Cloud IoT Core returns an error.

Generating an ES256 key

To generate an ES256 key pair using the Eliptic Curve algorithm, run the following commands:

openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem
openssl ec -in ec_private.pem -pubout -out ec_public.pem

These commands create the following public/private key pair:

  • ec_private.pem: The private key that must be securely stored on the device and used to sign the authentication JWT.
  • ec_public.pem: The public key that must be stored in Cloud IoT Core and used to verify the signature of the authentication JWT.

Generating an ES256 key with a self-signed X.509 certificate

If you're validating keys against registry-level certificates, the certificate must meet certain additional requirements not covered in this page. One of these requirements is that the certificate use the X.509 standard.

To generate an ES256 key with a self-signed X.509 certificate that expires far in the future, run the following commands:

openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem
openssl req -x509 -new -key ec_private.pem -days 1000000 -out ec_public.pem -subj "/CN=unused"

You can replace the -subj argument with an actual certificate subject and use that certificate, or you can omit -subj and supply the certificate information when prompted. (Cloud IoT Core does not verify the subject.)

By default, X.509 certificates expire 30 days after creation. To set the number of days until the certificate expires, add the -days <n> flag at creation time. If you try to create or update a device with an expired certificate, or try to connect a device to a registry and the registry's certificate has expired, Cloud IoT Core returns an error.

Converting keys to PKCS8 for Java

In Java, you need to convert private keys to the PKCS8 format. To convert RS256 and ES256 keys from PEM format to PKCS8 format, run the following commands:

RS256

openssl pkcs8 -topk8 -inform PEM -outform DER -in rsa_private.pem \
    -nocrypt > rsa_private_pkcs8

ES256

openssl pkcs8 -topk8 -inform PEM -outform DER -in ec_private.pem \
    -nocrypt > ec_private_pkcs8

Managing keys

Be sure to review the device security recommendations and consider implementing key rotation.

You can also use optional registry-level certificates to verify key credentials.

Hai trovato utile questa pagina? Facci sapere cosa ne pensi:

Invia feedback per...

Google Cloud Internet of Things Core