
Create key rings and keys

To allow the issuer switch to communicate securely with the NPCI, you must create the required key rings and keys in the same Google Cloud project where you want to set up your issuer switch instance. This page describes the process to create the key rings and keys using Cloud Key Management Service.

To create the required key rings and keys using Cloud Key Management Service, open the Key Management page in the Google Cloud console.


Create the following key rings and the associated keys.

  1. Create the CMEK key ring and key. Specify the required values:

    • Key ring name: For example, cmek-key-ring-1
    • Key name: For example, cmek-key-1
    • Protection level: Software
    • Purpose: Symmetric encrypt/decrypt
  2. Create the M-PIN credentials key ring and key. Specify the required values:

    • Key ring name: For example, creds-key-ring-1
    • Key name: For example, creds-key-1
    • Protection level: HSM
    • Purpose: Asymmetric decrypt
    • Algorithm: 2048 bit RSA - OAEP Padding - SHA256 Digest
  3. Create the XML signing key ring and key. Specify the required values:

    • Key ring name: For example, issuer-switch-signing-key-ring-1
    • Key name: For example, issuer-switch-signing-key-1
    • Protection level: Either HSM or Software
    • Purpose: Asymmetric sign
    • Algorithm: 2048 bit RSA - PKCS#1 v1.5 padding - SHA256 Digest
  4. Create the mandate XML signing key ring and key. Specify the required values:

    • Key ring name: For example, mandate-key-ring-1
    • Key name: For example, mandate-key-1
    • Protection level: Either HSM or Software
    • Purpose: Asymmetric sign
    • Algorithm: 2048 bit RSA - PKCS#1 v1.5 padding - SHA256 Digest

After you create these keys, grant the required service account access to all of them. Google will tell you which service account to grant access to; it is an email address similar to issuer-switch-async-service@project-id.iam.gserviceaccount.com. See Set up your issuer switch instance.
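As an added example that is not part of this documentation, the following script creates the four key rings and keys listed above with gcloud and grants the service account access to each. PROJECT_ID, LOCATION, the DRY_RUN switch and the IAM roles are assumptions, since the page names neither the location nor the roles.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Creates the four key
# rings/keys described on this page with gcloud and grants the issuer switch
# service account access to each. PROJECT_ID, LOCATION and the IAM roles are
# assumptions (the page names neither); set DRY_RUN=0 to actually run gcloud.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"    # assumption: your project ID
LOCATION="${LOCATION:-asia-south1}"          # assumption: key ring location
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-issuer-switch-async-service@${PROJECT_ID}.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command (dry run) or execute it.
run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Translate the console's Purpose/Algorithm/Protection level settings into
# gcloud flags. Usage: key_flags KIND PROTECTION (KIND: cmek | mpin | sign)
key_flags() {
  case "$1" in
    cmek) echo "--purpose=encryption --protection-level=$2" ;;
    mpin) echo "--purpose=asymmetric-encryption --protection-level=$2 --default-algorithm=rsa-decrypt-oaep-2048-sha256" ;;
    sign) echo "--purpose=asymmetric-signing --protection-level=$2 --default-algorithm=rsa-sign-pkcs1-2048-sha256" ;;
    *) echo "key_flags: unknown key kind '$1'" >&2; return 1 ;;
  esac
}

# create_key KIND PROTECTION KEYRING KEY ROLE: key ring, key, then IAM binding.
create_key() {
  run gcloud kms keyrings create "$3" --project "$PROJECT_ID" --location "$LOCATION"
  # key_flags output is intentionally word-split into separate arguments
  run gcloud kms keys create "$4" --project "$PROJECT_ID" --location "$LOCATION" \
    --keyring "$3" $(key_flags "$1" "$2")
  run gcloud kms keys add-iam-policy-binding "$4" --project "$PROJECT_ID" --location "$LOCATION" \
    --keyring "$3" --member "serviceAccount:$SERVICE_ACCOUNT" --role "$5"
}

# Roles below are assumptions: the page only says to grant the account access to all the keys.
main() {
  create_key cmek software cmek-key-ring-1 cmek-key-1 roles/cloudkms.cryptoKeyEncrypterDecrypter
  create_key mpin hsm creds-key-ring-1 creds-key-1 roles/cloudkms.cryptoKeyDecrypter
  create_key sign hsm issuer-switch-signing-key-ring-1 issuer-switch-signing-key-1 roles/cloudkms.signer
  create_key sign hsm mandate-key-ring-1 mandate-key-1 roles/cloudkms.signer
}

main "$@"
```

With the default DRY_RUN=1 the script only prints the gcloud commands it would run, so you can review the flags against the console values before executing them.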