To manage asymmetric keys the module provides 2 data types:
Valid key formats
- Base64-encoded key in PKCS8 PEM format (.pem extension). It can contain a public key, a private key, or both.
  - Encrypted .pem files and encrypted PKCS8 private keys are not accepted; decrypt them before loading.
  - Files with the .key extension are not supported.
- DER certificate (.crt or .cer extension). It contains only a public key.
- PKCS12 certificate or keystore (.p12, .pfx or .jks extension). It contains only private keys, or private keys together with their certificates.
  - The JKS format (Java KeyStore) is available only in the Java implementation.
  - For PKCS12 files the file password is required in both the Java and .Net implementations.
  - The .Net implementation does not use the PKCS12 alias: it takes the public key from the first certificate in the certificate chain and the first default private key listed in the file. A PKCS12 file loaded by the .Net implementation should therefore contain only the intended certificate and key, otherwise the wrong pair may be selected.
  - Files with the .pkcs12 extension are not supported.
- Every certificate must comply with the X.509 standard.
The key pair can be generated locally with some tools, the most popular of which is OpenSSL.
Anyone can create, sign and distribute a certificate, but most people will not trust it and, by default, software will not trust it either. Such a certificate is known as self-signed and is commonly used for testing.
When the key pair and its certificate are generated, the key algorithm (for example RSA) and the signature algorithm, including the hash function used to create and verify signatures (for example sha256WithRSAEncryption), are recorded in the certificate. The module always verifies a signature with the algorithms recorded in the certificate, so a signature produced with a different hash will not verify.
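The following shell script is an added example, not part of this module's documentation or code. It uses the OpenSSL command line to produce the three formats the module accepts (an unencrypted PKCS8 PEM key, a DER certificate and a PKCS12 bundle), also writes the encrypted PKCS8 form that the module rejects so the two can be told apart, and reads back the signature algorithm recorded in the self-signed certificate. The file names, the subject "example-test" and the password "changeit" are arbitrary choices for this example; it assumes an OpenSSL 1.1.1 or newer binary on PATH.

```shell
#!/bin/sh
# Added example (not the module's own code): generate test key material in the
# formats the module accepts, using OpenSSL. File names, subject and password
# below are assumptions made for this example.
set -eu

# Generate an RSA key pair, a self-signed X.509 certificate and the
# derived files into directory $1, protecting the PKCS12 bundle with $2.
gen_material() {
  dir="$1"; pass="$2"
  mkdir -p "$dir"
  # 1. Unencrypted PKCS8 private key in PEM ("BEGIN PRIVATE KEY"): accepted.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/private.pem" 2>/dev/null
  # 2. The same key encrypted ("BEGIN ENCRYPTED PRIVATE KEY"): rejected by
  #    the module; kept here only to show the difference.
  openssl pkcs8 -topk8 -in "$dir/private.pem" -passout "pass:$pass" \
      -out "$dir/private-encrypted.pem"
  # 3. Matching public key in PEM.
  openssl pkey -in "$dir/private.pem" -pubout -out "$dir/public.pem"
  # 4. Self-signed X.509 certificate; -sha256 fixes the hash that the
  #    certificate's signature algorithm will record.
  openssl req -new -x509 -key "$dir/private.pem" -sha256 -days 365 \
      -subj "/CN=example-test" -out "$dir/cert.pem"
  # 5. DER certificate (.crt / .cer): public key only.
  openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.crt"
  # 6. PKCS12 bundle (.p12) holding private key and certificate; the module
  #    needs this password to open it.
  openssl pkcs12 -export -inkey "$dir/private.pem" -in "$dir/cert.pem" \
      -name example -passout "pass:$pass" -out "$dir/keystore.p12"
}

# True only for an unencrypted PKCS8 PEM key, the form the module accepts.
pem_is_plain_pkcs8() {
  grep -q '^-----BEGIN PRIVATE KEY-----' "$1"
}

# Prints the signature algorithm recorded in a PEM certificate, e.g.
# "sha256WithRSAEncryption". Signatures must be verified with this algorithm.
cert_sigalg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# True when the PKCS12 file $1 opens with password $2.
p12_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# True when the public key inside certificate $1 matches private key $2;
# a mismatch means nothing signed with the key can ever verify.
keys_match() {
  a=$(openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}
```

Typical use is `gen_material ./testkeys changeit` followed by `cert_sigalg ./testkeys/cert.pem`; the printed algorithm is the one the module will use when verifying, which is why the hash is chosen explicitly with `-sha256` at generation time rather than left to the OpenSSL default.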
For more information, read the Cryptography Asymmetric information article.