You need to generate a private/public key pair, which is used to create a client_assertion later in the process, for each application you created in Step 2 to access testing or production environments. It must be a 4096-bit RSA key pair.
Note that if you generate your own JWKS file, you must use the RS512 algorithm to do this.
Decide on your Key Identifier (KID) - a unique name to identify the key pair in use. The KID will be used to refer to the key pair when constructing and posting the JWT.
We recommend:
- test-1 for testing
- prod-1 for production use
If you create multiple applications to test across multiple test environments, you need a different KID and key pair for each environment.
If you create subsequent key pairs for key rotation, number them sequentially, for example test-2, test-3 and so on.
Do not re-use a KID.
For development and integration test environments only, you might find it easiest to use an external key generator to create a private-public key pair, and a JWKS file. Do not use this for a production environment.
For production environments (and for test environments too), generating the public/private key pair yourself on your own machine is much more trustworthy, because the private key never leaves it.
Generate a private/public key pair using an external key generator - for test environments only
There are several external key generators available on the internet, and while we cannot endorse any one in particular, we know people have had success with https://mkjwk.org/.
To use it, enter:
- Key Size: 4096
- Key Use: Signature
- Algorithm: RS512
- Key ID: YOUR_KID
- Show X.509: Yes
This produces:
- "Public Key" - your JWKS file for uploading
- "Private Key (X.509 PEM Format)" - your private key in PEM format
- "Public Key (X.509 PEM Format)" - your public key in PEM format
Important - always keep your private key private. Do not send it to us!
Go to Step 4.
Generate your own private/public key pair - for production or test environments
On Windows, the easiest way to get the BASH shell tools to do this is to install Git For Windows.
On Linux and Mac OS, the BASH shell comes as standard.
Open a BASH shell command prompt and define your KID:
KID=YOUR_KID
Then run both of the following commands:
- openssl genrsa -out $KID.pem 4096
- openssl rsa -in $KID.pem -pubout -outform PEM -out $KID.pem.pub
These commands create the following files:
- $KID.pem - your private key in PEM format
- $KID.pem.pub - your public key in PEM format
Important - always keep your private key private. Do not send it to us!
If this is a key pair for a production application, and you want us to host your public key, go to Step 4.
If this is a key pair for development or integration testing environments, or a production environment key you want to host yourself, you also need to create a JWKS file to upload.
To do this, first get the "modulus" of your private key, by entering the following BASH shell commands: