# Signing Key Pair

## Overview

This article covers the key pair used for digital signatures. The keys are generated and processed with OpenSSL.
The authentication server [digitally signs](Yggdrasil-Server Technical Specification#Serialization of Role Information) the role properties in the responses to the following requests:

- [Server Verification Client](Yggdrasil-Server Technical Specification#Server Verification Client)
- [Query Role Properties](Yggdrasil-Server Technical Specification#Query Role Properties) (only required when `unsigned=false`)

The authentication server exposes the public key through [API Metadata](Yggdrasil-Server Technical Specification#API Metadata Acquisition) so that authlib-injector can obtain it.

Note: authentication servers should avoid changing the key. If multiple server instances are used for load balancing, they should all use the same key.
## Key pair generation and processing

The OpenSSL invocations below read from standard input and write to standard output. To use files instead, pass `-in <file>` and `-out <file>`.
### Generate private key

The key algorithm is RSA; the recommended length is 4096 bits.

```
openssl genrsa 4096
```

The generated private key is written to standard output.
### Generate public key from private key

```
openssl rsa -pubout
```

The private key is read from standard input and the public key is written to standard output.
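The full procedure above as an added, runnable example (not part of the authlib-injector project): it generates the key pair with the same two OpenSSL commands using files, checks that the derived public key really belongs to the private key, and does a sign/verify round trip the way a client holding only the public key would check a signed response. The file names, the 2048-bit length used to keep the demo fast, and the SHA-256 digest are assumptions for this demonstration; the specification, not this script, defines the actual signature scheme.

```shell
#!/bin/sh
# Added example, not code from the authlib-injector project.
# Assumptions: key files live in a temp dir, 2048-bit key for speed
# (the page recommends 4096 in production), SHA-256 as the demo digest.
set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"
PRIV="$KEYDIR/private.pem"
PUB="$KEYDIR/public.pem"

# Generate the RSA private key, then derive the public key from it
# (same commands as above, with -in/-out instead of stdin/stdout).
gen_keypair() {
  openssl genrsa -out "$PRIV" "${1:-2048}" 2>/dev/null
  openssl rsa -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

# Confirm both files describe the same key by comparing the RSA modulus.
keypair_matches() {
  priv_mod=$(openssl rsa -in "$PRIV" -noout -modulus)
  pub_mod=$(openssl rsa -pubin -in "$PUB" -noout -modulus)
  [ "$priv_mod" = "$pub_mod" ]
}

# Sign a constructed sample payload with the private key and verify it
# with the public key only, as a client would.
sign_and_verify() {
  printf '%s' "$1" > "$KEYDIR/payload.txt"
  openssl dgst -sha256 -sign "$PRIV" -out "$KEYDIR/payload.sig" "$KEYDIR/payload.txt"
  openssl dgst -sha256 -verify "$PUB" -signature "$KEYDIR/payload.sig" \
    "$KEYDIR/payload.txt" >/dev/null
}

# A modified payload must be rejected against the original signature.
tampered_fails() {
  printf '%s' "$1" > "$KEYDIR/tampered.txt"
  ! openssl dgst -sha256 -verify "$PUB" -signature "$KEYDIR/payload.sig" \
    "$KEYDIR/tampered.txt" >/dev/null 2>&1
}

gen_keypair 2048
keypair_matches && echo "public key matches private key"
sign_and_verify '{"textures":"constructed-sample"}' && echo "signature verified"
tampered_fails '{"textures":"altered"}' && echo "tampered payload rejected"
```

Set `KEYDIR` to an existing directory to keep the generated files instead of a temporary location.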