# Signing Key Pair

# Overview

This article covers the key pair the authentication server uses for digital signatures. The keys are generated and converted with the OpenSSL command-line tool.

The authentication server digitally signs the role attributes in the responses to the following requests (see [Serialization of Role Information](Yggdrasil-Server Technical Specification#Serialization of Role Information)):

  • [Server Verification Client](Yggdrasil-Server Technical Specification#Server Verification Client)
  • [Query Role Properties](Yggdrasil-Server Technical Specification#Query Role Properties) (only required when `unsigned=false`)

The authentication server publishes only the public key, through the [API Metadata](Yggdrasil-Server Technical Specification#API Metadata Acquisition), so that authlib-injector can retrieve it and verify the signatures. The private key never leaves the server.

Note: Authentication servers should avoid changing the key pair, because authlib-injector verifies signatures against the public key it retrieved from the API metadata, and anything signed with a different private key will fail verification. If multiple server instances are used for load balancing, they must all sign with the same private key and publish the same public key.

# Key pair generation and processing

The following OpenSSL invocations read from standard input and write to standard output. To use files instead, pass `-in <file>` and `-out <file>` (`genrsa` takes no input and therefore only accepts `-out`).

# Generate private key

The key algorithm is RSA; the recommended length is 4096 bits.

```shell
openssl genrsa 4096
```

The generated private key is written to standard output in PEM form (OpenSSL 3 emits PKCS#8, `-----BEGIN PRIVATE KEY-----`; OpenSSL 1.1 emitted PKCS#1, `-----BEGIN RSA PRIVATE KEY-----`; `openssl rsa` accepts both). Treat it as a secret: store it with permissions readable only by the server process (for example `chmod 600`) and keep it out of version control and server logs.

# Generate public key from private key

```shell
openssl rsa -pubout
```

The private key is read from standard input, and the public key is written to standard output in PEM form (`-----BEGIN PUBLIC KEY-----`). This is the value to publish in the API metadata; check that you never paste the private key block there by mistake.
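The whole procedure carried through, as an added example that is not part of the original page or of authlib-injector's own code: it generates the key pair with the two commands above, confirms the key length, and then performs a sign/verify round trip over a sample property value, including a tampered value that must be rejected. It assumes OpenSSL is installed, that the signature is SHA1withRSA (SHA-1 digest, RSA PKCS#1 v1.5) over the raw property value and transported as base64, which is how the referenced specification section describes it but this page does not state; the file names, directory and sample value are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the authlib-injector wiki: generate the RSA signing
# key pair with OpenSSL, derive the public key, then sign and verify a sample
# property value with SHA1withRSA (assumed to match the referenced spec).
set -eu

# Generate a 4096-bit RSA private key in $1/private.pem and the matching
# public key in $1/public.pem (PEM, "BEGIN PUBLIC KEY"). umask 077 ensures the
# private key is never created world-readable, whatever OpenSSL's own default.
gen_keypair() {
    mkdir -p "$1"
    ( umask 077 && openssl genrsa -out "$1/private.pem" 4096 2>/dev/null )
    openssl rsa -in "$1/private.pem" -pubout -out "$1/public.pem" 2>/dev/null
}

# Print the modulus size in bits of the private key $1 (hex digits * 4),
# to confirm the recommended 4096-bit length was actually used.
key_bits() {
    m=$(openssl rsa -in "$1" -noout -modulus)
    m=${m#Modulus=}
    echo $(( ${#m} * 4 ))
}

# Sign the string $2 with private key $1; print the signature as one-line base64.
sign_value() {
    printf '%s' "$2" | openssl dgst -sha1 -sign "$1" | openssl base64 -A
}

# Verify base64 signature $3 over string $2 with public key $1.
# Returns 0 when valid, 1 otherwise (wrong key, tampered value or signature).
verify_value() {
    sigfile=$(mktemp)
    printf '%s' "$3" | openssl base64 -d -A > "$sigfile"
    if printf '%s' "$2" | openssl dgst -sha1 -verify "$1" -signature "$sigfile" >/dev/null 2>&1; then
        rm -f "$sigfile"; return 0
    fi
    rm -f "$sigfile"; return 1
}

# Demo run with a constructed sample property value (not real profile data).
workdir=$(mktemp -d)
gen_keypair "$workdir"
echo "private key: $(key_bits "$workdir/private.pem") bits"
value='eyJ0aW1lc3RhbXAiOjE2MDAwMDAwMDAsInByb2ZpbGVJZCI6IjAifQ=='
sig=$(sign_value "$workdir/private.pem" "$value")
verify_value "$workdir/public.pem" "$value" "$sig" && echo "signature valid"
verify_value "$workdir/public.pem" "${value}x" "$sig" || echo "tampered value rejected"
rm -rf "$workdir"
```

The signature is computed over the exact bytes of the property value (no trailing newline, hence `printf '%s'`), so the server and the client must agree on the serialization before signing; any difference in the encoded string, not only malicious tampering, makes verification fail.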