Create a public/private key pair
Private and Partner applications must sign messages using the OAuth RSA-SHA1 method.
This requires that you create a public/private key-pair, and upload the public certificate during application registration. We refer to this certificate as an application certificate.
To get started with creating a public/private key-pair, we recommend the use of OpenSSL.
To run the commands below, go to the OpenSSL32 directory on your PC, and change to the /bin directory.
- You may need to open the command prompt with admin privileges (Run as administrator)
- If OpenSSL has just been installed, you might need to restart your computer before it can generate certs
OpenSSL ships with Mac OS X version 10.6.2 onwards. To open a Terminal window, search for 'terminal' using the search bar in the top right of your screen, then run the commands below in it.
- You may need to run each OpenSSL command with elevated privileges: add sudo before each command
The basic command-line steps to generate a private and public key using OpenSSL are as follows:

    openssl genrsa -out privatekey.pem 1024
    openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
    openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer

- Step 1: Generates a private key.
- Step 2: Creates an X509 certificate (.cer file) containing your public key, which you upload when registering your private application (or upgrading to a partner application).
- Step 3: Exports your X509 certificate and private key to a pfx file. If your chosen wrapper library uses the .pem file to sign requests then this step is not required.
Note: If you are using Java libraries which require extracting the private key in PKCS8 format, please refer here.
Please make a note of the expiry date of your certificate as you will need to upload a replacement in the Xero Developer Center before the expiry date to ensure uninterrupted service.
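
Steps 1 and 2 above run non-interactively, with a check that the certificate really contains the private key's public half and a way to read the expiry date you need to record. This is an added example, not part of the original documentation; the function names, the directory argument and the `-subj` value are assumptions.

```shell
#!/bin/sh
# Added example: function names, the CN value and the directory layout are
# assumptions. File names, key size and validity period default to the
# values used in the commands above.

# make_app_cert DIR [BITS] [DAYS]: steps 1 and 2 without interactive prompts.
make_app_cert() {
    dir=$1; bits=${2:-1024}; days=${3:-1825}
    (
        umask 077    # private key file readable by its owner only
        openssl genrsa -out "$dir/privatekey.pem" "$bits" 2>/dev/null
    ) || return 1
    # -subj replaces the interactive subject questions; the CN is a placeholder.
    openssl req -new -x509 -key "$dir/privatekey.pem" \
        -out "$dir/publickey.cer" -days "$days" \
        -subj "/CN=example-app" 2>/dev/null
}

# cert_matches_key CERT KEY: succeeds only if CERT holds KEY's public key.
# Catches uploading a certificate that was made from a different key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_expiry CERT: prints the certificate's notAfter date.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_valid_for CERT DAYS: succeeds if CERT is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
```

Source the file, then run `make_app_cert .` followed by `cert_matches_key publickey.cer privatekey.pem` and `cert_expiry publickey.cer`; `cert_valid_for publickey.cer 30` can go in a scheduled job to warn before the replacement is due.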