Join us at Xero Developer Roadshow, June 2018 at a city near you. Register Free

Create a public/private key pair


Private and Partner applications must sign messages using the OAuth RSA-SHA1 method.

This requires that you create a public/private key-pair, and upload the public certificate during application registration. We refer to this certificate as an application certificate.

To get started with creating a public/private key-pair we recommend the use of OpenSSL

Windows users

Download OpenSSL for Windows

To run the commands below, go to the OpenSSL32 directory on your PC, and change to the /bin directory.

  • You may need to open the command prompt with admin privileges (Run as administrator)
  • If OpenSSL has just been installed, you might need to restart your computer before it can generate certs

Mac users

OpenSSL comes shipped with Mac OS X version 10.6.2 onwards. You can use Terminal to run OpenSSL (search for 'terminal' using the search bar in the top right of your screen on your desktop) to open the terminal window and then run the commands below.

  • You may need to run each OpenSSL command lines with elevated privileges - add sudo before each command lines

Using OpenSSL

The basics command line steps to generate a private and public key using OpenSSL are as follows:

openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer
  • Step 1: generates a private key
  • Step 2: creates a X509 certificate (.cer file) containing your public key which you upload when registering your private application (or upgrading to a partner application).
  • Step 3: Export your x509 certificate and private key to a pfx file. If your chosen wrapper library uses the .pem file to sign requests then this step is not required.
Note: If you are using Java libraries which require extracting the private key in PKCS8 format, please refer here.

Please make a note of the expiry date of your certificate as you will need to upload a replacement in the Xero Developer Center before the expiry date to ensure uninterrupted service.