A public key and a private key are a key pair that is obtained by using an encryption algorithm. The public key and private key are used for asymmetric encryption. The public key is used to encrypt sessions and verify digital signatures, whereas the corresponding private key is used to decrypt the session data to ensure secure data transmission. The public key is the public part of a key pair, whereas the private key is the private part managed by users.

A key pair that is generated by using an encryption algorithm is unique worldwide. If you use a key in a key pair to encrypt a piece of data, the data can be decrypted only by using the other key in this key pair. For example, data encrypted with a public key must be decrypted with the matching private key. Data encrypted with a private key must be decrypted with the matching public key.

## How does SSL Certificates Service work?

SSL Certificates Service uses a public-key encryption system that uses a matching key pair to encrypt and decrypt data. Each user creates a private key that is highly secured and not disclosed to anyone for decryption and signature. Meanwhile, the user creates a public key and discloses this key to a group of users for encryption and signature verification.

Only the key owner can use the matching key to encrypt a document, and therefore generate a digital signature.

An SSL certificate is a document digitally signed by a certification authority (CA). This document contains information about a public key and the owner of the public key. The simplest certificate contains a public key, a certificate name, and a digital signature of the corresponding CA. Digital certificates are valid for only a specific period of time.

## How can I create a private key?

SSL Certificates Service has the following requirements for the private key length and the encryption algorithm that is used to generate a private key:

- The RSA algorithm is used.
- The private key length must be at least 2,048 bits.

**Note**We recommend that you use a 2,048-bit key based on the SHA-256 digest algorithm.

You can use one of the following methods to create your private key:

**Use OpenSSL to generate a private key**- You can download the latest OpenSSL installation package from http://www.openssl.org/source/.
**Note**OpenSSL version 1.0.1g or later is required. - After OpenSSL is installed, run
`openssl genrsa -out myprivate.pem 2048`

in command line mode to generate your private key file. myprivate.pem is the generated private key file. 2,048 represents the private key length.

- You can download the latest OpenSSL installation package from http://www.openssl.org/source/.
**Use Keytool to generate and export a private key**Keytool is a key management tool installed with JDK. This tool can create keystore files in JKS format for SSL certificates. You can obtain Keytool when you download JDK from Java SE Downloads.

By default, the public key and private key that are created by using Keytool are not exported. You must export the private key from a .keystore file that has been created. For more information about how to export a private key from a .keystore file, see Certificate format conversion.

In the exported file, your private key is visible if a section of the file is similar to one of the following examples:`-----BEGIN RSA PRIVATE KEY----- ...... -----END RSA PRIVATE KEY-----`

Or`-----BEGIN PRIVATE KEY----- ...... -----END PRIVATE KEY-----`

**Note**We recommend that you keep your private key safe. If the private key is lost or becomes corrupt, you cannot use the matching public key and digital certificate that you have requested.