## What is a public key and a private key?

A public key and a private key together form the key pair used in asymmetric encryption. The two keys are generated together and are mathematically related. The public key can be disclosed to many, while the private key is known only to the key owner. The public key is usually used to encrypt session keys, verify digital signatures, or encrypt data that can be decrypted with the matching private key.

The two keys work as a pair: if you use the public key for encryption, you must use the matching private key for decryption, and vice versa. Decryption fails if this pairing is not followed.

## How does a digital certificate work?

A digital certificate relies on a public key encryption system (a matching key pair for encryption and decryption). Each user creates a private key, which is kept highly secure and not disclosed to anyone, and uses it for decryption and digital signing. The user also creates the matching public key and discloses it to the user group, which uses it to complete the encryption and signature verification process.

A digital signature on a document shows that the document was verified by the key owner, and it cannot be generated by anyone else.

A digital certificate is a document digitally signed by a certificate authority (CA) that contains information about a public key and information about the identity of its owner. The simplest certificate includes a public key, a name, and the digital signature of the certificate authority. Digital certificates are valid for a specific time period.

## How can I create a private key?

Alibaba Cloud Certificates Service places the following restrictions on the algorithm and length of a private key:

- The algorithm must be RSA.
- The length must be at least 2,048 bits.

**Note:** We recommend that you use 2,048 bits and the SHA256 digest algorithm.

You can use either of the following methods to create your private key:

**Use OpenSSL to generate the private key**

**Note:** OpenSSL version 1.0.1g or later is required.

After OpenSSL is installed, run `openssl genrsa -out myprivate.pem 2048` in command line mode to generate your private key.

- `myprivate.pem` is the file that contains your private key.
- `2048` indicates the key length, in bits.

**Use Keytool to export the private key**

Keytool is a key management tool installed with JDK. It creates certificates based on the Keystore (JKS) format. You can obtain Keytool when you download JDK from Java SE Downloads.

By default, the public key and private key created by using Keytool are not exported. Therefore, you have to export the private key from a .keystore file that has already been created. For details, see Mainstream formats used in digital certificates.

```
-----BEGIN RSA PRIVATE KEY-----
......
-----END RSA PRIVATE KEY-----
```

```
-----BEGIN PRIVATE KEY-----
......
-----END PRIVATE KEY-----
```
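The following Python script is an added example, not code from Alibaba Cloud or OpenSSL. It checks a key file against the restrictions listed above (RSA, at least 2,048 bits) for both PEM forms shown: `RSA PRIVATE KEY` (PKCS#1) and `PRIVATE KEY` (PKCS#8). The function names and the script name `check_key.py` are assumptions made for illustration.

```python
import base64, re, sys

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption
MIN_BITS = 2048                                # minimum length stated on this page
PEM_RE = re.compile(r"-----BEGIN ((?:RSA )?PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want_tag, what):
    """Read one element and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected {what}")
    return value, nxt

def check_private_key(pem_text):
    """Return (pem_label, modulus_bits, meets_minimum) for an unencrypted RSA key."""
    m = PEM_RE.search(pem_text)
    if not m or "ENCRYPTED" in m.group(2):
        raise ValueError("no unencrypted PEM private key found")
    label, der = m.group(1), base64.b64decode(m.group(2))
    if label == "PRIVATE KEY":                 # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        seq, _ = expect(der, 0, 0x30, "PKCS#8 SEQUENCE")
        _, pos = expect(seq, 0, 0x02, "version")
        alg, pos = expect(seq, pos, 0x30, "AlgorithmIdentifier")
        oid, _ = expect(alg, 0, 0x06, "algorithm OID")
        if oid != RSA_OID:
            raise ValueError("algorithm is not RSA")
        der, _ = expect(seq, pos, 0x04, "privateKey OCTET STRING")
    seq, _ = expect(der, 0, 0x30, "RSAPrivateKey SEQUENCE")   # PKCS#1 body
    _, pos = expect(seq, 0, 0x02, "version")
    modulus, _ = expect(seq, pos, 0x02, "modulus")
    bits = int.from_bytes(modulus, "big").bit_length()
    return label, bits, bits >= MIN_BITS

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_key.py myprivate.pem")
    with open(sys.argv[1]) as f:
        print(check_private_key(f.read()))
```

The script only reads the key's structure; it does not validate the key mathematically and rejects passphrase-encrypted files.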

**Note:** You must maintain the privacy and security of the private key at all costs. If the private key is lost or becomes corrupt, you cannot use the corresponding public key and digital certificate that you have requested.