Creating keys and certificates
For security reasons, it is best that the airline creates or purchases the public/private key-pair and shares only the public key with BAGTAG. It may be a self-signed certificate.
There are many free online certificate creation tools, but it is strongly advised not to use any of these services, because there is no certainty about what the service does with the generated keys. The best method is to create the certificate locally.
A generic tool that runs on all platforms is OpenSSL. It comes pre-compiled with many operating systems. If it is not installed, it can be downloaded from OpenSSL.
Create a public x509 certificate
Run the following commands in an elevated terminal/command prompt (e.g. “Run as administrator” on Windows or “sudo -i” on other operating systems like macOS or Linux).
openssl req -x509 -days 356 -newkey rsa:2048 -nodes -keyout private-key.pem -out certificate.pem;
The command above creates two pem files:
certificate.pem – This is the base64 encoded public X509 certificate
private-key.pem – This is the base64 encoded private key
The public certificate must be sent to BAGTAG; this can be done via regular email. The public certificate will be added to the BAGTAG backend, so it can be used to verify the message from the Client backend.
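Before e-mailing certificate.pem, it is worth confirming that the file contains no private key, that it pairs with private-key.pem, and how long it remains valid. The script below is an added example, not part of the original BAGTAG instructions; the function names, the temporary directory and the -subj value are assumptions of the example, and comparing the fingerprint over a second channel is a suggestion rather than a BAGTAG requirement.

```shell
#!/bin/sh
# Added example: checks to run on certificate.pem / private-key.pem before
# e-mailing the certificate. Function names are this example's own.

# True only if FILE parses as an X.509 certificate and holds no private key.
is_public_only() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    ! grep -q 'PRIVATE KEY' "$1"
}

# True if CERT and KEY contain the same public key (i.e. they are a pair).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if CERT is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint, for comparing with the recipient over a second channel.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed demo input: a throwaway pair made with the page's command, plus
# -subj (constructed subject) so openssl does not prompt; umask keeps it private.
DEMO_DIR=$(mktemp -d)
( cd "$DEMO_DIR" && umask 077 && openssl req -x509 -days 356 -newkey rsa:2048 -nodes \
    -keyout private-key.pem -out certificate.pem -subj "/CN=example-airline" ) 2>/dev/null

is_public_only "$DEMO_DIR/certificate.pem" && echo "safe to send: certificate.pem"
is_public_only "$DEMO_DIR/private-key.pem" || echo "never send: private-key.pem"
key_matches_cert "$DEMO_DIR/certificate.pem" "$DEMO_DIR/private-key.pem" && echo "key and certificate match"
valid_for_days "$DEMO_DIR/certificate.pem" 30 && echo "valid for at least 30 more days"
echo "SHA-256 fingerprint: $(cert_fingerprint "$DEMO_DIR/certificate.pem")"
```

To check real files, call the same functions with the paths of the certificate.pem and private-key.pem created above instead of the demo directory.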
Depending on the JWT library used, it may be necessary to provide a key or certificate in a different format. Below are some examples of conversions to the most common formats.
For some methods, a password is needed for signing; the password can be set during the conversion. The password does not have to be sent to BAGTAG.
PKCS#12/PFX binary certificate file
Use the following command to combine both PEM files into one .pfx file.
openssl pkcs12 -export -out certificate.pfx -inkey private-key.pem -in certificate.pem
Export your public key
In case a separate public key is required (not the same as the public certificate):
openssl rsa -in private-key.pem -pubout -out public-key.pem
Convert der (binary) encoded certificate to pem (ascii) format.
openssl x509 -inform der -in certificate.der -out certificate.pem
Convert pem (ascii) encoded certificate to der (binary) format.
openssl x509 -outform der -in certificate.pem -out certificate.der
Check a certificate
openssl x509 -in certificate.pem -text -noout
Check PKCS#12 bundle
openssl pkcs12 -in certificate.pfx -noout -info
In case you need support with certificates, please contact BAGTAG.