Creating keys and certificates

For security reasons, it is best that the airline creates or purchases the public/private key pair and shares only the public key with BAGTAG. The certificate may be self-signed.

There are many free online certificate creation tools, but it is strongly advised not to use any of these services, because there is no certainty about what the service does with the generated keys. The best method is to create the certificate locally.

A generic tool that runs on all platforms is OpenSSL. It ships pre-compiled with many operating systems. If it is not installed, it can be downloaded from OpenSSL.

Create a public x509 certificate

Run the following command in an elevated terminal/command prompt (e.g. “Run as administrator” on Windows or “sudo -i” on other operating systems like macOS or Linux).

openssl req -x509 -days 356 -newkey rsa:2048 -nodes -keyout private-key.pem -out certificate.pem

The command above creates two pem files:

  • certificate.pem – This is the base64 encoded public X509 certificate
  • private-key.pem – This is the base64 encoded private key

The public certificate must be sent to BAGTAG; this can be done via regular email. The public certificate will be added to the BAGTAG backend so that it can be used to verify messages from the Client backend.
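Before emailing certificate.pem, it is worth confirming that the file holds only the certificate and that it belongs to private-key.pem. The script below is an added example, not BAGTAG's own tooling; the function names are this example's own, and the file names are those produced by the command above.

```sh
#!/bin/sh
# Added example: checks to run before emailing certificate.pem.
# File names are the page's; function names are this example's own.

# Succeeds if the file holds any PEM private-key block
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY).
contains_private_key() {
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}

# Succeeds only for a file with a CERTIFICATE block and no private key,
# which catches a combined PEM (key and certificate in one file).
safe_to_share() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && ! contains_private_key "$1"
}

# Succeeds if the certificate carries the public key of the private key.
# $1 = certificate, $2 = private key; returns 2 if either cannot be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Runs both checks, then prints the SHA-256 fingerprint of the certificate.
presend_check() {
    safe_to_share "$1" || { echo "REFUSE: $1 is not certificate-only" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "REFUSE: $1 does not match $2" >&2; return 1; }
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Check the files from the openssl req command when they are present.
if [ -f certificate.pem ] && [ -f private-key.pem ]; then
    presend_check certificate.pem private-key.pem
fi
```

Reading the printed SHA-256 fingerprint back over a second channel lets both sides confirm that the certificate received by email is the one that was sent.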

Optional conversions

Depending on the JWT library used, it may be necessary to provide a key or certificate in a different format. Below are some examples of conversions to the most common formats.

For some methods, a password is needed for signing; the password can be set during the conversion. The password does not have to be sent to BAGTAG.

PKCS#12/PFX binary certificate file

Use the following command to combine both PEM files into one .pfx file.

openssl pkcs12 -export -out certificate.pfx -inkey private-key.pem -in certificate.pem

Export your public key

In case a separate public key is required (not the same as public certificate)

openssl rsa -in private-key.pem -pubout -out public-key.pem

Convert der (binary) encoded certificate to pem (ascii) format.

openssl x509 -inform der -in certificate.der -out certificate.pem

Convert pem (ascii) encoded certificate to der (binary) format.

openssl x509 -outform der -in certificate.pem -out certificate.der

Check a certificate

openssl x509 -in certificate.pem -text -noout

Check PKCS#12 bundle

openssl pkcs12 -in certificate.pfx -noout -info

In case you need support with certificates, please contact BAGTAG.

Any questions about integration? Reach out to integration@bagtag.com
