How to generate Key Pair & decrypt RESTful API Credentials

Generate a Key Pair

There are various methods for generating public/private keys. For the purposes of this example, we used OpenSSL.
Note: You are required to use OpenSSL version 1.1.1.

  1. To generate the private key, run the following command:

    openssl genrsa -des3 -out /PATH/TO/privatekey.pem 2048

  2. To generate the public key using the private key, run the following command:

    openssl rsa -in /PATH/TO/privatekey.pem -outform PEM -pubout -out /PATH/TO/publickey.pem

    The -des3 option in step 1 writes the private key to an encrypted file protected by a user-supplied passcode, which is recommended for most purposes. Depending on how you connect to the API (e.g. curl and related libraries, Postman, etc.), you may need the private key in unencrypted form.

    Note: If you need the key in unencrypted form, you can omit -des3 from the genrsa command in step 1.

    You must protect this private key, because anyone who obtains it could decrypt your credentials and access your mTLS Certificate.

    You will need to supply the contents of the publickey.pem file to GlobalSign during the account enrollment process for obtaining your Atlas account credentials. It has the format of:

-----END PUBLIC KEY----- 

Note: Since you will receive an mTLS Certificate with this public key to authenticate to the API Server, remember to generate the key using tools and a system that your client API application can use.

Decrypt the RESTful API Credentials

GlobalSign will return your Atlas account credentials in an encrypted file, which you must decrypt in order to receive the API Key and Secret. If you use OpenSSL, you are required to use OpenSSL version 1.1.1. Follow these steps:

  1. GlobalSign will email a file named something like:

  2. Save the file on your computer.
  3. Run the following command. The private key is the privatekey.pem file generated in the key generation process discussed above. If you protected your private key with a passcode, you will be prompted for it during this step.

    openssl pkeyutl -inkey </PATH/TO/PRIVATE_KEY.PEM> -in </PATH/TO/ENCRYPTEDFILE.ENC> -out </PATH/TO/FILETOCREATE.txt> -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

    The FILETOCREATE.txt file will contain your Key and Secret. The format of this 2-line file is:

    key: key_value

    secret: secret_value

    The API key also forms part of the encrypted file. For example:


On a Mac, OpenSSL is already installed, but it is the wrong version, and any user who tries to decrypt their API credentials with it will not be able to do so. Users with the wrong version get the following error message:

"unsupported padding mode"

For decryption to work, users should see the following version:
MBP~/keys(:|_) % openssl version
OpenSSL 1.1.1K 25 Mar 2021
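
A self-test for the "unsupported padding mode" failure described above, as an added example that is not GlobalSign's own code: it round-trips a constructed credentials file through a throwaway key using the same pkeyutl options, and wraps the decrypt command so the plaintext file is created owner-only. The function names, file names and EXAMPLE_ values are assumptions made for illustration, as is the sender using matching OAEP/SHA-256 options when encrypting.

```shell
#!/bin/sh
# Added example. File names and EXAMPLE_ values are constructed, not real credentials.

# decrypt_credentials KEY ENC OUT: the decrypt command from step 3, run under
# umask 077 so the plaintext key/secret file is readable by its owner only.
decrypt_credentials() {
    (
        umask 077
        openssl pkeyutl -inkey "$1" -in "$2" -out "$3" -decrypt \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    )
}

# oaep_selftest DIR: encrypt a constructed 2-line credentials file to a
# throwaway key (no -des3, so nothing prompts for a passcode), decrypt it with
# decrypt_credentials, and compare. Assumption: the sender encrypts with the
# matching OAEP/SHA-256 options. Returns 0 only if this openssl supports them.
oaep_selftest() {
    d=$1
    printf 'key: EXAMPLE_KEY\nsecret: EXAMPLE_SECRET\n' > "$d/plain.txt"
    openssl genrsa -out "$d/test.pem" 2048 2>/dev/null &&
    openssl rsa -in "$d/test.pem" -outform PEM -pubout -out "$d/test.pub" 2>/dev/null &&
    openssl pkeyutl -encrypt -pubin -inkey "$d/test.pub" -in "$d/plain.txt" \
        -out "$d/test.enc" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 &&
    decrypt_credentials "$d/test.pem" "$d/test.enc" "$d/out.txt" &&
    cmp -s "$d/plain.txt" "$d/out.txt"
}

# field NAME FILE: print the value from a "NAME: value" line of the decrypted file.
field() {
    sed -n "s/^$1: *//p" "$2"
}

# Run the self-test in a scratch directory that is removed on exit.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
if oaep_selftest "$tmp"; then
    echo "OAEP/SHA-256 decrypt works with: $(openssl version)"
else
    echo "this openssl cannot decrypt the credentials file: $(openssl version)" >&2
fi
```

If the self-test fails, the problem is the local OpenSSL build rather than the file received from GlobalSign or the private key.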
