
Create a public/private key pair

Private and Partner applications must sign messages using the OAuth RSA-SHA1 method.

This requires that you create a public/private key pair, and upload the public certificate during application registration. We refer to this certificate as an application certificate.

To get started with creating a public/private key pair, we recommend the use of OpenSSL.

Windows users

Download OpenSSL for Windows

To run the commands below, go to the OpenSSL32 directory on your PC, and change to the /bin directory.

  • You may need to open the command prompt with admin privileges (Run as administrator)
  • If OpenSSL has just been installed, you might need to restart your computer before it can generate certs

Mac users

OpenSSL comes shipped with Mac OS X version 10.6.2 onwards. To run OpenSSL, open Terminal (search for 'terminal' using the search bar in the top right of your screen on your desktop), then run the commands below in the terminal window.

  • You may need to run each OpenSSL command line with elevated privileges: add sudo before each command line

Using OpenSSL

The basic command-line steps to generate a private and public key using OpenSSL are as follows:

openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer

  • Step 1: generates a private key.
  • Step 2: creates an X509 certificate (.cer file) containing your public key, which you upload when registering your private application (or upgrading to a partner application).
  • Step 3: exports your X509 certificate and private key to a .pfx file. If your chosen wrapper library uses the .pem file to sign requests then this step is not required.

Please make a note of the expiry date of your certificate as you will need to upload a replacement in the Xero Developer Center before the expiry date to ensure uninterrupted service.
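
Before uploading, you can confirm that publickey.cer was really made from privatekey.pem and read off its expiry date. The shell functions below are an added example, not part of the original page or Xero's own tooling; the function names and the 30-day warning window are assumptions, and the file names are those used in the commands above.

```shell
#!/bin/sh
# Added example: sanity checks for the files created in steps 1 and 2.
# Function names are hypothetical; file names are the ones used on this page.

# Print the certificate's expiry date (the notAfter field).
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeed only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed only if the certificate contains the public half of the private key.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Run all checks; $3 is the warning window in days (default 30, an assumption).
# Returns 1 on a key mismatch, 2 when the certificate expires inside the window.
check_app_cert() {
    cert=$1 key=$2 days=${3:-30}
    cert_matches_key "$cert" "$key" || { echo "MISMATCH: $cert was not made from $key"; return 1; }
    cert_valid_for_days "$cert" "$days" || { echo "RENEW: $cert expires $(cert_expiry "$cert")"; return 2; }
    echo "OK: $cert matches $key, expires $(cert_expiry "$cert")"
}

# When run in the directory that holds the files from the steps above.
if [ -f publickey.cer ] && [ -f privatekey.pem ]; then
    check_app_cert publickey.cer privatekey.pem 30
fi
```

Run it from the directory holding the two files; it exits non-zero on a mismatch or an approaching expiry, so it can also be run from a scheduled job.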
