    DomainKeys Public/Private Key-pair Generation

    Last Updated: July 9, 2005

    Command Line Tools Available
    Perhaps the easiest way to generate a DomainKeys public/private key-pair is to use the command line tools available from CPAN. The tool can create a key-pair and format the public key for publication in DNS. The rest of this page shows what that tool does, step by step, with openssl.

    Generating a private-key for the MTA

    For ease of explanation, the openssl command is used throughout this document to describe the mechanism by which keys are managed.

    One way to generate a 768-bit private key, the size used in the examples on this page, is to use openssl like this. Be aware that 768 bits was the low end even in 2005 and is not acceptable today: RSA-768 was publicly factored in 2009, and RFC 8301 requires DKIM (the successor to DomainKeys) signers to use at least 1024 bits, recommends 2048, and forbids verifiers from accepting anything shorter. Substitute 2048 for 768 in any real deployment.

    $ openssl genrsa -out rsa.private 768

    Which results in the file rsa.private containing the key in PEM (PKCS#1) format, similar to this (the base64 body is omitted here):

    -----BEGIN RSA PRIVATE KEY-----
    (base64-encoded key data)
    -----END RSA PRIVATE KEY-----

    This private key is installed in your DomainKeys-enabled MTA; your MTA or plugin should provide instructions on how to do so. It is the only secret in the scheme: restrict the file's permissions to the account the MTA signs under, and never publish it in DNS. Only the public key derived below goes into the zone.

    Generating the public-key for the DNS selector record

    To extract the public-key component from the private key, use openssl like this:

    $ openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

    Which results in the file rsa.public containing the key information similar to this (this is the same key that appears in the selector record below):

    -----BEGIN PUBLIC KEY-----
    MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
    MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
    XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
    -----END PUBLIC KEY-----

    The base64 body of this public key, with the BEGIN/END lines and the line breaks removed, is placed in the selector's DNS TXT record as the value of p. The record is published at selector._domainkey.domain (for example, mail2005._domainkey.example.com; the selector name is your choice and is what the MTA puts in the DomainKey-Signature header). k=rsa names the key type, and t=y marks the selector as being in testing mode, which tells verifiers not to penalise mail that fails to verify; remove t=y once you have confirmed that signed mail verifies. Thus, a selector's record may look like:

    k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7EXzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB;

    Two checks before you rely on the record: first, DNS limits each character-string inside a TXT record to 255 octets. The 768-bit key above is 168 base64 characters and fits in one string, but a 2048-bit key is 392 characters and must be published as two or more quoted strings, which the verifier concatenates. Second, confirm that what you published matches what the MTA signs with, for example by comparing the output of openssl rsa -in rsa.private -pubout against rsa.public and against what dig TXT returns for the selector name.
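The whole procedure on this page, from key generation to a publishable TXT record, as an added example in POSIX shell. This script is not from the original page or from the CPAN tools it mentions; the selector name mail2005, the domain example.com, and the function names are assumptions. It generates a 2048-bit key when openssl is available (the page used 768, which is too small today), strips the PEM armour to produce the p= value, splits the record into 255-octet quoted strings where needed, and checks that the published key matches the private key. The sample public key embedded at the top is the page's own 768-bit key, re-wrapped as PEM so the formatting steps can run even where openssl is not installed.

```shell
#!/bin/sh
# Added example, not the DomainKeys page's own code. Generates a DomainKeys
# key-pair with openssl and builds the selector TXT record from the public key.
set -eu
LC_ALL=C; export LC_ALL

# The page's own 768-bit public key (from its selector record), re-wrapped as PEM.
SAMPLE_PUB='-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----'

# pem_to_p PEM_TEXT: drop the BEGIN/END lines and join the base64 body into the
# single unbroken string that follows "p=" in the DNS record.
pem_to_p() {
    printf '%s\n' "$1" | grep -v -- '-----' | tr -d '\n\r '
}

# txt_record P_VALUE [TESTING_FLAG]: build the TXT RDATA. Each character-string
# inside a TXT record is limited to 255 octets, so the value is split into
# 255-byte quoted chunks that the verifier concatenates. A 768-bit key (168
# base64 chars) fits in one chunk; a 2048-bit key (392 chars) needs two.
txt_record() {
    p="$1"
    testing="${2:-y}"
    data="k=rsa; t=${testing}; p=${p};"
    printf '%s\n' "$data" | fold -w 255 |
        awk '{ printf "%s\"%s\"", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# gen_keypair BITS PRIVFILE PUBFILE: the page's two openssl commands, followed by
# a check that the public key really was derived from the private one.
gen_keypair() {
    openssl genrsa -out "$2" "$1" 2>/dev/null
    openssl rsa -in "$2" -out "$3" -pubout -outform PEM 2>/dev/null
    openssl rsa -in "$2" -pubout -outform PEM 2>/dev/null | cmp -s - "$3"
}

main() {
    SELECTOR="${SELECTOR:-mail2005}"   # assumption: choose your own selector name
    DOMAIN="${DOMAIN:-example.com}"    # assumption: your signing domain
    if command -v openssl >/dev/null 2>&1; then
        tmp=$(mktemp -d)
        gen_keypair 2048 "$tmp/rsa.private" "$tmp/rsa.public"
        p=$(pem_to_p "$(cat "$tmp/rsa.public")")
        rm -rf "$tmp"                  # the private key would stay on the MTA
    else
        echo "openssl not found; using the page's sample 768-bit key" >&2
        p=$(pem_to_p "$SAMPLE_PUB")
    fi
    # Zone-file line; t=y keeps the selector in testing mode until verified.
    printf '%s._domainkey.%s. IN TXT %s\n' "$SELECTOR" "$DOMAIN" "$(txt_record "$p" y)"
}

main
```

After adding the printed line to the zone, compare what the resolver returns (dig +short TXT mail2005._domainkey.example.com) with the output of pem_to_p on rsa.public; a mismatch there, or a key shorter than 1024 bits, is the usual reason a freshly configured signer fails verification.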

