Unable To Generate Key Pair Please Use New Token

While Encrypting a File with a Password from the Command Line using OpenSSLis very useful in its own right, the real power of the OpenSSL library is itsability to support the use of public key cryptograph for encrypting orvalidating data in an unattended manner (where the password is not required toencrypt) is done with public keys.

Unable To Generate Key Pair Please Use New Tokens

The Commands to Run

You must return your key fob to IT prior to the expiration date and obtain a new device. You are responsible for the safe keeping of your key fob and must return the device to IT if you leave the employ of the University or no longer require the use of such a device. Jun 13, 2017 Use a third-party tool of your choice to generate a key pair and a CSR. Submit the CSR to your CA, and request an SSL server certificate. If your CA does not provide an option for an SSL server certificate, make sure that your certificate includes the key-usage extension with Key Encipherment selected. The key algorithm must be RSA Public Key. Successful public-key authentication requires: (1) generating a key pair, (2) uploading the public key to the Secure Shell server, and (3) configuring the client to use the public-key authentication method. SecureCRT and SecureFX provide utilities to generate keys and automatically place a copy of the public key on a VShell® server. Instead of using static keys and/or worrying about key distribution, the server generates a public/private key pair upon startup itself and just keeps it in memory. The keys will be reset and thereby all existing tokens invalidated when the server restarts, which is fine for the intended use case. The key pair is generated using pycrypto.

Generate a 2048 bit RSA Key

You can generate a public and private RSA key pair like this:

openssl genrsa -des3 -out private.pem 2048

That generates a 2048-bit RSA key pair, encrypts them with a password you provideand writes them to a file. You need to next extract the public key file. You willuse this, for instance, on your web server to encrypt content so that it canonly be read with the private key.

Export the RSA Public Key to a File

This is a command that is

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

The -pubout flag is really important. Be sure to include it.

Next open the public.pem and ensure that it starts with-----BEGIN PUBLIC KEY-----. This is how you know that this file is thepublic key of the pair and not a private key.

To check the file from the command line you can use the less command, like this:

less public.pem

Do Not Run This, it Exports the Private Key

A previous version of the post gave this example in error.

openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM

The error is that the -pubout was dropped from the end of the command.That changes the meaning of the command from that of exporting the public keyto exporting the private key outside of its encrypted wrapper. Inspecting theoutput file, in this case private_unencrypted.pem clearly shows that the keyis a RSA private key as it starts with -----BEGIN RSA PRIVATE KEY-----.

Visually Inspect Your Key Files

It is important to visually inspect you private and public key files to makesure that they are what you expect. OpenSSL will clearly explain the nature ofthe key block with a -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PUBLIC KEY-----.

You can use less to inspect each of your two files in turn:

  • less private.pem to verify that it starts with a -----BEGIN RSA PRIVATE KEY-----
  • less public.pem to verify that it starts with a -----BEGIN PUBLIC KEY-----

The next section shows a full example of what each key file should look like.

The Generated Key Files

The generated files are base64-encoded encryption keys in plain text format.If you select a password for your private key, its file will be encrypted withyour password. Be sure to remember this password or the key pair becomes useless.

The private.pem file looks something like this:

The public key, public.pem, file looks like:

Protecting Your Keys

Depending on the nature of the information you will protect, it’s important tokeep the private key backed up and secret. The public key can be distributedanywhere or embedded in your web application scripts, such as in your PHP,Ruby, or other scripts. Again, backup your keys!

Remember, if the key goes away the data encrypted to it is gone. Keeping aprinted copy of the key material in a sealed envelope in a bank safety depositbox is a good way to protect important keys against loss due to fire or harddrive failure.

Oh, and one last thing.

If you, dear reader, were planning any funny business with the private key that I have just published here. Know that they were made especially for this series of blog posts. I do not use them for anything else.

Found an issue?

Rietta plans, develops, and maintains applications.

Learn more about our services or drop us your email and we'll e-mail you back.

Other Blog Articles Published by Rietta.com



Although .NET Core supports strong-named assemblies, and all assemblies in the .NET Core library are signed, the majority of third-party assemblies do not need strong names. For more information, see Strong Name Signing on GitHub.

There are a number of ways to sign an assembly with a strong name:

  • By using the Signing tab in a project's Properties dialog box in Visual Studio. This is the easiest and most convenient way to sign an assembly with a strong name.

  • By using the Assembly Linker (Al.exe) to link a .NET Framework code module (a .netmodule file) with a key file.

  • By using assembly attributes to insert the strong name information into your code. You can use either the AssemblyKeyFileAttribute or the AssemblyKeyNameAttribute attribute, depending on where the key file to be used is located.

  • By using compiler options.

You must have a cryptographic key pair to sign an assembly with a strong name. For more information about creating a key pair, see How to: Create a public-private key pair.

Create and sign an assembly with a strong name by using Visual Studio

  1. In Solution Explorer, open the shortcut menu for the project, and then choose Properties.

  2. Choose the Signing tab.

  3. Select the Sign the assembly box.

  4. In the Choose a strong name key file box, choose Browse, and then navigate to the key file. To create a new key file, choose New and enter its name in the Create Strong Name Key dialog box.


In order to delay sign an assembly, choose a public key file.

Create and sign an assembly with a strong name by using the Assembly Linker


At the Developer Command Prompt for Visual Studio, enter the following command:

al/out:<assemblyName> <moduleName>/keyfile:<keyfileName>


  • assemblyName is the name of the strongly signed assembly (a .dll or .exe file) that Assembly Linker will emit.

  • moduleName is the name of a .NET Framework code module (a .netmodule file) that includes one or more types. You can create a .netmodule file by compiling your code with the /target:module switch in C# or Visual Basic.

  • keyfileName is the name of the container or file that contains the key pair. Assembly Linker interprets a relative path in relation to the current directory.

The following example signs the assembly MyAssembly.dll with a strong name by using the key file sgKey.snk.

For more information about this tool, see Assembly Linker.

Sign an assembly with a strong name by using attributes

  1. Add the System.Reflection.AssemblyKeyFileAttribute or AssemblyKeyNameAttribute attribute to your source code file, and specify the name of the file or container that contains the key pair to use when signing the assembly with a strong name.

  2. Compile the source code file normally.


    The C# and Visual Basic compilers issue compiler warnings (CS1699 and BC41008, respectively) when they encounter the AssemblyKeyFileAttribute or AssemblyKeyNameAttribute attribute in source code. You can ignore the warnings.

The following example uses the AssemblyKeyFileAttribute attribute with a key file called keyfile.snk, which is located in the directory where the assembly is compiled.

You can also delay sign an assembly when compiling your source file. For more information, see Delay-sign an assembly.

Sign an assembly with a strong name by using the compiler

Compile your source code file or files with the /keyfile or /delaysign compiler option in C# and Visual Basic, or the /KEYFILE or /DELAYSIGN linker option in C++. After the option name, add a colon and the name of the key file. When using command-line compilers, you can copy the key file to the directory that contains your source code files.

Unable To Generate Key Pair Please Use New Token Card

For information on delay signing, see Delay-sign an assembly.

Unable To Generate Key Pair Please Use New Token 2017

The following example uses the C# compiler and signs the assembly UtilityLibrary.dll with a strong name by using the key file sgKey.snk.

Unable To Generate Key Pair Please Use New Token Account

See also