“Key pair generation” refers to the secure creation of a matched private and public key for asymmetric cryptography (e.g., RSA, ECC, Curve25519). The objective is a private key that is unique and unpredictable, together with the corresponding public key used for signature verification, encryption, or authentication. This depends on cryptographically secure randomness and, where requirements demand it, on hardware-based protection of the private key.
Core elements of key pair generation include:
Algorithm and parameter selection: Choosing RSA, ECC (e.g., P-256, secp384r1) or Ed25519, including key sizes and curves.
Cryptographically secure RNG (CSPRNG): Using vetted entropy sources and DRBGs (e.g., FIPS/BSI compliant) with health checks.
Hardware-backed generation: Creating keys inside HSMs, TPMs, or Secure Enclave/TEE; private keys never leave hardware.
Key attributes & policies: Defining purpose (signing, encryption), export/usage policies, and expiry/rotation rules.
Key attestation: Proving keys were generated in trusted hardware (attestation/certificates).
Integrity and quality checks: Primality testing for RSA, curve validation for ECC, RNG self-tests.
Key labeling & metadata: Assigning key IDs, tags, and ownership/compliance data for lifecycle management.
CSR creation (Certificate Signing Request): Automatically generating a CSR from the new key pair for PKI certificates.
Secure storage & backup: Protected storage/backup (e.g., key wrapping, Shamir-based recovery) per corporate policies.
Logging & audit: End-to-end logging (who, what, when, where) for traceability and compliance.
API and KMS integration: Exposure via REST/PKCS#11/KMS interfaces for applications, CI/CD, and DevOps workflows.
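The algorithm selection, CSPRNG, quality-check, key-labeling and CSR steps above, carried through in Go (standard library only) as an added example; this is not code from the original page. It generates a P-256 key pair in software from crypto/rand, runs the post-generation checks (public point on the curve, pairwise sign/verify test), assigns a key ID, and issues a CSR that is parsed back and signature-checked before release. The key-ID convention (SHA-256 over the SubjectPublicKeyInfo), the subject fields and the hostname are constructed assumptions; HSM-backed generation is outside what the standard library can show. The curve check uses the ECDH conversion available from Go 1.20 onward.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
)

// KeyRecord bundles a freshly generated key with the metadata a KMS would attach.
// The key-ID convention (SHA-256 over the SubjectPublicKeyInfo DER) is an assumption.
type KeyRecord struct {
	Private *ecdsa.PrivateKey
	KeyID   string
	Purpose string
}

// GenerateP256 draws a P-256 key pair from the OS CSPRNG and runs the post-generation
// checks: the public point must lie on the curve and a pairwise sign/verify test must pass.
func GenerateP256(purpose string) (*KeyRecord, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Curve validation: conversion to an ECDH key rejects points that are not on P-256.
	if _, err := priv.PublicKey.ECDH(); err != nil {
		return nil, fmt.Errorf("curve validation failed: %w", err)
	}
	// Pairwise consistency test: a signature by the private key must verify under the public key.
	digest := sha256.Sum256([]byte("pairwise consistency test"))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	if !ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig) {
		return nil, errors.New("pairwise consistency test failed")
	}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(spki)
	return &KeyRecord{Private: priv, KeyID: hex.EncodeToString(sum[:8]), Purpose: purpose}, nil
}

// NewCSR builds a PEM-encoded certificate signing request for the key. The DER is parsed
// back and its self-signature checked before it is handed to the CA.
func NewCSR(rec *KeyRecord, commonName string, dnsNames []string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		// Constructed subject; a real deployment fills this from its naming policy.
		Subject:  pkix.Name{CommonName: commonName, Organization: []string{"Example Corp"}},
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, rec.Private)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CSRCommonName decodes a PEM CSR and returns the requested common name.
func CSRCommonName(pemCSR []byte) (string, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	return csr.Subject.CommonName, nil
}

func main() {
	rec, err := GenerateP256("tls-server-auth")
	if err != nil {
		log.Fatal(err)
	}
	csrPEM, err := NewCSR(rec, "www.example.com", []string{"www.example.com"})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("key %s (%s)\n%s", rec.KeyID, rec.Purpose, csrPEM)
}
```

The pairwise consistency test mirrors what FIPS 140 modules do after generation: a key whose signature does not verify is discarded rather than enrolled. Parsing the CSR back and calling CheckSignature catches a corrupted key or a template the library cannot sign before the request leaves the generating host.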
Typical use cases:
An enterprise PKI creates an ECC key pair in an HSM for a new TLS web server and issues a CSR from it.
A DevOps team generates SSH key pairs with passphrase-protected private keys and defined parameters for production access.
A mobile app has devices generate a key pair in the Secure Enclave at first launch; only the public key is registered with the backend.
During IoT provisioning, each device generates an Ed25519 key pair and proves origin via attestation.
A build pipeline creates a code-signing key pair exclusively inside an HSM; the private key is never exported.
A company rolls out S/MIME: users create local key pairs and use them to request personal certificates.
A wallet application derives deterministic key pairs from a secure seed for transactions.
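The deterministic derivation in the wallet scenario and the key wrapping from the storage-and-backup item above, as an added Go example (standard library only, not code from the original page). Deriving per-label Ed25519 child keys from a 32-byte master seed with HMAC-SHA256 is a constructed illustration of hierarchical derivation, not BIP32 or any wallet standard; AES-256-GCM with the key ID as associated data stands in for the wrapping an HSM or KMS would perform. The seed, KEK, labels and key IDs are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"log"
)

// DeriveEd25519 deterministically derives a labelled Ed25519 key pair from a 32-byte
// master seed. The child-seed step (HMAC-SHA256 keyed with the master seed over the
// label) is a constructed illustration of hierarchical derivation, not a wallet standard.
func DeriveEd25519(masterSeed []byte, label string) (ed25519.PublicKey, ed25519.PrivateKey, error) {
	if len(masterSeed) != 32 {
		return nil, nil, errors.New("master seed must be 32 bytes")
	}
	mac := hmac.New(sha256.New, masterSeed)
	mac.Write([]byte(label))
	childSeed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(childSeed)
	return priv.Public().(ed25519.PublicKey), priv, nil
}

// WrapKey protects key material for storage or backup with AES-256-GCM under a
// key-encryption key (KEK). The key ID is bound as associated data so a wrapped blob
// cannot be moved to another key record unnoticed. Output layout: nonce || ciphertext || tag.
func WrapKey(kek, material []byte, keyID string) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, material, []byte(keyID)), nil
}

// UnwrapKey reverses WrapKey; any change to the blob or a mismatched key ID fails authentication.
func UnwrapKey(kek, blob []byte, keyID string) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(keyID))
}

// newGCM builds the AEAD for a 32-byte KEK (AES-256).
func newGCM(kek []byte) (cipher.AEAD, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample values; in practice seed and KEK come from a CSPRNG or an HSM.
	masterSeed, kek := make([]byte, 32), make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, masterSeed); err != nil {
		log.Fatal(err)
	}
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		log.Fatal(err)
	}
	pub, priv, err := DeriveEd25519(masterSeed, "account/0")
	if err != nil {
		log.Fatal(err)
	}
	blob, err := WrapKey(kek, priv.Seed(), "wallet-account-0")
	if err != nil {
		log.Fatal(err)
	}
	seed, err := UnwrapKey(kek, blob, "wallet-account-0")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("public key %x\nwrapped %d bytes, unwrap restores seed: %t\n", pub, len(blob), string(seed) == string(priv.Seed()))
}
```

Only the 32-byte seed needs wrapping, since the Ed25519 private key is fully recoverable from it; the same holds for the master seed, which is the one secret a backup must actually protect. Binding the key ID as associated data means a blob restored under the wrong record fails to unwrap instead of silently yielding a different key.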