Managing digital signature key pairs
You can use Key Management Service to create, update, and destroy digital signature key pairs.
Creating digital signature key pairs
To create a digital signature key pair:
- In the management console, select the folder to create your key pair in.
- In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- In the top-right corner, click Create key. In the window that opens:
  - Enter a name and an optional description.
  - In the Type field, select Signature.
  - In the Algorithm field, select the appropriate signature algorithm.
  - Enable deletion protection if required.
  - Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- See the description of the CLI command to create a digital signature key pair:
  yc kms asymmetric-signature-key create --help
- Get the ID of the folder to create the key pair in.
- Create your digital signature key pair:
  yc kms asymmetric-signature-key create \
    --name <key_pair_name> \
    --folder-id <folder_ID> \
    --signature-algorithm <signature_algorithm>
  Where:
  - --name: Name of the digital signature key pair.
  - --folder-id: ID of the folder where the key pair will be created.
  - --signature-algorithm: Digital signature algorithm. The following RSA (PSS padding) and ECDSA algorithms are available:
    - rsa-2048-sign-pss-sha-256
    - rsa-2048-sign-pss-sha-384
    - rsa-2048-sign-pss-sha-512
    - rsa-3072-sign-pss-sha-256
    - rsa-3072-sign-pss-sha-384
    - rsa-3072-sign-pss-sha-512
    - rsa-4096-sign-pss-sha-256
    - rsa-4096-sign-pss-sha-384
    - rsa-4096-sign-pss-sha-512
    - ecdsa-nist-p256-sha-256
    - ecdsa-nist-p384-sha-384
    - ecdsa-nist-p521-sha-512
    - ecdsa-secp256-k1-sha-256
  Result:
  id: abj9g2dil5sj********
  folder_id: b1gt6g8ht345********
  created_at: "2023-08-16T09:06:57Z"
  name: sample-signature-key
  status: ACTIVE
  signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
Updating digital signature key pairs
After creating a key pair, you can change its name, description, and labels, as well as enable or disable deletion protection.
To update a digital signature key pair:
- In the management console, select the folder with the appropriate key pair.
- In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- Go to the Signature tab.
- In the row with the appropriate key pair, open the actions menu and select Edit. In the window that opens:
  - Change the required key pair attributes.
  - Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- See the description of the CLI command to update a digital signature key pair:
  yc kms asymmetric-signature-key update --help
- Get the ID of the folder with the key pair.
- Get the ID of the required digital signature key pair by specifying the folder ID:
  yc kms asymmetric-signature-key list \
    --folder-id <folder_ID>
  Result:
  +----------------------+----------------------+---------------------------+---------------------+--------+
  | ID                   | NAME                 | SIGNATURE ALGORITHM       | CREATED AT          | STATUS |
  +----------------------+----------------------+---------------------------+---------------------+--------+
  | abj9g2dil5sj******** | sample-signature-key | RSA_2048_SIGN_PSS_SHA_512 | 2023-08-16 09:06:57 | ACTIVE |
  +----------------------+----------------------+---------------------------+---------------------+--------+
- Update the digital signature key pair:
  yc kms asymmetric-signature-key update \
    --id <key_pair_ID> \
    --new-name <new_key_pair_name> \
    --deletion-protection
  Where:
  - --id: ID of the digital signature key pair.
  - --new-name: New name for the key pair.
  - --deletion-protection: Flag to enable deletion protection. To disable deletion protection for the key pair, use the --no-deletion-protection flag.
  Result:
  id: abj9g2dil5sj********
  folder_id: b1gt6g8ht345********
  created_at: "2023-08-16T09:06:57Z"
  name: sample-new-key
  status: ACTIVE
  signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
  deletion_protection: true
The command renamed the digital signature key pair and enabled its deletion protection.
Deleting a digital signature key pair
Deletion is permanent: once the key pair is gone, the service can no longer sign with it, and signatures it produced can only be verified by parties that kept a copy of its public key. If a key pair has deletion protection enabled, disable it first (see Updating digital signature key pairs).
To delete a digital signature key pair:
- In the management console, select the folder with the appropriate key pair.
- In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- Go to the Signature tab.
- In the row with the appropriate key pair, open the actions menu and select Delete.
- Confirm the deletion.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- See the description of the CLI command to delete a digital signature key pair:
  yc kms asymmetric-signature-key delete --help
- Get the ID of the folder with the key pair.
- Get the ID of the required digital signature key pair by specifying the folder ID:
  yc kms asymmetric-signature-key list \
    --folder-id <folder_ID>
  Result:
  +----------------------+----------------------+---------------------------+---------------------+--------+
  | ID                   | NAME                 | SIGNATURE ALGORITHM       | CREATED AT          | STATUS |
  +----------------------+----------------------+---------------------------+---------------------+--------+
  | abj9g2dil5sj******** | sample-signature-key | RSA_2048_SIGN_PSS_SHA_512 | 2023-08-16 09:06:57 | ACTIVE |
  +----------------------+----------------------+---------------------------+---------------------+--------+
- Delete the digital signature key pair by specifying its ID:
  yc kms asymmetric-signature-key delete \
    --id <key_pair_ID>
  Result:
  done (1s)
  id: abj9g2dil5sj********
  folder_id: b1gt6g8ht345********
  created_at: "2023-08-16T09:06:57Z"
  name: sample-new-key
  signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
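The create, update and delete procedures above, tied together in a small POSIX sh wrapper. This is an added example, not Yandex Cloud's own tooling: it only uses the yc commands and flags shown on this page, validates the --signature-algorithm value against the page's list before calling the API, creates a key pair only if no key pair of that name exists in the folder, enables deletion protection right after creation, and refuses to delete a key pair while deletion protection is on. The `yc kms asymmetric-signature-key get --id` command and the YAML layout of its output (a top-level `deletion_protection:` line like the update result above) are assumptions; the sample list table at the bottom is constructed from the page's example so the parsing functions can be exercised without yc.

```shell
#!/bin/sh
# Added example (not Yandex Cloud's own tooling): a POSIX sh wrapper around the
# yc commands shown on this page. Assumes yc is installed and initialized.
# ASSUMPTION: `yc kms asymmetric-signature-key get --id` exists and prints the
# same YAML shape as the create/update results above.

# The --signature-algorithm identifiers listed on this page.
SUPPORTED_ALGS="rsa-2048-sign-pss-sha-256 rsa-2048-sign-pss-sha-384 rsa-2048-sign-pss-sha-512
rsa-3072-sign-pss-sha-256 rsa-3072-sign-pss-sha-384 rsa-3072-sign-pss-sha-512
rsa-4096-sign-pss-sha-256 rsa-4096-sign-pss-sha-384 rsa-4096-sign-pss-sha-512
ecdsa-nist-p256-sha-256 ecdsa-nist-p384-sha-384 ecdsa-nist-p521-sha-512
ecdsa-secp256-k1-sha-256"

# validate_alg ALG: succeed only if ALG is one of the identifiers above, so a
# typo (or an algorithm the service does not offer) fails locally.
validate_alg() {
    for a in $SUPPORTED_ALGS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# key_id_by_name NAME: read the table printed by
# `yc kms asymmetric-signature-key list` on stdin and print the ID of the row
# whose NAME column matches exactly. Fails when no row matches.
key_id_by_name() {
    awk -F'|' -v want="$1" '
        /^[|]/ {
            id = $2; name = $3
            gsub(/^[ \t]+|[ \t]+$/, "", id)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (id != "ID" && name == want) { print id; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# yaml_field KEY: print the value of the top-level "KEY: value" line from the
# YAML that create/update/get print, with surrounding double quotes removed.
yaml_field() {
    awk -v key="$1:" '$1 == key { v = $2; gsub(/^"|"$/, "", v); print v; exit }'
}

# ensure_signature_key NAME ALG FOLDER_ID: create the key pair only if no key
# pair with that name exists in the folder, then enable deletion protection
# with the update command from this page. Prints the key pair ID.
ensure_signature_key() {
    name=$1; alg=$2; folder=$3
    validate_alg "$alg" || { echo "unsupported signature algorithm: $alg" >&2; return 2; }
    listing=$(yc kms asymmetric-signature-key list --folder-id "$folder") || return 1
    if ! id=$(printf '%s\n' "$listing" | key_id_by_name "$name"); then
        id=$(yc kms asymmetric-signature-key create \
                --name "$name" \
                --folder-id "$folder" \
                --signature-algorithm "$alg" | yaml_field id) || return 1
        [ -n "$id" ] || return 1
    fi
    yc kms asymmetric-signature-key update --id "$id" --deletion-protection >/dev/null || return 1
    printf '%s\n' "$id"
}

# delete_signature_key ID: refuse to delete while deletion protection is on.
# The flag exists to catch exactly this, so it is never toggled off here;
# an operator has to do that deliberately with --no-deletion-protection.
delete_signature_key() {
    id=$1
    if [ "$(yc kms asymmetric-signature-key get --id "$id" | yaml_field deletion_protection)" = "true" ]; then
        echo "refusing to delete $id: deletion protection is enabled" >&2
        return 3
    fi
    yc kms asymmetric-signature-key delete --id "$id"
}

# Constructed copy of the list output shown on this page (placeholder ID), used
# to exercise key_id_by_name offline; no yc call is made here.
SAMPLE_LIST='+----------------------+----------------------+---------------------------+---------------------+--------+
| ID                   | NAME                 | SIGNATURE ALGORITHM       | CREATED AT          | STATUS |
+----------------------+----------------------+---------------------------+---------------------+--------+
| abj9g2dil5sjexample0 | sample-signature-key | RSA_2048_SIGN_PSS_SHA_512 | 2023-08-16 09:06:57 | ACTIVE |
+----------------------+----------------------+---------------------------+---------------------+--------+'
printf '%s\n' "$SAMPLE_LIST" | key_id_by_name sample-signature-key
```

Typical use is `ensure_signature_key release-signing ecdsa-nist-p256-sha-256 <folder_ID>` from a provisioning script: re-running it is safe because it finds the existing key pair by name instead of creating a second one, and the key pair comes out of the first run already protected. The list output is parsed by exact name match, so two key pairs that differ only in case or whitespace are treated as different keys, which is what you want when the name is the handle a pipeline will later look up.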