Key Mx Generation by Issuer


This document explains how to generate any “M*” RSA key pair and to deliver its public part to the MeaWallet. Those are but not limited to:

  • M1 – Wrapping key for MeaWallet calls to the issuer.
  • M8 – Mutual Authentication certificate for issuer to use when calling MeaWallet APIs.
  • M9 – OAuth 1.0a key pair for signing messages sent to the MeaWallet.
  • M10 – OAuth Consumer Key

This document is more as a sample for how the RSA key pair can be generated. There are many tools available for generating a key pair and they are all good as long as MeaWallet can receive a public key in one of the following formats:

  • Public Key PKCS1
  • CSR
  • CRT*

* encodings PEM and DER are both good.

Wherever you see “mX” in this document, replace the “X” with the digit of the key you are generating. mX.issuer... => m1.issuer...

WARNING: Do not send the Private Key! Formats PFX, P12, JKS and others containing private keys will not be accepted!

WARNING: This document assumes you will use the OpenSSL tool for key pair generation. However, Hardware Security Module (HSM) is recommended (and in many cases required by compliance) to be used. Therefore, this document might not be applicable to all and it’s up to the customer to decide if to follow it or not.


  • Issuer’s Key Officers are responsible for executing this task.

Input and Output

Provided by MeaWallet:
  • Key-length: 2048 or 4096 bits
  • Padding: OAEP, SHA-512
Generated by Key Officers:
  • mX.issuer.private-key-enc-prd.key
  • mX.issuer.private-key-psw-prd.txt
  • m1.issuer.fingerprint-prd.txt [M1 only]
  • m10.issuer.consumer-key-prd.txt [M10 only]
  • m8.issuer.csr-prd.csr [M8 only]
  • mX.issuer.cert-prd.crt [OPTIONAL]


Step 1 – Generate Private Key

[For M1, M8, M9 key]

Run one of the following commands to generate an RSA key pair. Choose a command based on the key length you prefer to use. 

MeaWallet recommends to use 4096 bit, but it’s known to be slow and consume a lot of processing power when decryption takes place.

Generate RSA key pair 2048 bit:

openssl genrsa -des3 -out mX.issuer.private-key-enc-prd.key 2048

Or generate RSA key pair 4096 bit:

openssl genrsa -des3 -out mX.issuer.private-key-enc-prd.key 4096

It will ask to choose a password. Set a strong password and save it in mX.issuer.private-key-psw-prd.txt

Step 2 – Retrieve the Public Key

[For M1, M9 key]

openssl rsa -in mX.issuer.private-key-enc-prd.key -pubout >

Send the public key ( to MeaWallet key officers.

Step 3 – Generate Fingerprint (Consumer Key)

[For M1, M9, M10 key]

As there is no common algorithm for calculating the fingerprint from a public key and piping (‘|’) of commands is dangerous (can provide non-expected output if the first command fails). Instead use some random generator, like the following one to generate 16 or 32 bytes of HEX data:

Remove the spaces and newlines and save it in a file m1.issuer.fingerprint-prd.txt.

In case of M9 key name the file m10.issuer.consumer-key-prd.txt instead.



Send the fingerprint (m1.issuer.fingerprint-prd.txt) or consumer key (m10.issuer.consumer-key-prd.txt) to MeaWallet key officers.

Step 4 – Generate Certificate Signing Request

[For M8 key]

This command generates a Certificate Signing Request. Fill the yellow fields with values as per your need. MeaWallet has no requirements for the input fields, except that the certificate can’t contain sha1 signature, therefore include the -sha256 as a parameter. 

openssl req -new -sha256 -key mX.issuer.private-key-enc-prd.key -out m8.issuer.csr-prd.csr -subj "/C=LV/ST=Riga/L=Riga/O=Issuer Name/OU=APIName API PROD/CN=mx-api-prod"

It will ask to enter the password. Enter the one from mX.issuer.private-key-psw-prd.txt file.

Send the CRT (m8.issuer.csr-prd.csr) to MeaWallet key officers.

Step 5 – Generate Self-Signed Certificate


Optional step in case you need to use a signed certificate within your software.

openssl x509 -req -days 3650 -in mX.issuer.csr-prd.csr -signkey mX.issuer.private-key-enc-prd.key -sha256 -out mX.issuer.cert-prd.crt

Now you should find the mX.issuer.cert-prd.crt file.

Change log

v1.02020-12-16Karlis BalcersFirst version.

On this page