Key management
AMP2 requires RSA and ECDSA P-256 key pairs for issuer encryption and request signing. The page explains key generation, format requirements, validation, and rotation.
AMP2 requires two asymmetric key pairs for every issuer: an RSA key pair for encryption and an ECDSA P-256 key pair for request signing. This page covers generation, format requirements, validation, and rotation.
What you need
| Key | Algorithm | Format for AMP2 | Purpose |
|---|---|---|---|
| RSA public key | RSA-2048 | PEM string | AMP2 encrypts responses with this key |
| RSA private key | RSA-2048 | PEM file | Client decrypts responses (never sent to AMP2) |
| ECDSA public key | P-256 (prime256v1) | Compressed hex (66 chars) | AMP2 verifies request signatures |
| ECDSA private key | P-256 (prime256v1) | PEM file | Client signs requests (never sent to AMP2) |
Only the public keys are sent to AMP2 during account creation and key rotation.
Generate RSA key pair
# Generate private key
openssl genrsa -out rsa_private_key.pem 2048
# Extract public key
openssl rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pemValidate the keys:
openssl rsa -in rsa_private_key.pem -check -noout
# Expected: RSA key ok
openssl rsa -pubin -in rsa_public_key.pem -text -noout
# Expected: shows key size and modulusGenerate ECDSA key pair
# Generate private key
openssl ecparam -name prime256v1 -genkey -noout -out ecdsa_private_key.pem
# Extract public key (PEM)
openssl ec -in ecdsa_private_key.pem -pubout -out ecdsa_public_key.pemValidate:
openssl ec -in ecdsa_private_key.pem -check -noout
# Expected: EC Key valid.
openssl ec -pubin -in ecdsa_public_key.pem -text -noout
# Expected: shows P-256 curve and public key pointExport ECDSA public key as compressed hex
AMP2 expects the ECDSA public key in compressed hex format, not PEM. Export it in two steps:
# 1. Create DER with compressed point encoding
openssl ec -in ecdsa_private_key.pem -pubout -conv_form compressed -outform DER -out ecdsa_public_key_compressed.der
# 2. Convert DER to hex string
xxd -p ecdsa_public_key_compressed.der | tr -d '\n' > ecdsa_public_key_compressed.hexVerify the output:
cat ecdsa_public_key_compressed.hex
# Expected: starts with 02 or 03, total length is 66 hex charactersThe 02 or 03 prefix indicates the point compression. The 66 character length represents the SEC1 compressed encoding of a P-256 public key (1 byte prefix + 32 bytes x-coordinate).
File permissions
Set strict permissions on private key files:
chmod 600 rsa_private_key.pem ecdsa_private_key.pemPublic keys can be more permissive:
chmod 644 rsa_public_key.pem ecdsa_public_key.pemWhat goes to AMP2 vs. what stays secret
| Artifact | Sent to AMP2 | Where it lives |
|---|---|---|
rsa_public_key.pem | Yes (at account creation and key rotation) | AMP2 database (user table) |
rsa_private_key.pem | Never | Issuer's secure environment (secret manager, HSM, encrypted vault) |
ecdsa_public_key_compressed.hex | Yes (at account creation and key rotation) | AMP2 database (user table) |
ecdsa_private_key.pem | Never | Issuer's secure environment |
Key rotation
AMP2 supports in place key rotation without recreating the account:
- Generate new key pairs (RSA and ECDSA) using the commands above.
- Update your SDK/runtime configuration with the new private keys.
- Call the change-keys resource via the SDK to register the new public keys with AMP2.
After the rotation call succeeds, AMP2 immediately starts using the new public keys. The old keys are invalidated.
Caution: Coordinate the rotation carefully. The change-keys call must be signed with the current private keys. After it succeeds, all subsequent requests must use the new private keys. Ensure your deployment switches keys atomically to avoid a window where requests fail.
Operational checklist
- Keys generated in a secure, ephemeral environment (not on developer laptops)
- Private keys stored in a secret manager or encrypted vault
- Public keys exported in the correct format (PEM for RSA, compressed hex for ECDSA)
- File permissions set (
600for private,644for public) - Tested on testnet before using on mainnet
- Rotation process documented and rehearsed
- Key material never committed to source control
Related pages
- Authentication: using keys in the SDK flow
- Architecture: COSE encryption flow and system overview
- Environments: separate keys for testnet and mainnet
Restrictions
Restrictions define per-asset transfer policies for asset destinations and burn permissions. AMP2 uses restrictions as the primary compliance control for issuer-managed transfers.
Issuer guide overview
The guide provides the implementation track for issuer teams that integrate the private AMP2 SDK. The page covers account activation through ongoing asset monitoring.