# Generate RSA client application key pair and certificate

RSA is an encryption algorithm that uses a pair of keys to encrypt and decrypt data, ensuring secure data transmission.

A private key and a public key are created with RSA:

- The public key is accessible to anyone.
- The private key is only known to the owner of the key pair.

Either the public or private key can encrypt the data, and the other key decrypts it. Follow these steps to generate an RSA client application key pair and certificate.

1. To generate the root client application key pair and certificate, run the following commands:

    The key size used is 2048. However, a key size of 4096 is also supported.

    ```sh
    openssl genrsa -out qpsa_rootca.key 2048

    openssl req -new -sha256 -key qpsa_rootca.key -x509 -out rootca_pem.crt -subj /C=US/ST=California/L="San Diego"/OU="General Use Test Key (for testing 13 only)"/OU="CDMA Technologies"/O=QUALCOMM/CN="QCT Root CA 1" -days 7300 -set_serial 1 -config opensslroot.cfg -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sigopt digest:sha256

    openssl x509 -in rootca_pem.crt -inform PEM -out qpsa_rootca.cer -outform DER

    openssl x509 -text -inform DER -in qpsa_rootca.cer
    ```

2. To generate the attestation client application key pair and certificate, run the following commands using RSA with a key size of 2048:

    ```sh
    openssl genrsa -out qpsa_attestca.key 2048

    openssl req -new -key qpsa_attestca.key -out attestca.csr -subj /C=US/ST=CA/L="San Diego"/OU="CDMA Technologies"/O=QUALCOMM/CN="QUALCOMM Attestation CA" -days 7300 -config opensslroot.cfg

    openssl x509 -req -in attestca.csr -CA rootca_pem.crt -CAkey qpsa_rootca.key -out attestca_pem.crt -set_serial 5 -days 7300 -extfile v3.ext -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sigopt digest:sha256

    openssl x509 -inform PEM -in attestca_pem.crt -outform DER -out qpsa_attestca.cer
    ```
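
Before using the generated files, it is worth confirming that the attestation CA certificate chains to the root, that both certificates carry RSASSA-PSS signatures, that each private key matches its certificate, and that the DER files encode the same certificates as the PEM files. The script below is an added example, not part of the original procedure; the function names are hypothetical, and it uses the file names from steps 1 and 2.

```sh
#!/bin/sh
# Added example: sanity checks for the files produced in steps 1 and 2.
# Function names are hypothetical; only standard openssl subcommands are used.

# Succeeds if the certificate's signature algorithm is RSASSA-PSS.
is_pss() {
    openssl x509 -in "$1" -noout -text | grep -q 'Signature Algorithm: rsassaPss'
}

# Succeeds if private key $1 corresponds to the public key in certificate $2.
key_matches() {
    pub=$(openssl x509 -in "$2" -noout -pubkey) && [ -n "$pub" ] &&
        [ "$(openssl pkey -in "$1" -pubout)" = "$pub" ]
}

# Succeeds if DER file $2 encodes the same certificate as PEM file $1.
der_matches() {
    fp=$(openssl x509 -inform PEM -in "$1" -noout -fingerprint -sha256) &&
        [ "$(openssl x509 -inform DER -in "$2" -noout -fingerprint -sha256)" = "$fp" ]
}

# check_outputs ROOT_PEM ATTEST_PEM ROOT_KEY ATTEST_KEY ROOT_DER ATTEST_DER
check_outputs() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: $2 does not chain to $1"; return 1; }
    { is_pss "$1" && is_pss "$2"; } ||
        { echo "FAIL: signature is not RSASSA-PSS"; return 1; }
    { key_matches "$3" "$1" && key_matches "$4" "$2"; } ||
        { echo "FAIL: private key does not match certificate"; return 1; }
    { der_matches "$1" "$5" && der_matches "$2" "$6"; } ||
        { echo "FAIL: DER file differs from PEM certificate"; return 1; }
    echo "OK"
}

# Run against the page's file names when they are in the current directory.
if [ -f rootca_pem.crt ] && [ -f attestca_pem.crt ]; then
    check_outputs rootca_pem.crt attestca_pem.crt qpsa_rootca.key \
        qpsa_attestca.key qpsa_rootca.cer qpsa_attestca.cer
fi
```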

## Next steps

- To enhance security, ensure data integrity, and support secure digital signatures, see [Generate SHA-384 hash for RSA and ECDSA](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-sha-384-hash-for-rsa-and-ecdsa.html#generate-sha-384-hash-for-rsa-and-ecdsa).
- To verify that the software hasn’t been tampered with and is from a trusted source, see [Generate signed sec.elf image](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-signed-sec-elf-image.html#generate-signed-sec-elf-image).

Last Published: Apr 10, 2025
