This command generates the public key from the private key, stripping ASN.1
header information from the raw public key.
Python
importbase64fromcryptography.hazmat.primitivesimportserializationfromcryptography.hazmat.primitives.asymmetricimported25519defgenerate_ed25519_keypair(private_key_filename:str="private.key",public_key_filename:str="public.pub")-> None:"""Generate Ed25519 Keys Pairs. Args: private_key_filename(default private.key): private key filename as a string. public_key_filename(default public.pub): public key filename as a string Returns: """private_key=ed25519.Ed25519PrivateKey.generate()public_key=private_key.public_key()private_key_str=private_key.private_bytes(encoding=serialization.Encoding.Raw,format=serialization.PrivateFormat.Raw,encryption_algorithm=serialization.NoEncryption(),)print("Private Key:\t",base64.urlsafe_b64encode(private_key_str))public_key_str=public_key.public_bytes(encoding=serialization.Encoding.Raw,format=serialization.PublicFormat.Raw)print("Public Key:\t",base64.urlsafe_b64encode(public_key_str))withopen(private_key_filename,"wb")asfp:fp.write(base64.urlsafe_b64encode(private_key_str))print(f"Private Key is written to:\t{private_key_filename}")withopen(public_key_filename,"wb")asfp:fp.write(base64.urlsafe_b64encode(public_key_str))print(f"Public Key is written to:\t{public_key_filename}")
With the key in this format, you can now add it to a keyset.
When the keyset is associated with a route as a cdnPolicy.signedRequestKeyset,
Media CDN validates that the requests were signed before
serving any content.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Create asymmetric key pairs\n\nThis guide demonstrates how to create asymmetric key pairs for\nMedia CDN.\n\nGenerate keys\n-------------\n\n### Command line\n\nYou can generate both a private and public key by using Python 3 and OpenSSL\n1.1.1 or later (earlier versions of OpenSSL don't support Ed25519).\n\n1. Generate the private key.\n\n ```\n openssl genpkey -algorithm ed25519 -outform PEM -out test.private.key\n ```\n\n This outputs a PEM-encoded private key. Keep this key secure, ideally by\n using a key management system or [Secret Manager](/secret-manager).\n2. Generate the public key from the private key in URL-safe base64 format.\n\n ```\n openssl pkey -outform DER -pubout -in test.private.key | tail -c +13 | python3 -c \"import base64, sys; print(('%s' % base64.urlsafe_b64encode(sys.stdin.buffer.read()))[2:-1])\"\n ```\n\n This command generates the public key from the private key, stripping ASN.1\n header information from the raw public key.\n\n### Python\n\n import base64\n\n from cryptography.hazmat.primitives import serialization\n from cryptography.hazmat.primitives.asymmetric import ed25519\n\n\n def generate_ed25519_keypair(\n private_key_filename: str = \"private.key\", public_key_filename: str = \"public.pub\"\n ) -\u003e None:\n \"\"\"Generate Ed25519 Keys Pairs.\n\n Args:\n private_key_filename(default private.key): private key filename as a string.\n public_key_filename(default public.pub): public key filename as a string\n\n Returns:\n\n \"\"\"\n private_key = ed25519.Ed25519PrivateKey.generate()\n public_key = private_key.public_key()\n\n private_key_str = private_key.private_bytes(\n encoding=serialization.Encoding.Raw,\n format=serialization.PrivateFormat.Raw,\n encryption_algorithm=serialization.NoEncryption(),\n )\n print(\"Private Key:\\t\", base64.urlsafe_b64encode(private_key_str))\n\n public_key_str = public_key.public_bytes(\n encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw\n )\n print(\"Public Key:\\t\", base64.urlsafe_b64encode(public_key_str))\n\n with open(private_key_filename, \"wb\") as fp:\n fp.write(base64.urlsafe_b64encode(private_key_str))\n print(f\"Private Key is written to:\\t{private_key_filename}\")\n\n with open(public_key_filename, \"wb\") as fp:\n fp.write(base64.urlsafe_b64encode(public_key_str))\n print(f\"Public Key is written to:\\t{public_key_filename}\")\n\nWith the key in this format, you can now [add it to a keyset](/media-cdn/docs/create-keyset).\nWhen the keyset is associated with a route as a `cdnPolicy.signedRequestKeyset`,\nMedia CDN validates that the requests were signed before\nserving any content."]]
