Create Your Own Xero API Private Public Key Pair


Xero has now deprecated OAuth1a and the use of these keys in favour of the more secure OAuth2 protocol which uses slightly different keys.

Optional Xero Security Keys

Xeroom uses the standard Xero method to encrypt/decrypt communications to its API.  This involves using a private/public key pair to generate a separate specific API key and secret pair to use with your account.  Xeroom ships with a private/public key pair that is valid until March 2022.  These are generic and can be used to generate or seed your own specific Xero application API keys.

If you prefer to have more security then you can optionally create your own pair as described below or there are other security apps that will generate these keys too. There are many key generators available but we work with Xero’s specified one which is from Shining Light which offers the ability to create a X509 certificate which is time limited.  For further information please visit these links: for a tutorial  and for documents on using openssl.


Generating a Private/Public Key Pair 

Xero’s API uses 2-step OAuth for validating all private and partner application connections. To set up the connection between your WooCommerce shopping cart and your Xero account, there are two steps: a) Generate a Self-signed Certificate (X509) for use with this module; and b) define your WooCommerce site as a Private Application and allow it to connect to your Xero account.

Watch the video and/or follow the instructions below:

(These instructions are taken from the Xero Developer Blog).


Using OpenSSL

Windows users

You can download OpenSSL for Windows at Shining Light Productions OpenSSL. Use the light version and select either 32 bit or 64 bit depending on your windows version.  Most versions are now 64 bit including version 10.  Windows 7 can be either and both can run.  Save the download and the run it to install and set the directory to be OpenSSL to make it easier to run the commands afterwards.


  • You may need to open the command prompt with elevated status (Run as administrator)
  • If the OpenSSL just recently installed, you might need to restart the computer

Mac users

OpenSSL comes shipped with Mac OS X lucky you guys!  More information at: Mac Developer Library OpenSSL.

Linux users

Open SSL comes shipped with most distributions of Linux.


How to create the key pair

Use a command line prompt (in windows do start and enter CMD in the box that says search) and the following commands EXACTLY with no extra spaces to generate a private and public key pair.  To run the commands below, go to the OpenSSL directory on your PC, and then change to the /bin directory. These are two files one named privatekey.pem the other publickey.cer.

1.  Privatekey.pem – The following command will generate a private key file named “privatekey.pem” in the current directory.  This contains both a public key and private key. As the file’s name suggests, the private key is coded using the Privacy Enhanced Email, or PEM, standard.

openssl genrsa -out privatekey.pem 1024

2.  Publickey.cer –  This command uses the previously created private key file (in PEM format) to create a self-signed x509 public certificate that can be used by the Xero application manager in the next step to generate the API credentials.  To find out more please visit the openssl site.  You will be asked to provide 7 pieces of information about your company that will be included in the certificate file: Country Name (2 letter code), State or Province Name (Full name), Locality (eg city), Organization Name (eg, company), Organizational Unit Name (eg, section), Common Name (eg, Your name), Email Address.  Days is set to 1825 (5 years) so this step doesn’t have to be replaced every year.  Apart from the days which will govern the validity of your certificate the rest is not crucial and can be any values as they are used as a seed to generate the certificate.

openssl req -newkey rsa:1024 -x509 -key privatekey.pem -out publickey.cer -days 1825

3.  Verification – To verify the files were created correctly, verify the first line of each file:

The private key will begin with the following line: —–BEGIN RSA PRIVATE KEY—–

The public certificate will begin with the following line: —–BEGIN CERTIFICATE—–

4. Export Certificate – This step is not required for Xeroom but put here for completeness – Finally export your x509 certificate and private key to a pfx file. If your chosen wrapper library uses the .pem file to sign requests then this step is not required.

openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer

Windows 10 Users

You will need to run cmd as Windows Powershell Admin user to give you the user access rights to run this command.  Right click the Windows start button to find this.  Then change to the bin directory and run the first command, then for the second one do it in 2 stages first run the openssl program by typing .openssl and you will get the openssl command prompt.  Then run the rest of this command:

req -newkey rsa:1024 -x509 -key privatekey.pem -out publickey.cer -days 1825

Note that these commands can be cut and pasted in Windows 10 but not earlier versions that require you to type them although once typed you can use the up/down arrow keys to access the buffer to rerun commands.

Note: If you are using Java libraries which require extracting the private key in PKCS8 format, please refer here.

Please make a note of the expiry date of your certificate as you will need to upload a replacement .cer file in the Xero Developer Center and generate new Xero API credentials before the expiry date otherwise the communications will stop.