Copilot AI commented Jan 21, 2026

Purpose

This PR addresses the security best practice of using separate key pairs for different purposes (TLS vs. digital signatures). Previously, the same key pair (server.cert and server.key) was used for both TLS connections and JWT/token signing operations, which violates security best practices and increases risk if one key is compromised.

Changes:

  • TLS uses server.cert / server.key
  • Digital signatures use signing.cert / signing.key (new)

Certificate Generation Strategy:

  • Backend distribution and development mode: Generates both certificate pairs (for TLS and JWT signing)
  • Sample apps (all scenarios): Only generate server certificates (only need TLS for local development)
    • Build phase
    • Distribution phase
    • Run/development mode

Approach

Build Scripts (build.sh / build.ps1)

  • Refactored ensure_certificates() / Ensure-Certificates() functions to accept a cert_name_prefix parameter
  • The parameter defaults to "server" for backward compatibility
  • Uses generic messages showing the certificate type in parentheses (e.g., "Generating certificates (server)...")
  • Generates RSA 2048-bit self-signed certificates using OpenSSL (or .NET fallback on Windows)
  • Makes the method flexible and reusable for generating different certificate types

Certificate Generation Locations:

  • Backend distribution: Called twice - once for "server" certificates and once for "signing" certificates
  • Backend development mode: Generates both certificate types
  • Sample apps (all locations): Called once - only for "server" certificates (TLS only)
    • During build phase (build_sample_app)
    • During distribution phase (packaging sample distributions)
    • During run/development mode

Configuration (default.json)

  "crypto": {
    "keys": [
      {
        "id": "default-key",
-       "cert_file": "repository/resources/security/server.cert",
-       "key_file": "repository/resources/security/server.key"
+       "cert_file": "repository/resources/security/signing.cert",
+       "key_file": "repository/resources/security/signing.key"
      }
    ]
  }
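
Review bot: The key `id` stays `default-key` while `cert_file` and `key_file` now point at signing.cert / signing.key, so the same identifier refers to different key material before and after this change. Tokens signed with the old server.key would no longer verify against the configured certificate, and an install upgraded in place has nothing at the new paths until the build scripts are re-run. If that affects existing installs, the Breaking changes section should say so and describe the migration (generate the signing pair first, then hand the new certificate to verifiers); otherwise note why it does not.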

Related Issues

  • N/A

Related PRs

  • N/A

Checklist

  • Followed the contribution guidelines.
  • Manual test round performed and verified.
  • Documentation provided. (Add links if there are any)
  • Tests provided. (Add links if there are any)
    • Unit Tests
    • Integration Tests
  • Breaking changes. (Fill if applicable)
    • Breaking changes section filled.
    • breaking change label added.

Security checks

  • Followed secure coding standards in WSO2 Secure Coding Guidelines
  • Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.
Original prompt

This section details the original issue you should resolve

<issue_title>Create a separate key pair for digital signatures</issue_title>
<issue_description>### Current Limitation

Currently, the same key pair is used for both TLS and digital signatures which is not a good practice.

Suggested Improvement

Since we already have different configurations for TLS and Signing certificates, we need to update build scripts to generate a separate key pair for digital signatures.

Version

No response</issue_description>

<agent_instructions>Update build scripts (.sh and .ps1 files) to generate another key pair alongside server.cert and server.key, and store their file names in the crypto.keys config in default.json</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title [WIP] Update build scripts to generate separate key pair for digital signatures Generate separate key pair for digital signatures Jan 21, 2026
Copilot AI requested a review from hwupathum January 21, 2026 05:00

codecov bot commented Jan 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.85%. Comparing base (e674c18) to head (0f9dbf1).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1131      +/-   ##
==========================================
+ Coverage   89.78%   89.85%   +0.07%     
==========================================
  Files         586      586              
  Lines       38880    38875       -5     
  Branches     1967     1967              
==========================================
+ Hits        34907    34931      +24     
+ Misses       2239     2230       -9     
+ Partials     1734     1714      -20     
Flag Coverage Δ
backend-integration-postgres 53.54% <ø> (ø)
backend-integration-sqlite 53.51% <ø> (ø)
backend-unit 80.54% <ø> (+0.24%) ⬆️
frontend-apps-develop-unit 91.11% <ø> (ø)


@hwupathum hwupathum force-pushed the copilot/update-build-scripts-key-pair branch from 3e7799c to 4b31bb2 Compare January 21, 2026 15:04
@hwupathum hwupathum marked this pull request as ready for review January 21, 2026 15:04

github-actions bot commented Jan 21, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

@hwupathum hwupathum force-pushed the copilot/update-build-scripts-key-pair branch 2 times, most recently from 6ce6c33 to 5a010f3 Compare January 23, 2026 04:11
@hwupathum hwupathum enabled auto-merge January 23, 2026 04:18
@hwupathum hwupathum force-pushed the copilot/update-build-scripts-key-pair branch from 5a010f3 to 0f9dbf1 Compare January 27, 2026 16:48
Development

Successfully merging this pull request may close these issues.

Create a separate key pair for digital signatures
