# Generate a key

For exchanges that authenticate with asymmetric signatures, the vault generates the key material through a distributed ceremony. The private key is never assembled in any single location.

## Before you start

* Confirm the target venue exists and uses an Ed25519 or RSA signing scheme.
* You need the `import_generate_keys` capability.

## Steps for Ed25519

1. In the sidebar, click **Offchain Keys**.
2. Click **New API Key** (top right).
3. Enter a **Name** for the key.
4. Open the **Venue** dropdown and select an exchange with an Ed25519 signing scheme.
5. Click **Generate Ed25519 Key**. The vault runs a distributed key-generation ceremony and returns the public key.
6. Copy the displayed public key.
7. In a new browser tab, open the exchange's API key registration page and paste the public key. The exchange returns an API key identifier.
8. Back in the vault modal, paste the API key identifier into the **API Key** field.
9. (Optional) Set **Environment**, **Expiration date**, and **Metadata**.
10. Click **Submit API Key**.

![New API Key dialog on the Ed25519 path with the Generate Key button enabled](/img/guide/keys/generate-key-form.png)
*Pick an Ed25519 venue and name the key, then click Generate Key.*

![The generated Ed25519 public key shown in PEM format with a Copy button](/img/guide/keys/generate-public-key.png)
*The vault runs distributed key generation and returns the public key. Register it with the venue, paste back the venue API key, set the environment, and submit.*

## Steps for RSA

1. Follow steps 1 through 4 above, selecting a venue with an RSA signing scheme.
2. Click **Generate RS256 Key**. The vault generates key material and produces a certificate-signing request (CSR).
3. The CSR downloads automatically. Submit it to your exchange or certificate authority per their instructions.
4. After the exchange processes the CSR, retrieve your API key identifier.
5. Back in the vault, enter the **API Key** identifier and any other metadata, then click **Submit API Key**.

## After generation

The key is now in the Offchain Keys table. Its public key is registered with the exchange and the secret is held in shares across the key store nodes. To rotate the key later, see [Versions & rotation](/guide/keys/versions-rotation).
