1.1.4 Generating Keys

Concourse's various components use RSA keys to verify tokens and worker registration requests.

A minimal deployment will require the following keys:


Used by the web node for signing and verifying user session tokens.


Used by the web node for the SSH worker registration gateway server ("TSA").

The public key is given to each worker node to verify the remote host when connecting via SSH.

worker_key (one per worker)

Each worker node verifies its registration with the web node via a SSH key.

The public key must be listed in the web node's authorized keys configuration in order for the worker to register.

To generate these keys, run:

concourse generate-key -t rsa -f ./session_signing_key
concourse generate-key -t ssh -f ./tsa_host_key
concourse generate-key -t ssh -f ./worker_key

...and we'll also start on an authorized_keys file, currently listing this initial worker key:

cp worker_key.pub authorized_worker_keys