Where can I find the public key for the identity.pem file?

I’m looking for more information around the dfx identity (identity.pem) file.

I would appreciate articles or other related links on this topic.

For me the identity.pem file is a private key, my questions is where is the corresponding public key ?

Thanks for any help to understand that point.

To get Principal - dfx identity get-principal
To get Account Id - dfx ledger account-id

Short update in my findings.

The private key from the identity.pem file will be verified by the corresponding subnet public key which I’m going to deploy my canister or I interact with my principal ID.

Can someone confirm this conclusion?

And this is the corresponding sentence in the documentation:

The first time you run the dfx canister create command to register an identifier, your public/private key pair credentials are used to create a default user identity. The credentials for the default user are migrated from $HOME/.dfinity/identity/creds.pem to $HOME/.config/dfx/identity/default/identity.pem .

I can`t find this file on my machine:


And all further identities are created based on the first default identity?

1 Like

I don’t think that’s how it works, you can create private keys offline, they don’t need to be verified by a subnet and you can use and idenity dervied from a private key to communicate with different subnets, it’s not tied to a specific one.

The reason you can’t this file is probably that you used the default identity to create a canister, which migrates it to $HOME/.config/dfx/identity/default/identity.pem as stated in the sentence you quoted.

And to my understanding further identites are created independent of the default identity.

Thanks for your answer.
But, if a private key is not verified by someone what is it for ?

I agree that the public key will not firmly bound to a particular subnet, because if you deploy a canister then no one has the possibility to select a subnet (at least I haven’t seen it yet).

I think the private key must be verified by every subnets public key.

This file is also not available if use a completely new installation. It looks to me, that the documentation is not up to date for that point, maybe ??

I think i misunderstood your question, in this context the signature of a message is being verified before it reaches a canister. Usually you don’t say that a private key is verified, you say that a signature is verified.

Your private key and the subnets public key aren’t in any relationship.

If you want to find out more about the topic there are a couple of nice resources out there.

Did you delete the entire ~/.config/dfx folder before reinstalling? Note that this will delete all of your identities so make sure you back them up!

thanks a lot, I will study those videos to hoping to find some answer on my questions.

1 Like

After watching some videos I try to wrap up my findings:

  • The pem file represents the identity with its private key (it’s the only thing I have to backup)
  • The principal ID represents the textual representation from the public key in form of a hash value
  • In the identity folder there is no public key file, so according to my explanation, the public key must be generated from that pem file?
  • So when I call dfx identity get-principal, this principal must be gerneated from the pem file.

I hope my understand is correct now.

1 Like

that seems correct :slight_smile:

cool, another point I would like to discuss:

When an identity deploy a canister, per default this identity gets the controller of that canister. So I need this identity to interact with that canister for state changing requests.

If I want an other identity to allow also to interact with that canister I can add another controller or custodian to that canister. This process is called delegation in that content, right?

You don’t need the identity to make state changing (upgrade) calls. Only if you explicitly restrict access to that method in your code.

Controllers of canisters in general have “admin” access to the canister itself, this means they can upgrade, delete or uninstall the canister andl also add/remove other controllers for the canister.

And no, a delegation is something different :slight_smile:

Thanks for all the infos and help around the identity.pem file questions.

Attached I would like to share my article about my observations and findings on that topic.