My private key is server-side and the public one is client-side. I use them to sign JWTs on my server and send them to my clients for authorisation. I now also have to encrypt the user password client-side during authentication using JWE and verify it server-side.
These two use cases have the same requirements: the private key is server-side, the public key is client-side, and the encryption algorithms can be the same. This is why I am thinking of using the same key pair, but I am afraid of missing something about security and I would like confirmation: is it safe?
CodePudding user response:
As a best practice, you should not reuse the same key pair for different purposes. Just have two distinct key pairs, one for digital signatures, the other for public-key encryption.