X.509 Signing Configuration
Configure the X.509 certificate signer to issue root CAs and sign X.509 certificates.
Configuration
Add a signer instance of type X509_CERTIFICATE to your configuration:
```yaml
signer:
  X509_CERTIFICATE:
    display:
      en: "X.509 Certificate Issuer"
      de: "X.509 Certificate Issuer"
    order: 2
    type: X509_CERTIFICATE
    params:
      private:
        payload:
          maxValidityDuration: 157680000   # seconds: 1825 days, i.e. 5 years
          allowCaSigning: true
          pathLenConstraint: 0
          keyIdDerivation: "sha-1"
          revocationMethod: CRL
```
Parameters
| Parameter | Description |
|---|---|
| maxValidityDuration | Maximum certificate validity in seconds. Acts as an upper cap; a shorter validity can be requested per certificate via the API. The example value 157680000 is 1825 days (5 years). |
| allowCaSigning | Enables the instance to issue CA certificates. |
| pathLenConstraint | Controls the CA chain depth (the X.509 basicConstraints pathLenConstraint). 0 allows no intermediate CA beneath the CA, so it may only issue end-entity certificates. Set to 0 for mdoc CA issuance (see below); set a value greater than 0, or omit it, for other CA types. |
| keyIdDerivation | Key identifier derivation algorithm. Set to sha-1 for mdoc CAs: ISO/IEC 18013-5 expects the RFC 5280 method 1 key identifier, the 160-bit SHA-1 hash of the subject public key. |
| revocationMethod | Revocation method for issued certificates. Currently only CRL is supported. |
mdoc CA issuance
mdoc CAs have specific requirements under ISO/IEC 18013-5: the root CA (the IACA) must sign document signer certificates directly, with no intermediate CAs in between. A pathLenConstraint of 0 on the root enforces this at the X.509 level, because a conforming path validator rejects any chain that places an intermediate CA beneath it.
To satisfy this, set:
```yaml
pathLenConstraint: 0
keyIdDerivation: "sha-1"
```
Note: If you need to issue both mdoc CAs and standard CAs, create two separate X509_CERTIFICATE signer instances under different instance keys, one configured for mdoc and one for general use. The pathLenConstraint and keyIdDerivation values can be incompatible across these use cases.
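The configuration block above and the mdoc requirements come down to a few properties of the certificates the signer produces, and they are worth checking on real output rather than trusting the config. The following is an added example written for this page, not the project's own code, using pyca/cryptography: it issues a self-signed IACA root with pathLenConstraint 0 and a document signer (DS) certificate directly under it, then checks the pair for what the page describes (pathLen 0 on the root, no intermediate CA, SHA-1 key identifiers per RFC 5280 method 1, validity within maxValidityDuration, DS signature verifying under the root). The certificate names, the fixed notBefore date, the use of P-256 keys and the "sha-256" alternative derivation are assumptions made for the example; the deliberately wrong variants exist only so the checker has something to catch.

```python
# Added example (not the project's code): build an ISO 18013-5 style IACA root + document
# signer pair with pyca/cryptography and check it against the X509_CERTIFICATE settings above.
import datetime, hashlib
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_VALIDITY_DURATION = 157_680_000  # maxValidityDuration from the config: 5 years in seconds
NOT_BEFORE = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # fixed for repeatability

def key_identifier(public_key, derivation="sha-1"):
    """Key identifier for an EC key. "sha-1" is RFC 5280 s4.2.1.2 method 1 (what the page sets for
    mdoc CAs): SHA-1 over the subjectPublicKey BIT STRING contents, i.e. the uncompressed point
    04||X||Y. "sha-256" (truncated) is a hypothetical alternative so the checker has a mismatch to catch."""
    point = public_key.public_bytes(serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    if derivation == "sha-1":
        return hashlib.sha1(point).digest()
    if derivation == "sha-256":
        return hashlib.sha256(point).digest()[:20]
    raise ValueError(f"unknown keyIdDerivation {derivation!r}")

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build_cert(subject_cn, public_key, issuer_cert, issuer_key, *, ca, path_len, validity_seconds, derivation="sha-1"):
    """issuer_cert=None builds a self-signed root; issuer_key is the signing key in both cases."""
    subject = _name(subject_cn)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
               .public_key(public_key)
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOT_BEFORE)
               .not_valid_after(NOT_BEFORE + datetime.timedelta(seconds=validity_seconds))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True)
               .add_extension(x509.SubjectKeyIdentifier(key_identifier(public_key, derivation)), critical=False))
    if issuer_cert is not None:  # bind the issued certificate to the root by key identifier
        issuer_ski = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())

def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def _lifetime_seconds(cert):
    try:  # cryptography >= 42 exposes tz-aware properties; older versions only the naive ones
        return (cert.not_valid_after_utc - cert.not_valid_before_utc).total_seconds()
    except AttributeError:
        return (cert.not_valid_after - cert.not_valid_before).total_seconds()

def check_mdoc_chain(iaca, ds, max_validity=MAX_VALIDITY_DURATION):
    """Findings for an IACA root + document signer pair; [] means the pair matches the page:
    pathLenConstraint 0 root signing the DS directly, SHA-1 key identifiers, validity within
    maxValidityDuration, and a DS signature that verifies under the root."""
    findings = []
    bc = _ext(iaca, x509.BasicConstraints)
    if bc is None or not bc.ca or bc.path_length != 0:
        findings.append("IACA: basicConstraints must be cA=TRUE with pathLenConstraint 0")
    ds_bc = _ext(ds, x509.BasicConstraints)
    if ds_bc is not None and ds_bc.ca:
        findings.append("DS: must be an end-entity certificate, not an intermediate CA")
    for label, cert in (("IACA", iaca), ("DS", ds)):
        ski = _ext(cert, x509.SubjectKeyIdentifier)
        if ski is None or ski.digest != key_identifier(cert.public_key()):
            findings.append(f"{label}: SubjectKeyIdentifier is not the SHA-1 (RFC 5280 method 1) value")
        if _lifetime_seconds(cert) > max_validity:
            findings.append(f"{label}: validity exceeds maxValidityDuration ({max_validity}s)")
    aki, iaca_ski = _ext(ds, x509.AuthorityKeyIdentifier), _ext(iaca, x509.SubjectKeyIdentifier)
    if aki is None or iaca_ski is None or aki.key_identifier != iaca_ski.digest:
        findings.append("DS: AuthorityKeyIdentifier does not match the IACA SubjectKeyIdentifier")
    try:
        iaca.public_key().verify(ds.signature, ds.tbs_certificate_bytes, ec.ECDSA(ds.signature_hash_algorithm))
    except InvalidSignature:
        findings.append("DS: signature does not verify under the IACA public key")
    return findings

def issue_mdoc_chain(*, ds_is_ca=False, ds_validity=MAX_VALIDITY_DURATION, ds_derivation="sha-1"):
    """Self-signed IACA root (pathLen 0) plus a DS it signs directly; the keyword arguments
    deliberately produce the misconfigurations the checker is meant to catch."""
    iaca_key, ds_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    iaca = build_cert("Example IACA", iaca_key.public_key(), None, iaca_key,
                      ca=True, path_len=0, validity_seconds=MAX_VALIDITY_DURATION)
    ds = build_cert("Example Document Signer", ds_key.public_key(), iaca, iaca_key,
                    ca=ds_is_ca, path_len=None, validity_seconds=ds_validity, derivation=ds_derivation)
    return iaca, ds

if __name__ == "__main__":
    for kw in ({}, {"ds_is_ca": True}, {"ds_validity": MAX_VALIDITY_DURATION + 1}, {"ds_derivation": "sha-256"}):
        print(kw or "conforming", "->", check_mdoc_chain(*issue_mdoc_chain(**kw)) or "OK")
```

To run the check against certificates your own signer instance produced, load them with x509.load_pem_x509_certificate and pass the root and a document signer certificate to check_mdoc_chain; an empty list means the pair has the properties this page requires. The checker recomputes the SHA-1 key identifier from the public key instead of trusting the extension value, which is exactly the check that catches a keyIdDerivation mismatch between two instances.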
Usage
Once configured, reference the signer instance key (X509_CERTIFICATE in the example above) in the following API calls:
- POST /api/identifier/v1: create a root CA
- POST /api/signature/v1: sign an X.509 certificate
For full request parameters and examples, see Certificate issuance.