#Overview

The X.509 Certificate Service issues ISO/IEC 18013-5 certificates for mobile driving licence ecosystems. It supports both self-signed IACA certificates and Document Signer certificates.

By default, the service is stateless. If one or more X.509 Store services are attached as dependencies, issued certificates can also be persisted automatically.

The X.509 Certificate Service is controlled by the x509 feature flag. The flag is enabled by default via the _features.conf. This means the service is available unless you explicitly add x509 to disabledFeatures.

#Service Dependencies

The X.509 Certificate Service supports two dependency types:

Key Management Service for requests that use kms-hosted-key-descriptor.
X.509 Store Service for persisting issued certificates.

If a request uses jwk-encoded-key-descriptor, no KMS dependency is required for that key input.

#Core Features

Issue self-signed IACA root certificates.
Issue Document Signer certificates anchored to an IACA.
Accept signing keys from linked KMS services or directly as JWKs.
Persist issued certificates into all attached X.509 Store services when configured.

#Get Started

Setup - Create the service and attach optional dependency services.
Issue Certificates - Create IACA and Document Signer certificates.

Last updated on March 11, 2026

X.509 Store Service Setup