Overview
The X.509 Certificate Service issues X.509 certificates for PKI deployments, including ISO/IEC 18013-5 compliant certificates for mobile driving licence (mDL) ecosystems. It supports self-signed IACA certificates, Document Signer certificates, generic CA and leaf certificates, and PKCS#10 Certificate Signing Requests (CSRs).
By default, the service is stateless. If one or more X.509 Store services are attached as dependencies, issued certificates can also be persisted automatically.
The X.509 Certificate Service is controlled by the x509 feature flag. The flag is enabled by default in _features.conf, so the service is available unless you explicitly add x509 to disabledFeatures.
Service Dependencies
The X.509 Certificate Service supports two dependency types:
- Key Management Service for requests that use kms-hosted-key-descriptor.
- X.509 Store Service for persisting issued certificates.
If a request uses jwk-encoded-key-descriptor, no KMS dependency is required for that key input.
Core Features
- Generic Certificates: Issue self-signed or CA-signed X.509 certificates with full control over extensions, key usage, and validity.
- ISO mDL Certificates: Issue self-signed IACA root certificates and Document Signer certificates anchored to an IACA.
- CSR-based Issuance: Accept a PEM-encoded CSR as the subject public key source for Document Signer and generic certificate issuance, enabling proof-of-possession workflows.
- Flexible Key Sources: Accept signing keys from linked KMS services or directly as JWKs.
- Automatic Persistence: Persist issued certificates into all attached X.509 Store services when configured.
- CSR Creation: Generate PKCS#10 Certificate Signing Requests for use in external CA workflows or CSR-based certificate issuance.
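As an added illustration (not the service's own code or API), the IACA, Document Signer and CSR proof-of-possession flow from the list above, built with Go's standard library. The IACA constraints, the DS key usage and the mDL DS extended-key-usage OID follow ISO/IEC 18013-5 as I recall it and are assumptions here, not the service's configured profile; subject names are constructed sample values.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
var oidMdlDS = asn1.ObjectIdentifier{1, 0, 18013, 5, 1, 2} // id-mdl-kp-mdlDS as I recall it from ISO/IEC 18013-5 (assumption)
// IssueChain walks the IACA -> CSR -> Document Signer flow: a self-signed IACA root, a PKCS#10 CSR
// for the DS key (its signature is the proof of possession), and a DS certificate anchored to the IACA.
func IssueChain(country, org string) (iaca, ds *x509.Certificate, err error) {
	iacaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	iacaTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		Subject: pkix.Name{Country: []string{country}, Organization: []string{org}, CommonName: org + " IACA"},
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, // pathLen 0: IACA signs end entities only
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	iacaDER, err := x509.CreateCertificate(rand.Reader, iacaTmpl, iacaTmpl, &iacaKey.PublicKey, iacaKey)
	if err != nil { return nil, nil, err }
	if iaca, err = x509.ParseCertificate(iacaDER); err != nil { return nil, nil, err }
	// Requester side: the DS private key stays with its holder; only a CSR reaches the issuer.
	dsKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{Country: []string{country}, CommonName: org + " DS"}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, dsKey)
	if err != nil { return nil, nil, err }
	// Issuer side: parse the CSR and check its self-signature before trusting the enclosed public key.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, nil, err }
	if err = csr.CheckSignature(); err != nil { return nil, nil, err }
	dsTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: now,
		NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature, // end entity: no CA bit
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidMdlDS}}
	dsDER, err := x509.CreateCertificate(rand.Reader, dsTmpl, iaca, csr.PublicKey, iacaKey)
	if err != nil { return nil, nil, err }
	ds, err = x509.ParseCertificate(dsDER)
	return iaca, ds, err
}
// VerifyDS is the relying-party chain check; ExtKeyUsageAny is requested because Go's chain builder does not know the mDL EKU, so callers inspect ds.UnknownExtKeyUsage for oidMdlDS themselves.
func VerifyDS(ds, iaca *x509.Certificate) ([][]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(iaca)
	return ds.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
}
```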
Get Started
- Setup - Create the service and attach optional dependency services.
- Issue Certificates - Create IACA, Document Signer, and generic certificates.
- CSR Workflows - Create CSRs and use them for certificate issuance.
