Certificate authority management

Some credentials support the use of X.509 certificates in the issuance and verification process. To help credential issuers with certificate management, Document Rails features its own certificate authority management API.

The API can be used to create root and intermediate CAs, and to sign end-entity certificates that are used during the credential issuance process.

The certificate authority API supports both local and remote keys (Azure Key Vault, Google Cloud KMS) for managing certificate authorities. Remote keys offer a higher level of security by delegating key management to a hardware-backed service.

Supported flag values

Key usage

  • DigitalSignature

  • NonRepudiation

  • KeyEncipherment

  • DataEncipherment

  • KeyAgreement

  • KeyCertSign

  • CrlSign

Extended key usage

  • Critical

  • ServerAuth

  • ClientAuth

  • CodeSigning

  • EmailProtection

  • Timestamping
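
What these flags mean to a verifier, as an added example built on Go's standard `crypto/x509` package (not Document Rails' API or code; all certificate names are constructed). The root and intermediate carry KeyCertSign and CrlSign, the end-entity certificate carries DigitalSignature with ClientAuth, and the check shows that the leaf verifies for ClientAuth, is rejected for ServerAuth, and cannot act as an issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs a new certificate with the parent's key; a nil parent gives a self-signed root.
func issue(cn string, isCA bool, ku x509.KeyUsage, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// Check builds root -> intermediate -> leaf (constructed names) and verifies three cases.
func Check() (clientOK, serverOK, rogueOK bool) {
	ca := x509.KeyUsageCertSign | x509.KeyUsageCRLSign // KeyCertSign and CrlSign in the list above
	root, rootKey := issue("example root", true, ca, nil, nil)
	inter, interKey := issue("example intermediate", true, ca, root, rootKey)
	leaf, leafKey := issue("example leaf", false, x509.KeyUsageDigitalSignature, inter, interKey, x509.ExtKeyUsageClientAuth)
	rogue, _ := issue("issued by leaf", false, x509.KeyUsageDigitalSignature, leaf, leafKey)
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	mids.AddCert(inter)
	mids.AddCert(leaf) // offered as an issuer although it is not a CA
	ok := func(c *x509.Certificate, eku x509.ExtKeyUsage) bool {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids, KeyUsages: []x509.ExtKeyUsage{eku}})
		return err == nil
	}
	return ok(leaf, x509.ExtKeyUsageClientAuth), ok(leaf, x509.ExtKeyUsageServerAuth), ok(rogue, x509.ExtKeyUsageAny)
}
func main() { fmt.Println(Check()) }
```

The third result is the reason to keep KeyCertSign and the CA flag off end-entity certificates: the signature the leaf produces is mathematically valid, but the verifier refuses to build a chain through a certificate that is not authorized to sign others.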