Root certificate authority
A root certificate authority is self-signed and defines the start of the chain of trust for generated credentials.
The resulting certificate is usually included as a static entity in the root stores of verifiers or user devices.
import {
createCertificateAuthority,
CreateCertificateAuthorityRequestOriginType,
ExtendedKeyUsage,
KeyUsage
} from "@vaultie/document-rails";
// Creates a self-signed root certificate authority for the organization.
// `client`, `accessToken`, `organizationId` and `keyId` are expected to be
// defined by the surrounding code.

// Subject name of the CA certificate. Only `common_name` is required;
// the remaining fields are optional.
const rootSubject = {
  common_name: "Example",
  organization_name: "Example",
  organization_unit_name: "Development",
  country_name: "XX",
  state_name: "XX",
};

// CA constraints. The object itself and every nested field are optional.
const rootConstraints = {
  // KeyCertSign and CrlSign are the usages a CA relies on to sign
  // certificates and revocation lists.
  // NOTE(review): confirm DigitalSignature is actually needed on this root.
  key_usage: [
    KeyUsage.DigitalSignature,
    KeyUsage.KeyCertSign,
    KeyUsage.CrlSign
  ],
  // NOTE(review): ExtendedKeyUsage.Critical looks like a flag marking the
  // extension as critical rather than a usage purpose — confirm against the
  // library reference. Some verifiers treat an extended key usage on a CA
  // certificate as a limit on what certificates issued beneath it may be
  // used for, so list only the purposes this hierarchy is meant to serve.
  extended_key_usage: [
    ExtendedKeyUsage.Critical,
    ExtendedKeyUsage.EmailProtection
  ],
  // Presumably the X.509 path length constraint: 1 would permit a single
  // level of intermediate CA below this root — confirm how the service and
  // your verifiers enforce it.
  pathlen: 1
};

const rootCaRequest = {
  // A root CA signs itself, so no parent CA is supplied.
  type: CreateCertificateAuthorityRequestOriginType.SelfSigned,
  // Identifier of the signing key used to manage the certificate authority.
  // See the signing key documentation for the supported key types.
  // NOTE(review): anything able to use this key can issue under the root;
  // check the key's storage and access policy before relying on it.
  key_id: keyId,
  // Required.
  common_name: rootSubject,
  constraints: rootConstraints,
  // Validity term in days; when omitted the default is ~10 years.
  // 365 is far shorter than that default. Root certificates are usually
  // installed statically in root stores, so an expiring root has to be
  // redistributed to every verifier — choose the term with that in mind.
  validity_term: 365
};

const response = await createCertificateAuthority(
  client,
  accessToken,
  organizationId,
  rootCaRequest,
);