Signing keys
Signing keys are used for the cryptographic operations behind credential issuance, for inbound webhook requests, and for any other functionality that requires a signature.
Purposes
The following signature algorithms are supported for each purpose:
| Purpose | ECDSA (P-256) | EdDSA (Ed25519) |
|---|---|---|
| W3C | ✅ | ✅ |
| MDoc | ✅ | ❌ |
| SD-JWT | ✅ | ✅ |
| C2PA | ✅ | ✅ |
| CA management | ✅ | ❌ |
| OID4VP | ✅ | ✅ |
Key types
Document Rails supports the following key types, each with the signature algorithms shown:
| Key type | ECDSA (P-256) | EdDSA (Ed25519) |
|---|---|---|
| Local | ✅ | ✅ |
| Azure Key Vault | ✅ | ❌ |
| Google Cloud KMS | ✅ | ❌ |
FIPS mode
When operating in FIPS mode, Document Rails disables support for EdDSA (Ed25519); only ECDSA (P-256), which every purpose and key type supports, remains available.
Key management
Creating keys
Signing keys of all types are created through a single API.
The key and its certificate can also live in different services (for example, a Google Cloud KMS key with an Azure Key Vault certificate).
Review the documentation for the corresponding key type for details on how to use each one.
Managing existing keys
List the organization's keys:
```typescript
import { listKeys } from "@vaultie/document-rails";

const response = await listKeys(
  client,
  accessToken,
  organizationId
);
```
Update an existing key, here pointing its certificate at Azure Key Vault:
```typescript
import { updateKey, AzureAuthenticationType, CertificateType } from "@vaultie/document-rails";

await updateKey(
  client,
  accessToken,
  organizationId,
  keyId,
  {
    // You can update either `key` or `certificate`, or both of them.
    //
    // Setting `certificate` to `null` instead of omitting the field
    // will remove the certificate entirely.
    certificate: {
      type: CertificateType.Azure,
      authentication: {
        type: AzureAuthenticationType.VirtualMachineManagedIdentity,
      },
      vault_url: "https://testing.vault.azure.net/objectType/objectName/1",
      name: "testcert",
      version: "bb066f61702345fa8be48761e32c89f8",
    },
  }
);
```
Delete a key:
```typescript
import { deleteKey } from "@vaultie/document-rails";

await deleteKey(
  client,
  accessToken,
  organizationId,
  keyId
);
```
Restore a previously deleted key:
```typescript
import { restoreKey } from "@vaultie/document-rails";

await restoreKey(
  client,
  accessToken,
  organizationId,
  keyId
);
```