CA Service
The Certificate Authority (CA) Service is the core component of the Quantum-Safe PKI project. It is responsible for issuing X.509 certificates signed with post-quantum cryptography, managing certificate revocation, and providing OCSP responses.
Key Features
- Issues X.509 certificates signed with EdDilithium2, a post-quantum digital signature algorithm.
- Provides endpoints for signing Certificate Signing Requests (CSRs).
- Manages Certificate Revocation Lists (CRLs) and serves them via a dedicated endpoint.
- Implements an Online Certificate Status Protocol (OCSP) responder for real-time certificate validation.
- Uses an ECDSA P-256 key for its own root CA certificate and TLS identity (for compatibility).
- Supports mutual TLS (mTLS) for client authentication with CRL checks.
- Flexible key storage options: filesystem (fs) or PKCS#11 hardware security modules (pkcs11).
API Endpoints
Endpoint | Method | Description | Authentication |
---|---|---|---|
/sign | POST | Signs a CSR and returns a certificate chain | mTLS |
/revoke-cert | POST | Revokes a certificate by serial number | mTLS |
/crl | GET | Returns the current Certificate Revocation List | None |
/ocsp | POST | Processes OCSP requests and returns OCSP responses | None |
/healthz | GET | Health check endpoint | None |
/readyz | GET | Readiness check endpoint | None |
Configuration
The CA Service is configured primarily through environment variables:
Variable | Description | Default |
---|---|---|
PORT_CA / ADDR | Listen address for the service | :5000 |
KEY_DIR | Directory to store/load cryptographic keys and certificates | keys |
KEYSTORE_TYPE | Method for storing private keys: fs or pkcs11 | fs |
SERVICE_HOST | Publicly accessible hostname for the service | Derived from request Host header |
Key Files
The CA Service uses the following key files, stored in the directory specified by KEY_DIR:
- ca-root: ECDSA P-256 private key for the root CA certificate
- ca-pqc-key.bin: EdDilithium2 private key for signing issued certificates
- ca-cert: the CA's own certificate
- revocations.json: JSON file storing information about revoked certificates
Usage Examples
Signing a CSR
```bash
curl -X POST \
  --cert client.pem \
  --key client-key.pem \
  --cacert ca-cert.pem \
  -H "Content-Type: application/x-pem-file" \
  --data-binary @request.csr \
  https://localhost:5000/sign
```
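The same request from a Go client, added here as an example and not part of the project's own code: it generates a P-256 key, builds a PEM CSR and checks the CSR's self-signature before submission (proof that the requester holds the key), then posts it to /sign with the same client certificate and trust root the curl flags name. The endpoint, content type and mTLS requirement come from the API table above; the hostname svc.example.internal, the output file names svc-key.pem and request.csr, and the response body being the issued PEM chain are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"net/http"
	"os"
)

// BuildCSR generates a fresh P-256 key and a PEM CSR for commonName/dnsNames.
// The private key stays with the requester; only the CSR goes to /sign.
func BuildCSR(commonName string, dnsNames []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
	}, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// ValidateCSR is the sanity check either side should run before a CSR is
// accepted: the PEM must parse and its self-signature must verify, which is
// the requester's proof of possession of the corresponding private key.
func ValidateCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	return csr, nil
}

// NewMTLSClient mirrors the curl flags: --cert/--key become the client
// certificate, --cacert the trust root for the CA service's TLS identity.
func NewMTLSClient(clientCert tls.Certificate, roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		RootCAs:      roots,
		MinVersion:   tls.VersionTLS12,
	}}}
}

// SubmitCSR posts the CSR to /sign and returns the PEM chain the CA issues
// (assumed response format). Any non-200 status is an error, with the CA's
// own message kept for diagnosis.
func SubmitCSR(client *http.Client, caURL string, csrPEM []byte) ([]byte, error) {
	resp, err := client.Post(caURL+"/sign", "application/x-pem-file", bytes.NewReader(csrPEM))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	out, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("/sign returned %s: %s", resp.Status, out)
	}
	return out, nil
}

func main() {
	key, csrPEM, err := BuildCSR("svc.example.internal", []string{"svc.example.internal"})
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	// The private key is written owner-readable only; request.csr is the body
	// the curl command above posts to /sign (or pass it to SubmitCSR).
	if err := os.WriteFile("svc-key.pem", pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600); err != nil {
		panic(err)
	}
	if err := os.WriteFile("request.csr", csrPEM, 0o644); err != nil {
		panic(err)
	}
}
```

To submit from Go instead of curl, load the client material with tls.LoadX509KeyPair("client.pem", "client-key.pem") and a CertPool containing ca-cert.pem, and pass the resulting client to SubmitCSR with "https://localhost:5000".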
Revoking a Certificate
```bash
curl -X POST \
  --cert client.pem \
  --key client-key.pem \
  --cacert ca-cert.pem \
  -H "Content-Type: application/json" \
  -d '{"serial": "1234567890ABCDEF"}' \
  https://localhost:5000/revoke-cert
```
Fetching the CRL
```bash
curl -o crl.der https://localhost:5000/crl
```
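Fetching the CRL is only useful if it is then verified and consulted. The Go program below is an added example (not the project's code) of what a relying party, or an mTLS server doing the CRL checks listed under Key Features, should do with crl.der: verify the CA's signature, refuse a CRL that is stale or not yet valid, and only then look up a serial. Because /crl is served without authentication, the signature check is what binds the downloaded bytes to the CA. NewDemoCRL is a constructed stand-in for the real CA service so the program runs offline; the serial 1234567890ABCDEF is the one from the revocation example above, and the 12-hour NextUpdate is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckSerial parses a DER CRL (the bytes curl saved as crl.der), verifies the
// CA's signature on it, rejects a CRL that is not yet valid or past NextUpdate,
// and reports whether serial is listed. Every failure is an error so callers
// fail closed instead of treating an unverifiable CRL as "not revoked".
func CheckSerial(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL not valid at %s", now.UTC().Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// VerifyPeerAgainstCRL returns a tls.Config.VerifyPeerCertificate callback for
// an mTLS server: after chain validation, a leaf listed in the CRL is refused.
func VerifyPeerAgainstCRL(crlDER []byte, issuer *x509.Certificate) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no client certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		revoked, err := CheckSerial(crlDER, issuer, leaf.SerialNumber, time.Now())
		if err != nil {
			return err
		}
		if revoked {
			return fmt.Errorf("client certificate %s is revoked", leaf.SerialNumber.Text(16))
		}
		return nil
	}
}

// NewDemoCRL is a constructed stand-in for the CA service: it mints a throwaway
// P-256 root and signs a one-entry CRL with it so the check can run offline.
func NewDemoCRL(now time.Time, revokedSerial *big.Int) (*x509.Certificate, []byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // parsed form carries the SubjectKeyId the CRL needs
	if err != nil {
		return nil, nil, err
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revokedSerial, RevocationTime: now}},
	}, caCert, caKey)
	return caCert, crlDER, err
}

func main() {
	now := time.Now()
	revoked, _ := new(big.Int).SetString("1234567890ABCDEF", 16)
	caCert, crlDER, err := NewDemoCRL(now, revoked)
	if err != nil {
		panic(err)
	}
	isRevoked, err := CheckSerial(crlDER, caCert, revoked, now)
	fmt.Println("serial 1234567890ABCDEF revoked:", isRevoked, "err:", err)
}
```

Against the real service, replace NewDemoCRL with the bytes from crl.der and the parsed ca-cert file, and install VerifyPeerAgainstCRL in the server's tls.Config alongside ClientAuth set to RequireAndVerifyClientCert; re-fetch the CRL before NextUpdate passes, since the check deliberately fails closed once it does.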
Next Steps
Now that you understand the CA Service, you might want to explore:
- ACME Server: Learn about the ACME Server that interacts with the CA Service.
- Transparency Log: Understand how certificates are logged for auditability.
- Revocation: Learn about certificate revocation and CRL management.