Certificates
Paradym enables you to use X.509 certificates to sign OpenID4VC presentation requests, issue mDoc/SD-JWT-VC credentials, and sign credential revocation status lists.
To do so, you can either create a root certificate within Paradym for the specific use case, or create a certificate signing request to request an externally signed certificate.
When you create a root certificate within Paradym, the root certificate is used to automatically generate leaf certificates, which are used for the actual signing of credentials and OpenID4VP presentation requests. When you use an externally signed certificate, you need to first create a certificate signing request, get your certificate signed by an external certificate authority, and then import the resulting certificate into Paradym.
You can only have one active certificate for each certificate type (issuer/verifier) and key type combination at a time. This applies to both root certificates created in Paradym, as well as externally signed leaf certificates.
For example, you cannot have both an active issuer root certificate and an active externally signed issuer leaf certificate for the same key type.
However, you can have both an active and a pendingActivation certificate at the same time, which allows for pre-rotation and preparation for certificate renewal.
Creating a Root Certificate
When creating a root certificate, you need to provide the following information:
- The type of the root certificate to create. At the moment you can choose to create a verifier root certificate (which will generate a leaf certificate used for OpenID4VP presentation requests), or an issuer root certificate (which will generate a leaf certificate used for signing credentials).
- The type of the private key used to sign the root certificate.
- The ISO 3166-1 2-letter country code of the country where the issuer is located, and, optionally, a human-readable common name, identifying the certificate issuer.
- The issuer alternative name, which is the URL that identifies the issuer.
By default, the root certificate has a validity of 5 years. If you need to renew it beforehand because, for example, your details have changed, you can create a new certificate, and activate it. This will automatically deactivate the old one (but not revoke it).
When a root certificate is about to expire, an email will be sent to the project owner to inform them about the renewal. For verifier root certificates this is 6 months before expiration of the certificate. For issuer root certificates this is 6 months before the longest validity of any of the credentials issued under this issuer root certificate. For example, if you have a credential template that issues credentials that are valid for up to 1 year, the notification will be sent 1.5 years before expiration. The 6 months allows enough time to share the new root certificate with all relevant parties.
To create a certificate from the API, make a POST request to https://api.paradym.id/v1/projects/{projectId}/certificates. See the API Reference for detailed usage information.
{
  "type": "verifierRoot",
  "keyType": "P-256",
  "countryName": "NL",
  "commonName": "Example Company BV",
  "issuerAlternativeNameUrl": "https://example.com"
}
Creating a Certificate Signing Request
Creating externally signed certificates is not available in the Free tier, and only available to the Pro and Custom tiers.
In a lot of cases the authority issuing certificates is external to your issuer or verifier solution, in which case it is not possible to directly generate a certificate that will be trusted by other parties within Paradym.
Paradym supports creating Certificate Signing Requests based on PKCS#10 if you need a certificate to be signed by an external certificate issuer. A certificate signing request can only be created for leaf certificates (the certificate that will be used directly to sign a credential or OpenID4VP presentation request). Certificate Signing Requests are automatically removed, including the associated cryptographic keys, after 30 days if no certificate has been imported yet.
While root certificates within Paradym are valid for 5 years, leaf certificates used for issuing credentials and signing OpenID4VP verification requests are valid for a maximum of 457 days, in line with the requirement of the ISO 18013-5 mDoc specification for Document Signer Certificates.
For externally signed verifier certificates, we recommend initiating the renewal process at least 1 month before the certificate expires.
For externally signed issuer certificates this is 1 month before the longest validity of any of the credentials issued by this issuer certificate. For example, if you have a credential template that issues credentials that are valid for up to 1 year, and the certificate is valid for 457 days (the maximum allowed within Paradym), you only have around 2 months to use the certificate before we recommend initiating the renewal process.
An email will be sent to the project owner to inform them about the renewal. We highly recommend automating the external certificate signing process through our API if possible.
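The renewal lead times described above (6 months for root certificates, 1 month for externally signed leaf certificates, extended by the longest credential validity for issuer certificates) as an added worked example. This is not Paradym code; it approximates a month as 30 days, uses the 457-day leaf maximum stated above, and the dates and validity periods are constructed.

```python
"""Renewal timing for Paradym certificates (added example, not Paradym code).

Months are approximated as 30 days; Paradym's exact scheduling is not documented here.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MONTH = timedelta(days=30)               # assumed approximation of "1 month"
MAX_LEAF_VALIDITY = timedelta(days=457)  # maximum for externally signed leaf certificates


@dataclass(frozen=True)
class Certificate:
    kind: str        # "issuer" or "verifier"
    managed: str     # "root": created in Paradym, "external": imported via a CSR
    not_before: date
    not_after: date

    @property
    def validity(self) -> timedelta:
        return self.not_after - self.not_before


def renewal_lead_time(cert: Certificate, longest_credential_validity: timedelta = timedelta(0)) -> timedelta:
    """How long before not_after the renewal process should start.

    Root certificates: 6 months before expiry (verifier), or 6 months before the
    longest-lived credential issued under it would expire (issuer).
    Externally signed leaf certificates: the same rule with 1 month instead of 6.
    """
    if cert.managed == "root":
        lead = 6 * MONTH
    elif cert.managed == "external":
        lead = 1 * MONTH
    else:
        raise ValueError(f"unknown management mode: {cert.managed}")
    if cert.kind == "issuer":
        return lead + longest_credential_validity
    if cert.kind == "verifier":
        return lead
    raise ValueError(f"unknown certificate kind: {cert.kind}")


def renewal_start_date(cert: Certificate, longest_credential_validity: timedelta = timedelta(0)) -> date:
    return cert.not_after - renewal_lead_time(cert, longest_credential_validity)


def usable_window(cert: Certificate, longest_credential_validity: timedelta = timedelta(0)) -> timedelta:
    """Time between not_before and the recommended renewal start.

    A non-positive window means renewal should begin as soon as the certificate is active.
    """
    return renewal_start_date(cert, longest_credential_validity) - cert.not_before


def leaf_validity_ok(cert: Certificate) -> bool:
    """Externally signed leaf certificates longer than 457 days are not accepted."""
    return cert.managed != "external" or cert.validity <= MAX_LEAF_VALIDITY


def scenario(kind: str, managed: str, validity_days: int, credential_days: int = 0) -> tuple:
    """(lead days, usable days) for a certificate valid from a fixed constructed date."""
    start = date(2026, 1, 10)  # constructed date
    cert = Certificate(kind, managed, start, start + timedelta(days=validity_days))
    creds = timedelta(days=credential_days)
    return renewal_lead_time(cert, creds).days, usable_window(cert, creds).days


if __name__ == "__main__":
    # Issuer root valid 5 years with 1-year credentials: notify ~1.5 years before expiry.
    print("issuer root     (lead, usable):", scenario("issuer", "root", 5 * 365, 365))
    # Externally signed issuer leaf at the 457-day maximum with 1-year credentials:
    # only about two months of use before renewal should start.
    print("issuer external (lead, usable):", scenario("issuer", "external", 457, 365))
    print("verifier root   (lead, usable):", scenario("verifier", "root", 5 * 365))
```

The `scenario` helper reproduces the two worked numbers from the text: a 457-day externally signed issuer certificate with 1-year credentials leaves 62 days (about 2 months) of use before renewal should start, and a 5-year issuer root with the same credentials triggers the notification 545 days (about 1.5 years) before expiry.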
To create a certificate signing request from the API, make a POST request to https://api.paradym.id/v1/projects/{projectId}/certificates/csrs. See the API Reference for detailed usage information.
{
  "type": "verifierSignRequest",
  "keyType": "P-256",
  "countryName": "NL",
  "commonName": "Example Company BV"
}
Once the certificate signing request has been created, you should share the request with the certificate issuer. The signed certificate can then be imported into Paradym; see Importing an Externally Signed Certificate below.
Importing an Externally Signed Certificate
When the certificate has been signed by the certificate issuer, you can import it into Paradym through the dashboard or API.
Make sure you import the certificate for the correct certificate signing request. The imported certificate must match the certificate signing request (subject, public key, and extensions), and will be rejected otherwise.
To import a signed certificate for a certificate signing request from the API, make a POST request to https://api.paradym.id/v1/projects/{projectId}/certificates/csrs/{certificateSigningRequestId}/import. See the API Reference for detailed usage information.
{
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIB0zCCAYWgAwIBAgIUcxM9poL1rQ9qE+zKG66d1Ot/sswwBQYDK2VwMD8xCzAJ\nBgNVBAYTAk5MMRgwFgYDVQQKDA9BbmltbyBTb2x1dGlvbnMxFjAUBgNVBAMMDUFu\naW1vIFJvb3QgQ0EwHhcNMjYwMTEwMTYxMzU5WhcNMjcwMTEwMTYxMzU5WjApMRow\nGAYDVQQDExFVdG9waWEgR292ZXJubWVudDELMAkGA1UEBhMCTkwwWTATBgcqhkjO\nPQIBBggqhkjOPQMBBwNCAAT9WNvzCjNN2jMErOQ8SngFl9kOYrF2vGM6wzcjOlm5\nZkmP8hAw1Mq4ufWXLrJJSt6nttLmnjp+fhFtt5PLlWg4o3oweDAdBgNVHQ4EFgQU\niYGgIscPPL8onQf7XSjGoh02JgwwDgYDVR0PAQH/BAQDAgeAMCYGA1UdEQQfMB2C\nGzJlM2FmNDdlMTA3Ni5uZ3Jvay1mcmVlLmFwcDAfBgNVHSMEGDAWgBQZnA7JLD1U\nwdTyQo+7q6q34fq6HzAFBgMrZXADQQDUvLOLNklte8eSVzpd0RsPuAZPAdF1cFc3\ngHH2IjAugRiBnCMZ/iz/wtQRymwa5nmCX/xJF+f/n+C3e3jpNtoI\n-----END CERTIFICATE-----"
}
Activate a Certificate
If you have a certificate of a certain certificate type and key type combination and create a new one, the new one will be “pending activation”. This means that the new certificate won’t be used until it is activated. That happens automatically when the currently active one expires.
However, you can manually activate the new one, which automatically deactivates the old one. This can be useful when you want to update information contained in the certificate, or during renewal, if you have already shared the new certificate with all relevant parties and want to start using the new one immediately.
To activate a certificate from the API, make a POST request to https://api.paradym.id/v1/projects/{projectId}/certificates/{certificateId}/activate. See the API Reference for detailed usage information.
Revoking a Certificate
Revoking a certificate should be done if the certificate is compromised. This can be easily done via the dashboard or the API. Afterwards, the certificate will be pending revocation. Once the Certificate Revocation List has been updated, the certificate status will change to revoked.
Note that revoking a certificate is an irreversible operation. In addition, if you revoke a root certificate, we will automatically revoke all its children certificates.
It is not possible to revoke an externally signed certificate (imported through a certificate signing request), as the revocation of certificates is handled by the certificate issuer.
If an externally managed certificate is compromised you need to contact the certificate issuer and request revocation.
To revoke a certificate from the API, make a POST request to https://api.paradym.id/v1/projects/{projectId}/certificates/{certificateId}/revoke. See the API Reference for detailed usage information.
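A small client for the certificate endpoints described in the sections above (creating a root certificate, creating a certificate signing request, importing the signed certificate, activating, and revoking), as an added example. This is not Paradym's SDK: it assumes requests are authenticated with a bearer token in the `Authorization` header and that responses are JSON objects (check the API Reference for the actual scheme), and it only knows the `type` values shown on this page. The `recording_transport` lets the flow run offline; `looks_like_pem_certificate` is a local pre-check only, since Paradym itself verifies that the imported certificate matches the CSR.

```python
"""Client for the Paradym certificate endpoints (added example, not Paradym's SDK).

Assumptions: bearer-token authentication and JSON responses; see the API Reference.
"""
import base64
import json
import re
import urllib.request
from typing import Callable, Optional

API_BASE = "https://api.paradym.id/v1"
Transport = Callable[[str, str, Optional[dict]], dict]


def urllib_transport(api_key: str) -> Transport:
    """Sends requests over HTTPS with urllib (the Authorization scheme is an assumption)."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        req.add_header("Authorization", f"Bearer {api_key}")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def recording_transport(log: list) -> Transport:
    """Offline transport: records each request and returns a constructed response."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        log.append((method, url, body))
        return {"id": "cert_placeholder", "status": "pendingActivation"}  # constructed
    return send


PEM_RE = re.compile(r"^-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+)-----END CERTIFICATE-----\n?$")


def looks_like_pem_certificate(pem: str) -> bool:
    """Cheap local check before upload: PEM framing, valid base64, DER SEQUENCE tag (0x30).

    Paradym still rejects a certificate whose subject, public key or extensions differ from the CSR.
    """
    match = PEM_RE.match(pem)
    if not match:
        return False
    try:
        der = base64.b64decode(match.group(1).replace("\n", ""), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(der) > 2 and der[0] == 0x30


def _check_country(country: str) -> None:
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("countryName must be an ISO 3166-1 alpha-2 code")


class ParadymCertificates:
    def __init__(self, project_id: str, transport: Transport):
        self.base = f"{API_BASE}/projects/{project_id}/certificates"
        self.send = transport

    def create_root(self, cert_type: str, key_type: str, country: str,
                    common_name: Optional[str], issuer_alt_name_url: str) -> dict:
        # "verifierRoot" is the type shown in the docs; see the API Reference for the issuer value.
        _check_country(country)
        body = {"type": cert_type, "keyType": key_type, "countryName": country,
                "issuerAlternativeNameUrl": issuer_alt_name_url}
        if common_name:
            body["commonName"] = common_name
        return self.send("POST", self.base, body)

    def create_csr(self, cert_type: str, key_type: str, country: str, common_name: Optional[str]) -> dict:
        # "verifierSignRequest" is the type shown in the docs; the CSR and its key are dropped after 30 days.
        _check_country(country)
        body = {"type": cert_type, "keyType": key_type, "countryName": country}
        if common_name:
            body["commonName"] = common_name
        return self.send("POST", f"{self.base}/csrs", body)

    def import_signed_certificate(self, csr_id: str, pem: str) -> dict:
        if not looks_like_pem_certificate(pem):
            raise ValueError("not a PEM-encoded X.509 certificate")
        return self.send("POST", f"{self.base}/csrs/{csr_id}/import", {"certificate": pem})

    def activate(self, certificate_id: str) -> dict:
        # Deactivates (does not revoke) the active certificate of the same type and key type.
        return self.send("POST", f"{self.base}/{certificate_id}/activate", None)

    def revoke(self, certificate_id: str) -> dict:
        # Irreversible; revoking a root also revokes its leaf certificates.
        # Not available for imported certificates, whose revocation is handled by the external issuer.
        return self.send("POST", f"{self.base}/{certificate_id}/revoke", None)


if __name__ == "__main__":
    log: list = []
    client = ParadymCertificates("proj_placeholder", recording_transport(log))
    csr = client.create_csr("verifierSignRequest", "P-256", "NL", "Example Company BV")
    # Constructed minimal DER SEQUENCE standing in for the certificate returned by the external CA.
    signed = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    cert = client.import_signed_certificate(csr["id"], signed)
    client.activate(cert["id"])
    for entry in log:
        print(entry)
```

Swap `recording_transport` for `urllib_transport("<api key>")` to run the same flow against the real API; keeping the transport injectable makes the CSR, import and activate steps easy to exercise in CI before the externally signed certificate is actually due.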
Presentation Templates
You can use the certificates to authenticate presentation requests. To do so, you first need to create a certificate, as described above. Then, you need to create a Presentation Template as described in the documentation. On that page, you can choose the authentication method, which, by default, will be did:web. You can also choose to use any of the available X.509 certificates.