Caution
This repository contains experimental code and is not suitable for production usage!
The X509 certificate Issuer is a Go-based tool designed for issuing Verifiable Credentials signed by an X509 certificate. The issuer creates a did:x509 based on the PKI certificate chain. Its main purpose is to create verifiable credentials from certificates issued by the UZI certificate chain from the CIBG registry.
The X509 certificate Issuer generates a Verifiable Credential of type X509Credential with the following features:
- The DID method is a customized did:x509 DID pointing to the x5c header.
- The x5c header is filled with the certificate chain. The chain is built from:
  - The provided UZI server (Test) certificate.
  - All the required certificates from the UZI register.
  - If the test mode is enabled, the Test UZI register.
- The VC is signed by the private key of the X509 certificate.
- The VC is issued to the provided DID and name.
The VCs signed by this application are cryptographic proofs, signed by the private key used in the X509 certificate process. Note that:
- This private key is supposed to be kept very secret.
- The Subject DID of the signed credential is mandated with cryptographic proof to act on behalf of the owner of the private key on the NUTS network.
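The following Go program is an added example, not code from this repository. It illustrates two of the properties listed above: how a certificate chain is encoded into an x5c header value, and a pre-flight check that the signing key really is the private key of the leaf certificate. The function names `X5C`, `CheckSigner` and `SelfSigned` are hypothetical, and the self-signed P-256 certificate is constructed sample input standing in for a UZI server certificate.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// X5C (hypothetical name, not the issuer's API) encodes a leaf-first chain as a JOSE x5c
// value (RFC 7515, 4.1.6): standard padded base64 of each certificate's DER, not base64url.
func X5C(chain []*x509.Certificate) (out []string) {
	for _, c := range chain {
		out = append(out, base64.StdEncoding.EncodeToString(c.Raw))
	}
	return out
}

// CheckSigner fails unless key is the private key of the leaf certificate, chain[0].
func CheckSigner(chain []*x509.Certificate, key crypto.Signer) error {
	if len(chain) == 0 { return fmt.Errorf("empty certificate chain") }
	pub, ok := chain[0].PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(key.Public()) { return fmt.Errorf("signing key does not match leaf certificate") }
	return nil
}

// SelfSigned returns a constructed one-certificate chain and its key (sample input only).
func SelfSigned(cn string) ([]*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return []*x509.Certificate{cert}, key, err
}

func main() {
	chain, key, err := SelfSigned("constructed-leaf")
	_, other, err2 := SelfSigned("constructed-other")
	if err != nil || err2 != nil { panic("sample key generation failed") }
	fmt.Println(len(X5C(chain)), CheckSigner(chain, key), CheckSigner(chain, other))
}
```

Running the same key-match check before signing catches a mismatched certificate_file and signing_key pair early, instead of producing a credential whose signature cannot be verified against the x5c leaf.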
Before you begin, ensure you have met the following requirements:
- You have installed Go SDK 1.23.1 or a compatible version.
- You are using a Unix-based operating system like macOS or Linux.
- You have the necessary permissions to install software and manage certificates.
Follow these steps to set up the project:
- Clone the repository:
git clone https://github.com/nuts-foundation/uzi-did-x509-issuer
- Change to the project directory:
cd uzi-did-x509-issuer
- Download dependencies:
go mod download && go mod verify
- Build the project:
go build -ldflags="-w -s " -o ./issuer
or
make build
- Run the application:
./issuer
- Getting command line help: use the CLI options provided by the application to generate new certificates. Refer to the help command for more details:
./issuer --help
- Call for generating a VC:
  - The following parameters are required:
    - certificate_file, the PEM file of the URA server certificate.
    - signing_key, the unencrypted PEM file of the private key used for signing.
    - subject_did and subject_name, the vc.subject.id and vc.subject.name of the generated verifiable credential.
  - Example call with a TEST certificate:
./issuer vc cert.pem key.key did:web:example.com:example --test
  - Example call with a production certificate:
./issuer vc cert.pem key.key did:web:example.com:example
This project downloads the relevant CA certs from:
The following command converts .cer files to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
The logic for validating an X509Credential is described in the VC_VALIDATION.md file.
We welcome contributions! To contribute:
- Fork the repository.
- Create a new branch (git checkout -b feature-branch).
- Make your changes.
- Commit your changes (git commit -am 'Add new feature').
- Push to the branch (git push origin feature-branch).
- Create a new Pull Request.
Please ensure your code follows the project's coding conventions and passes all tests.
This project is licensed under the MIT License. See the LICENSE file for details.
If you have any questions or suggestions, feel free to open an issue or contact the project maintainers at roland@headease.nl.