Certificate Setup
DocsConfigurationCertificate Setup

Certificate Setup

Self-signed vs CA-signed KSP certificates

KSP uses custom binary certificates signing Ed25519 public keys. Standard X509 certificates (used in TLS) are not supported.

Generating Developer Keys

Use the built-in KSP command-line utility (ksp-cli) to generate keypairs and sign certificates.

1. Generate Self-Signed Cert (for local testing):

# Create a self-signed certificate bound to domain localhost
ksp-cli cert generate --subject "localhost" --out-cert server.cert --out-key server.key

2. Generate CA-Signed Certificates:

# Step A: Generate CA Root Authority Keys
ksp-cli cert generate-ca --subject "KSP Local Root CA" --out-cert ca.cert --out-key ca.key

# Step B: Sign a Server Certificate using the CA Root
ksp-cli cert sign --ca-cert ca.cert --ca-key ca.key --subject "api.service.internal" --out-cert server.cert

Trust Store Setup

Clients verifying CA-signed certificates must possess a copy of the root ca.cert. Register the root cert in your client configuration file under trust_anchors = ["/etc/ksp/certs/ca.cert"].