Certificate Setup
Certificate Setup
Self-signed vs CA-signed KSP certificates
KSP uses custom binary certificates signing Ed25519 public keys. Standard X509 certificates (used in TLS) are not supported.
Generating Developer Keys
Use the built-in KSP command-line utility (ksp-cli) to generate keypairs and sign certificates.
1. Generate Self-Signed Cert (for local testing):
# Create a self-signed certificate bound to domain localhost ksp-cli cert generate --subject "localhost" --out-cert server.cert --out-key server.key
2. Generate CA-Signed Certificates:
# Step A: Generate CA Root Authority Keys ksp-cli cert generate-ca --subject "KSP Local Root CA" --out-cert ca.cert --out-key ca.key # Step B: Sign a Server Certificate using the CA Root ksp-cli cert sign --ca-cert ca.cert --ca-key ca.key --subject "api.service.internal" --out-cert server.cert
Trust Store Setup
Clients verifying CA-signed certificates must possess a copy of the root ca.cert. Register the root cert in your client configuration file under trust_anchors = ["/etc/ksp/certs/ca.cert"].