Proof Certificate Authority
Proof's public Certificate Authority anchors every Verifiable Credential in a published chain of trust.
A Certificate Authority is an organization responsible for the creation, issuance, revocation, and management of certificates. Proof operates a Certificate Authority that signs every Verifiable Credential we issue, so a Verifier can validate any credential by walking standard X.509 certificates up to the Proof Root CA R1.
PKI hierarchy
Proof Root CA R1 is a self-signed Certificate Authority valid for 25 years. Its private key is held in an offline HSM and it does not directly sign Verifiable Credentials. The Root CA issues five Issuing CAs, each scoped to a specific category of artifact. Issuing CAs are valid for 5 years and stored in HSMs.
Verifiable Credential Issuing CAs
Two of the five Issuing CAs participate in Verifiable Credential operations.
Proof Organization Authenticity Issuing CA R1 signs an end-entity certificate issued to Proof.com. The corresponding private key signs every Verifiable Credential. A Verifier walks this chain to confirm Proof issued the credential.
Proof Individual Authenticity Issuing CA R1 signs an end-entity certificate issued to each Proof user. The user's public key appears in the credential's cnf.jwk claim, and the corresponding private key signs every Key Binding JWT. A Verifier walks this chain to confirm the right user is presenting.
PKI artifacts
| Artifact | Endpoint | Purpose |
|---|---|---|
| Root CA certificate | http://cert.proof.com/proof-root-ca-r1.crt | Trust anchor. Pin once. |
| Certificate Revocation List | http://crl.proof.com/crl/proof-root-ca-r1.crl | Revocation check for Issuing CAs. |
| OCSP responder | http://ocsp.proof.com | Real-time per-certificate revocation. |
| JWKS | https://api.proof.com/openid-connect/jwks | Public signing keys. Each entry has a kid and an x5c chain. |
With the Root CA certificate pinned as your trust anchor, every Proof Verifiable Credential validates offline, with no live call beyond the JWKS and (optional) OCSP.
Signature verification
Verifying the issuance chain:
- Fetch the JWKS and locate the issuer signing key by kid.
- Read its x5c header. The chain runs through Proof Organization Authenticity Issuing CA R1 to Proof Root CA R1.
- Validate every certificate, checking revocation against the CRL or OCSP.
- Verify the credential signature with the validated public key.
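The first three steps above, as an added Ruby example (not Proof's code and not the example from the Verify a Credential page): it selects the JWK by kid, decodes x5c, and returns the leaf only if it chains to the pinned root. The names `validated_leaf`, `issue`, `demo_pki` and `demo-kid` are hypothetical, and the PKI is constructed at runtime with demo subject names and RSA keys (an assumption about key type); revocation checking and the credential signature check are left out.

```ruby
require "openssl"

# Added example: select the JWK by kid, decode its x5c (leaf first, standard
# base64 DER) and return the leaf only if it chains to the pinned root.
# CRL/OCSP revocation and the credential signature check are not done here.
def validated_leaf(jwks, kid, pinned_root)
  jwk = jwks.fetch("keys", []).find { |k| k["kid"] == kid }
  certs = Array(jwk && jwk["x5c"]).map { |b64| OpenSSL::X509::Certificate.new(b64.unpack1("m0")) }
  return nil if certs.empty?
  store = OpenSSL::X509::Store.new
  store.add_cert(pinned_root) # sole trust anchor; nothing from x5c is ever trusted
  store.verify(certs.first, certs.drop(1)) ? certs.first : nil
rescue ArgumentError, OpenSSL::X509::CertificateError
  nil # malformed base64 or DER counts as a failed validation
end

# Constructed demo certificate (assumption: RSA keys, demo names); nil parent self-signs.
def issue(cn, ca, parent = nil, parent_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = parent ? parent.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(parent_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Returns [root_cert, jwks] for a constructed root -> issuing CA -> end-entity chain.
def demo_pki
  root, root_key = issue("Demo Root CA", true)
  ca, ca_key = issue("Demo Issuing CA", true, root, root_key)
  leaf, = issue("demo issuer", false, ca, ca_key)
  x5c = [leaf, ca].map { |c| [c.to_der].pack("m0") }
  [root, { "keys" => [{ "kid" => "demo-kid", "x5c" => x5c }] }]
end

if __FILE__ == $PROGRAM_NAME
  root, jwks = demo_pki
  lookalike_root, = demo_pki # same subject names, different keys
  puts validated_leaf(jwks, "demo-kid", root) ? "accepted" : "rejected"
  puts validated_leaf(jwks, "demo-kid", lookalike_root) ? "accepted" : "rejected"
end
```

The second call pins a root with identical subject names but a different key, so the chain is rejected: trust follows the pinned certificate, not the names in the chain.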
Verifying the holder binding chain:
- Read cnf.jwk from the credential payload.
- The matching end-entity certificate, issued by Proof Individual Authenticity Issuing CA R1, also chains to Proof Root CA R1.
- Validate the chain, then verify the Key Binding JWT signature with cnf.jwk.
A runnable example with library suggestions is on Verify a Credential.
Certificate Policy
Proof operates as a Certificate Authority under its published Certificate Policy, which governs key management, issuance, revocation, audit, and incident response.
See also: SD-JWT VC Format · Verify a Credential · Glossary