The signing service needs an issuer. In this stage you mint a self-signed root CA using the built-in Root Certificate Authority certificate profile and an RSA Signing key type.
1. List the certificate profiles

Certificate-profile UUIDs are environment-specific, so list them rather than hardcoding:
GET /api/v2/x509/cert-profiles/stubs
curl -sk "${AUTH[@]}" -b "$CJ" \
  "$B/api/v2/x509/cert-profiles/stubs?pageSize=50"
Response (truncated to relevant profiles)
{
  "success": true,
  "errorCode": "Success",
  "response": {
    "results": [
      {
        "objInfo": {
          "name": "Root Certificate Authority",
          "uuid": "01000000-b069-0001-0000-000000000001"
        },
        "validityPeriod": { "unit": "Year", "amount": "20" },
        "system": true
      },
      {
        "objInfo": {
          "name": "Code Signing Certificate",
          "uuid": "01000000-b069-0001-0000-000000000007"
        },
        "system": true
      }
    ]
  }
}
2. List the key types

Key-type UUIDs are likewise environment-specific. The key-types/stubs endpoint is a POST that accepts a pagination/filter body; use search to narrow the results:
POST /api/v2/key-types/stubs
curl -sk "${AUTH[@]}" -b "$CJ" -X POST \
  "$B/api/v2/key-types/stubs" \
  -H 'Content-Type: application/json' \
  -d '{"pageSize":200,"search":"RSA"}'
Response (RSA Signing key types)
{
  "success": true,
  "errorCode": "Success",
  "response": {
    "results": [
      { "objInfo": { "name": "RSA 2048 Signing", "uuid": "01000001-5b7d-0001-0001-000000000001" },
        "parameters": { "keyAlgorithm": "Rsa", "keySize": 2048 } },
      { "objInfo": { "name": "RSA 3072 Signing", "uuid": "01000001-5b7d-0001-0001-000000000004" },
        "parameters": { "keyAlgorithm": "Rsa", "keySize": 3072 } },
      { "objInfo": { "name": "RSA 4096 Signing", "uuid": "01000001-5b7d-0001-0001-000000000007" },
        "parameters": { "keyAlgorithm": "Rsa", "keySize": 4096 } }
    ],
    "pagination": { "total": 4 }
  }
}
Capture the two UUIDs you intend to use:
ROOT_PROFILE=01000000-b069-0001-0000-000000000001   # Root Certificate Authority
RSA_KEYTYPE=01000001-5b7d-0001-0001-000000000007     # RSA 4096 Signing
3. Generate the CA

Call POST /api/v2/x509/generate with the root profile, a new RSA key (newKey), and both saveCert and trustCert set to true so the resulting certificate is persisted and trusted as an issuer.
POST /api/v2/x509/generate
curl -sk "${AUTH[@]}" -b "$CJ" -X POST \
  "$B/api/v2/x509/generate" \
  -H 'Content-Type: application/json' \
  -d @- <<JSON
{
  "certProfileUuid": "$ROOT_PROFILE",
  "subjectOneline": "CN=REST API Code Signing Root,O=Example,C=US",
  "newKey": {
    "keyTypeUuid": "$RSA_KEYTYPE",
    "save": true
  },
  "certParams": {
    "validityPeriod": { "unit": "Year", "amount": "10" },
    "caType": "Root"
  },
  "saveCert": true,
  "trustCert": true
}
JSON
Response
{
  "success": true,
  "errorCode": "Success",
  "response": {
    "certificateUuid": "020000aa-....-............",
    "keyUuid": "030000bb-....-............",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIF...\n-----END CERTIFICATE-----\n"
  }
}
Record certificateUuid; it is the issuer UUID you will reference when deploying the signing service:
ROOT_CERT=020000aa-....-............   # certificateUuid from the response
When newKey.keyTypeUuid is supplied, the key parameters (algorithm, size, usages) are inherited from the chosen key type, so an explicit keyParams block is not required. Set save: true so the private key is persisted and can be used to issue further certificates.
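The following is an added example, not code from the Futurex documentation: it resolves the profile and key-type UUIDs from steps 1 and 2 by exact name and builds the step 3 request body, refusing to proceed when a name is missing or ambiguous. The sample responses are trimmed copies of the ones shown above; the helper names and the 3072-bit minimum are assumptions of this example.

```python
import json

# Constructed sample responses, trimmed from the ones shown above.
PROFILES = json.loads("""{"success": true, "response": {"results": [
  {"objInfo": {"name": "Root Certificate Authority",
               "uuid": "01000000-b069-0001-0000-000000000001"}, "system": true},
  {"objInfo": {"name": "Code Signing Certificate",
               "uuid": "01000000-b069-0001-0000-000000000007"}, "system": true}]}}""")
KEY_TYPES = json.loads("""{"success": true, "response": {"results": [
  {"objInfo": {"name": "RSA 2048 Signing", "uuid": "01000001-5b7d-0001-0001-000000000001"},
   "parameters": {"keyAlgorithm": "Rsa", "keySize": 2048}},
  {"objInfo": {"name": "RSA 4096 Signing", "uuid": "01000001-5b7d-0001-0001-000000000007"},
   "parameters": {"keyAlgorithm": "Rsa", "keySize": 4096}}]}}""")


def find_stub(listing, name):
    """Return the single stub whose objInfo.name equals `name` exactly."""
    if not listing.get("success"):
        raise ValueError("listing call failed: %s" % listing.get("errorCode"))
    hits = [r for r in listing["response"]["results"]
            if r["objInfo"]["name"] == name]
    if len(hits) != 1:  # zero or ambiguous: refuse to guess a profile or key type
        raise LookupError("%d stubs named %r" % (len(hits), name))
    return hits[0]


def root_ca_request(profiles, key_types, key_type_name, subject, min_bits=3072):
    """Build the /api/v2/x509/generate body from names instead of hardcoded UUIDs."""
    profile = find_stub(profiles, "Root Certificate Authority")
    key_type = find_stub(key_types, key_type_name)
    params = key_type["parameters"]
    # min_bits is a local policy floor chosen for this example, not an API rule.
    if params["keyAlgorithm"] != "Rsa" or params["keySize"] < min_bits:
        raise ValueError("%s does not meet the RSA >= %d policy" % (key_type_name, min_bits))
    return {
        "certProfileUuid": profile["objInfo"]["uuid"],
        "subjectOneline": subject,
        "newKey": {"keyTypeUuid": key_type["objInfo"]["uuid"], "save": True},
        "certParams": {"validityPeriod": {"unit": "Year", "amount": "10"},
                       "caType": "Root"},
        "saveCert": True,
        "trustCert": True,
    }


if __name__ == "__main__":
    body = root_ca_request(PROFILES, KEY_TYPES, "RSA 4096 Signing",
                           "CN=REST API Code Signing Root,O=Example,C=US")
    print(json.dumps(body, indent=2))
```

In a real run, replace the two sample dictionaries with the parsed JSON returned by the listing calls in steps 1 and 2, then send the resulting body to the generate endpoint.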