> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Step 2: Mint a signing CA

> Mint a self-signed signing CA using a certificate profile and an RSA Signing key type.

The signing service needs an issuer. In this stage you mint a **self-signed root CA** using the built-in **Root Certificate Authority** certificate profile and an **RSA Signing** key type.

<Steps>
  <Step title="List the certificate profiles">
    Certificate-profile UUIDs are environment-specific, so list them rather than hardcoding:

    ```bash lines wrap title="GET /api/v2/x509/cert-profiles/stubs" theme={null}
    curl -sk "${AUTH[@]}" -b "$CJ" \
      "$B/api/v2/x509/cert-profiles/stubs?pageSize=50"
    ```

    ```json expandable lines wrap title="Response (truncated to relevant profiles)" theme={null}
    {
      "success": true,
      "errorCode": "Success",
      "response": {
        "results": [
          {
            "objInfo": {
              "name": "Root Certificate Authority",
              "uuid": "01000000-b069-0001-0000-000000000001"
            },
            "validityPeriod": { "unit": "Year", "amount": "20" },
            "system": true
          },
          {
            "objInfo": {
              "name": "Code Signing Certificate",
              "uuid": "01000000-b069-0001-0000-000000000007"
            },
            "system": true
          }
        ]
      }
    }
    ```
  </Step>

  <Step title="List the key types">
    Key-type UUIDs are likewise environment-specific. The `key-types/stubs` endpoint is a `POST` that accepts a pagination/filter body; use `search` to narrow the results:

    ```bash lines wrap title="POST /api/v2/key-types/stubs" theme={null}
    curl -sk "${AUTH[@]}" -b "$CJ" -X POST \
      "$B/api/v2/key-types/stubs" \
      -H 'Content-Type: application/json' \
      -d '{"pageSize":200,"search":"RSA"}'
    ```

    ```json expandable lines wrap title="Response (RSA Signing key types)" theme={null}
    {
      "success": true,
      "errorCode": "Success",
      "response": {
        "results": [
          { "objInfo": { "name": "RSA 2048 Signing", "uuid": "01000001-5b7d-0001-0001-000000000001" },
            "parameters": { "keyAlgorithm": "Rsa", "keySize": 2048 } },
          { "objInfo": { "name": "RSA 3072 Signing", "uuid": "01000001-5b7d-0001-0001-000000000004" },
            "parameters": { "keyAlgorithm": "Rsa", "keySize": 3072 } },
          { "objInfo": { "name": "RSA 4096 Signing", "uuid": "01000001-5b7d-0001-0001-000000000007" },
            "parameters": { "keyAlgorithm": "Rsa", "keySize": 4096 } }
        ],
        "pagination": { "total": 4 }
      }
    }
    ```

    Capture the two UUIDs you intend to use:

    ```bash lines wrap theme={null}
    ROOT_PROFILE=01000000-b069-0001-0000-000000000001   # Root Certificate Authority
    RSA_KEYTYPE=01000001-5b7d-0001-0001-000000000007     # RSA 4096 Signing
    ```
  </Step>

  <Step title="Generate the CA">
    Call `POST /api/v2/x509/generate` with the root profile, a new RSA key (`newKey`), and both `saveCert` and `trustCert` set to `true` so the resulting certificate is persisted and trusted as an issuer.

    ```bash expandable lines wrap title="POST /api/v2/x509/generate" theme={null}
    curl -sk "${AUTH[@]}" -b "$CJ" -X POST \
      "$B/api/v2/x509/generate" \
      -H 'Content-Type: application/json' \
      -d @- <<JSON
    {
      "certProfileUuid": "$ROOT_PROFILE",
      "subjectOneline": "CN=REST API Code Signing Root,O=Example,C=US",
      "newKey": {
        "keyTypeUuid": "$RSA_KEYTYPE",
        "save": true
      },
      "certParams": {
        "validityPeriod": { "unit": "Year", "amount": "10" },
        "caType": "Root"
      },
      "saveCert": true,
      "trustCert": true
    }
    JSON
    ```

    ```json expandable lines wrap title="Response" theme={null}
    {
      "success": true,
      "errorCode": "Success",
      "response": {
        "certificateUuid": "020000aa-....-............",
        "keyUuid": "030000bb-....-............",
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIF...\n-----END CERTIFICATE-----\n"
      }
    }
    ```

    Record `certificateUuid`; it is the issuer UUID you will reference when deploying the signing service:

    ```bash lines wrap theme={null}
    ROOT_CERT=020000aa-....-............   # certificateUuid from the response
    ```

    <Note>
      When `newKey.keyTypeUuid` is supplied, the key parameters (algorithm, size, usages) are inherited from the chosen key type, so an explicit `keyParams` block is not required. Set `save: true` so the private key is persisted and can be used to issue further certificates.
    </Note>
  </Step>
</Steps>
