> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Step 3: Deploy a PKI Signing service

> Deploy a PKI Signing service with an embedded signing certificate via the deploy API.

Deploy a code-signing service from the **PKI Signing** service template via `POST /cuserv/v1/services/deploy`. The signing certificate is minted **inside** the deploy call using a `newCert` block.

<Warning>
  **Deployment gotchas - read these first:**

  * The service block key is lowercase **`pkisigning`** (not `pkiSigning` or `PkiSigning`). A wrong case silently produces a service with no signing certificate.
  * You **must** mint the signing certificate through the embedded **`newCert`** block. A certificate created separately via `/api/v2/x509/generate` does **not** associate its private key with the service and cannot be used for signing.
  * `validityPeriod` is an object: `{ "unit": "Year", "amount": "5" }` - `amount` is a string, and `unit` is one of `Millisecond`, `Second`, `Minute`, `Hour`, `Day`, `Week`, `Month`, `Year`.
  * The deployer **auto-creates the signing policy** for you from `signingFormat`, `numApprovals`, and `hashAlgorithm`. You do not create the policy separately; you read it back in Step 4.
</Warning>

```bash expandable lines wrap title="POST /cuserv/v1/services/deploy" theme={null}
curl -sk "${AUTH[@]}" -b "$CJ" -X POST \
  "$B/cuserv/v1/services/deploy" \
  -H 'Content-Type: application/json' \
  -d @- <<JSON
{
  "template": "PKI Signing",
  "name": "REST API Code Signing",
  "pkisigning": {
    "newCert": {
      "issuerUuid": "$ROOT_CERT",
      "subjectOneline": "CN=REST API Code Signing,O=Example,C=US",
      "newKey": {
        "keyTypeUuid": "$RSA_KEYTYPE",
        "save": true
      },
      "certParams": {
        "validityPeriod": { "unit": "Year", "amount": "5" }
      }
    },
    "signingFormat": "CMS",
    "numApprovals": 0,
    "hashAlgorithm": "Sha2_256"
  }
}
JSON
```

```json expandable lines wrap title="Response" theme={null}
{
  "success": true,
  "errorCode": "Success",
  "response": {
    "serviceUuid": "040000cc-....-............"
  }
}
```

Record the service UUID:

```bash lines wrap theme={null}
SERVICE=040000cc-....-............   # serviceUuid from the deploy response
```

<Note>
  `hashAlgorithm` accepts the `HashType` enum: `Md5`, `RipeMd`, `Sha1`, `Sha2_224`, `Sha2_256`, `Sha2_384`, `Sha2_512`, `Sha3_224`, `Sha3_256`, `Sha3_384`, `Sha3_512`, `Shake128`, `Shake256`, `Shake256_64`. `Sha2_256` is the appropriate default for RSA code signing.

  `numApprovals: 0` means signing requests are signed immediately on submission. Set a higher value to require explicit approvals (see Step 5 and the closing note).
</Note>
