---
title: "Intermediate Certificates"
description: ""
url: https://instituteofprovenance.org/docs/intermediate-certificates
source: Institute of Provenance
---
# Intermediate Certificates

Intermediate certificates are issued by the Root CA to Certified Orbital operators. They authorize the holder to issue leaf certificates and manage certificate state within their organizational scope.

## Properties

| Field | Value |
|-------|-------|
| Issuer | Institute of Provenance Root CA |
| Algorithm | Ed25519 |
| Validity | Multi-year (typically 2–5 years) |
| Key Usage | Certificate Sign, CRL Sign |
| Basic Constraints | CA:TRUE, pathLenConstraint:0 |
| Extended Key Usage | id-xio-orbital-intermediate |

## Certified Orbital Program

Organizations receive intermediate certificates through the Certified Orbital program. This process verifies that the operator:

1. Has the infrastructure to securely manage private key material
2. Can issue and revoke leaf certificates in compliance with the specification
3. Maintains the Sparse Merkle Tree state for certificate revocation proofs
4. Operates an Orbital node that responds to wire protocol queries

The Certified Orbital program is administered by the Institute and documented separately.

## Scope

Each intermediate certificate is scoped to the issuing organization. An intermediate is authorized to sign leaf certificates only for identities within its authorized domain. The scope is encoded in the certificate's Subject and custom extensions, and it is a constraint that verifiers must enforce, not merely a policy on the operator: a leaf whose identity falls outside the scope of the intermediate that signed it must be rejected during path validation, even if its signature is valid.

## Path Length Constraint

Intermediate certificates have `pathLenConstraint:0`, meaning that no further CA certificate may follow them in a valid chain: an intermediate can sign leaf certificates, but any CA certificate it signs must be rejected by a conforming verifier during path validation. This enforces the three-tier hierarchy (Root CA, intermediate, leaf).
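The constraints in the Properties table, the scope rule and the path-length rule are only as strong as the verifier that enforces them. The following is an added example, not Institute of Provenance code: a chain validator that models certificates as plain records and applies the issuer linkage, Basic Constraints, Key Usage, Extended Key Usage, pathLenConstraint and scope checks to a Root to Intermediate to Leaf chain, rejecting both an out-of-scope leaf and a sub-CA signed under `pathLenConstraint:0`. Signature verification is assumed to happen separately. The scope encoding (an authorized DNS-style domain with label-wise subdomain matching), the `Cert` record type and all subject names are assumptions; the page does not specify how scope is encoded, nor the OID value of `id-xio-orbital-intermediate`.

```python
"""Chain constraint checks for Root -> Intermediate -> Leaf.

Added example, not Institute of Provenance code. Certificates are plain
records carrying the fields from the Properties table; signatures are
assumed to be verified separately (e.g. Ed25519 over the TBS bytes).
The scope encoding (an authorized DNS-style domain, subdomain matching)
and all subject names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROOT_NAME = "Institute of Provenance Root CA"
# EKU name from the Properties table; the page gives no OID value for it.
EKU_INTERMEDIATE = "id-xio-orbital-intermediate"
SIGNING_USAGE = frozenset({"Certificate Sign", "CRL Sign"})


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool                              # Basic Constraints CA flag
    path_len: Optional[int] = None        # pathLenConstraint; None = absent
    key_usage: frozenset = frozenset()
    eku: frozenset = frozenset()
    scope: Optional[str] = None           # assumed custom extension; None = unrestricted


def in_scope(identity: str, domain: Optional[str]) -> bool:
    """Label-wise match: identity is the domain itself or a subdomain of it.
    A None domain (the root) imposes no restriction."""
    if domain is None:
        return True
    return identity == domain or identity.endswith("." + domain)


def validate_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """Apply constraint checks to [root, intermediate, ..., leaf]."""
    if len(chain) < 2:
        return False, "chain needs at least a trust anchor and a leaf"
    root, leaf = chain[0], chain[-1]
    if root.subject != ROOT_NAME or root.issuer != ROOT_NAME or not root.ca:
        return False, "trust anchor is not the Institute Root CA"

    # Issuer linkage: every certificate is issued by the one before it.
    for prev, cur in zip(chain, chain[1:]):
        if cur.issuer != prev.subject:
            return False, f"{cur.subject!r} was not issued by {prev.subject!r}"

    cas = chain[:-1]  # root plus any intermediates
    for i, ca in enumerate(cas):
        if not ca.ca or not SIGNING_USAGE <= ca.key_usage:
            return False, f"{ca.subject!r} is not a certificate-signing CA"
        # RFC 5280 semantics: at most path_len further CA certificates may
        # follow this one in the chain; the leaf is not counted.
        following = len(cas) - i - 1
        if ca.path_len is not None and following > ca.path_len:
            return False, f"{ca.subject!r} pathLenConstraint:{ca.path_len} exceeded"
        if i > 0:  # intermediates only
            if EKU_INTERMEDIATE not in ca.eku:
                return False, f"{ca.subject!r} lacks EKU {EKU_INTERMEDIATE}"
            if ca.scope is None or not in_scope(ca.scope, cas[i - 1].scope):
                return False, f"{ca.subject!r} scope is missing or wider than its issuer's"

    if leaf.ca:
        return False, "leaf must be an end-entity certificate (CA:FALSE)"
    issuer = cas[-1]
    if not in_scope(leaf.subject, issuer.scope):
        return False, f"leaf {leaf.subject!r} is outside scope {issuer.scope!r}"
    return True, "ok"


# Constructed sample certificates (not real Institute-issued data).
ROOT_CERT = Cert(ROOT_NAME, ROOT_NAME, ca=True, key_usage=SIGNING_USAGE)
OPERATOR_CA = Cert("Example Orbital Operator", ROOT_NAME, ca=True, path_len=0,
                   key_usage=SIGNING_USAGE, eku=frozenset({EKU_INTERMEDIATE}),
                   scope="example.test")
LEAF_OK = Cert("node1.example.test", "Example Orbital Operator", ca=False)
LEAF_OUT_OF_SCOPE = Cert("node1.other.test", "Example Orbital Operator", ca=False)
# A sub-CA the operator signed despite its own pathLenConstraint:0.
ROGUE_SUB_CA = Cert("Rogue Sub-CA", "Example Orbital Operator", ca=True, path_len=0,
                    key_usage=SIGNING_USAGE, eku=frozenset({EKU_INTERMEDIATE}),
                    scope="example.test")
LEAF_VIA_ROGUE = Cert("node2.example.test", "Rogue Sub-CA", ca=False)

if __name__ == "__main__":
    for chain in ([ROOT_CERT, OPERATOR_CA, LEAF_OK],
                  [ROOT_CERT, OPERATOR_CA, LEAF_OUT_OF_SCOPE],
                  [ROOT_CERT, OPERATOR_CA, ROGUE_SUB_CA, LEAF_VIA_ROGUE]):
        print(chain[-1].subject, "->", validate_chain(chain))
```

The path-length check counts only CA certificates that follow the constrained one, so the rogue chain is rejected at the operator's certificate rather than at the sub-CA; the scope check is applied both to the leaf and to the nesting of intermediates under their issuer, which is what makes the constraint hold even if an operator misbehaves.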

## Revocation

Intermediate certificates can be revoked by the Institute. Revocation state is maintained in the Root CA's Sparse Merkle Tree and is verifiable via inclusion/exclusion proofs: an inclusion proof shows that the certificate has been recorded as revoked, an exclusion proof shows that it has not. Given the long validity of intermediates, revocation is a critical safety mechanism for cases where an operator's key material is compromised or the operator is no longer authorized. Because an intermediate's revocation is recorded in the Root CA's tree while the leaf certificates it issued are tracked in the operator's own tree, fully validating a leaf requires an exclusion proof for the intermediate from the Root CA's tree and one for the leaf from the operator's tree. A verifier that cannot obtain or verify a proof against the current tree root should treat the certificate as untrusted rather than as unrevoked.
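An added example of the inclusion/exclusion proof mechanism described above; it is not Institute of Provenance code. It builds a Sparse Merkle Tree keyed by the SHA-256 of a certificate identifier, has the tree operator (the Root CA for intermediates, or an operator for its leaves) produce a proof for any identifier, and has the relying party recompute the root from the claimed leaf and fail closed when the proof does not match the root it trusts. The key derivation, leaf encoding, and domain-separation prefixes are assumptions; the page specifies none of them.

```python
"""Sparse Merkle Tree revocation state with inclusion/exclusion proofs.

Added example, not Institute of Provenance code. The certificate-to-key
mapping, the leaf encoding and the 0x00/0x01 domain-separation prefixes
are assumptions; the page only states that revocation is proven by SMT
inclusion/exclusion proofs.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

DEPTH = 256  # one tree level per bit of a SHA-256 key


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(record: bytes) -> bytes:
    return _h(b"\x00", record)          # 0x00 prefix marks a leaf


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01", left, right)     # 0x01 prefix marks an inner node


# EMPTY[k] is the hash of an empty subtree of height k (EMPTY[0] = empty leaf),
# so empty regions of the tree never need to be materialised.
EMPTY: List[bytes] = [leaf_hash(b"")]
for _ in range(DEPTH):
    EMPTY.append(node_hash(EMPTY[-1], EMPTY[-1]))


def key_for(cert_id: str) -> bytes:
    """Tree position of a certificate (assumed: SHA-256 of its identifier)."""
    return hashlib.sha256(cert_id.encode()).digest()


def _bit(key: bytes, i: int) -> int:
    return (key[i // 8] >> (7 - (i % 8))) & 1


class RevocationTree:
    """Tree-operator side: holds revocation records and produces proofs."""

    def __init__(self) -> None:
        self._leaves: Dict[bytes, bytes] = {}

    def revoke(self, cert_id: str, record: str) -> None:
        self._leaves[key_for(cert_id)] = record.encode()

    def _subtree(self, keys: List[bytes], level: int) -> bytes:
        """Hash of the subtree rooted at `level` that contains exactly `keys`."""
        if not keys:
            return EMPTY[DEPTH - level]
        if level == DEPTH:
            return leaf_hash(self._leaves[keys[0]])
        left = [k for k in keys if _bit(k, level) == 0]
        right = [k for k in keys if _bit(k, level) == 1]
        return node_hash(self._subtree(left, level + 1),
                         self._subtree(right, level + 1))

    def root(self) -> bytes:
        return self._subtree(list(self._leaves), 0)

    def prove(self, cert_id: str) -> Tuple[Optional[bytes], List[bytes]]:
        """Return (record or None, sibling hashes from root to leaf).
        record is None for a certificate not in the tree: an exclusion proof."""
        key = key_for(cert_id)
        keys = list(self._leaves)
        siblings = []
        for level in range(DEPTH):
            b = _bit(key, level)
            siblings.append(self._subtree([k for k in keys if _bit(k, level) != b], level + 1))
            keys = [k for k in keys if _bit(k, level) == b]
        return self._leaves.get(key), siblings


def verify_proof(root: bytes, cert_id: str, record: Optional[bytes],
                 siblings: List[bytes]) -> bool:
    """Relying-party side: recompute the root from the claimed leaf."""
    if len(siblings) != DEPTH:
        return False
    key = key_for(cert_id)
    h = EMPTY[0] if record is None else leaf_hash(record)
    for level in range(DEPTH - 1, -1, -1):
        sib = siblings[level]
        h = node_hash(h, sib) if _bit(key, level) == 0 else node_hash(sib, h)
    return h == root


def revocation_status(root: bytes, cert_id: str, record: Optional[bytes],
                      siblings: List[bytes]) -> str:
    """'revoked', 'good' or 'unverifiable'. Fails closed: a proof that does
    not match the trusted root is never reported as 'good'."""
    if not verify_proof(root, cert_id, record, siblings):
        return "unverifiable"
    return "revoked" if record is not None else "good"
```

The trusted `root` is the input that matters: the relying party must obtain it from a source it trusts (the page does not say how it is distributed), because a proof is only meaningful relative to a specific root, and a stale root lets an attacker replay an exclusion proof for a certificate revoked since.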

## Renewal

Intermediate certificates are renewed through the same key ceremony process used for initial issuance. The operator may generate a new key pair or, if key material has not been compromised, request re-signing of the existing public key with updated validity dates.

