---
title: "Leaf Certificates"
description: ""
url: https://instituteofprovenance.org/docs/leaf-certificates
source: Institute of Provenance
---
# Leaf Certificates

Leaf certificates are short-lived content-signing certificates issued on demand by Certified Orbital operators. They are the certificates that actually sign content: the trust block in a XION artifact contains a leaf certificate as the first entry in the chain.

## Properties

| Field | Value |
|-------|-------|
| Issuer | Certified Orbital Intermediate |
| Algorithm | Ed25519 |
| Validity | Hours to one day |
| Key Usage | Digital Signature |
| Basic Constraints | CA:FALSE |
| Extended Key Usage | id-xio-content-signing |

## Short Lifetime

Leaf certificates are designed to be ephemeral. A typical leaf certificate is valid for 4–24 hours. This short lifetime is the primary security mechanism:

- **Reduced blast radius** — Even if a leaf signing key is compromised, its certificate expires within hours, so the attacker's window to produce signatures that still verify is tightly bounded.
- **Simplified revocation** — While revocation via Sparse Merkle Tree proofs is available, it is rarely needed because certificates expire quickly on their own.
- **Fresh key material** — Short lifetimes encourage frequent key rotation. Many implementations generate a new key pair for each certificate request.

## Issuance

Leaf certificates are issued programmatically by the Certified Orbital that holds the intermediate certificate. The issuance flow:

1. The signer generates an Ed25519 key pair
2. The signer sends a certificate signing request (CSR) to their Certified Orbital
3. The Orbital validates the request against its authorization policies
4. The Orbital signs a leaf certificate with its intermediate private key
5. The certificate is returned to the signer along with the intermediate certificate (for chain construction)

This process is typically transparent to the end user — the signing tool handles key generation, CSR creation, and certificate retrieval automatically.

## Certificate Extensions

Leaf certificates include custom extensions that encode:

- **Signer identity** — The authenticated identity of the content creator
- **Scope** — What content types or domains the certificate is authorized to sign
- **Orbital identifier** — Which Certified Orbital issued the certificate
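The five issuance steps above and the three custom extensions, as one added example in Go using only the standard library's X.509 support. This is not the Institute of Provenance's code, and the page describes no API, so everything concrete is an assumption: the Orbital's intermediate is a self-signed stand-in for the real one; the numeric OIDs are placeholders from the 2.999 example arc, because the page names id-xio-content-signing and the three extensions without publishing identifiers; the authenticated signer identity travels as the CSR CommonName and the authorization policy is a map from identity to allowed scope; `CheckLeaf` is the relying-party side, which the page does not describe, and it also enforces the one-day ceiling from the Properties table so that a long-lived leaf is rejected even when its chain is valid.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OIDs (2.999 is the example arc); the page publishes no numeric identifiers.
var (
	oidContentSigning = asn1.ObjectIdentifier{2, 999, 1, 1} // stands in for id-xio-content-signing
	oidSignerIdentity = asn1.ObjectIdentifier{2, 999, 1, 2}
	oidScope          = asn1.ObjectIdentifier{2, 999, 1, 3}
	oidOrbitalID      = asn1.ObjectIdentifier{2, 999, 1, 4}
)

const leafLifetime, maxLeafLife, clockSkew = 12 * time.Hour, 24 * time.Hour, 5 * time.Minute

// Orbital: intermediate cert and key, an identifier, and policy (signer identity -> allowed scope).
type Orbital struct {
	ID     string
	Cert   *x509.Certificate
	Key    ed25519.PrivateKey
	Policy map[string]string
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewExampleOrbital mints a self-signed stand-in for the Certified Orbital Intermediate (assumption).
func NewExampleOrbital(id string, policy map[string]string) *Orbital {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: id},
		NotBefore: time.Now().Add(-clockSkew), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Orbital{ID: id, Cert: cert, Key: priv, Policy: policy}
}

// Steps 1-2 (signer): fresh Ed25519 key pair and a CSR carrying the identity.
func MakeCSR(identity string) ([]byte, ed25519.PrivateKey) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: identity}}, priv)
	check(err)
	return der, priv
}

// Steps 3-5 (Orbital): validate the CSR against policy, then sign a short-lived,
// non-CA, DigitalSignature-only leaf carrying the three custom extensions.
func (o *Orbital) IssueLeaf(csrDER []byte, now time.Time) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the leaf key
		return nil, err
	}
	scope, ok := o.Policy[csr.Subject.CommonName]
	if _, isEd := csr.PublicKey.(ed25519.PublicKey); !ok || !isEd {
		return nil, fmt.Errorf("refused: %q is not an authorized identity with an Ed25519 key", csr.Subject.CommonName)
	}
	exts := []pkix.Extension{{Id: oidSignerIdentity}, {Id: oidScope}, {Id: oidOrbitalID}}
	for i, v := range []string{csr.Subject.CommonName, scope, o.ID} {
		exts[i].Value, err = asn1.MarshalWithParams(v, "utf8")
		check(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	tmpl := &x509.Certificate{SerialNumber: serial.SetBit(serial, 127, 1), Subject: csr.Subject,
		NotBefore: now.Add(-clockSkew), NotAfter: now.Add(leafLifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: false, // CA:FALSE
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidContentSigning}, ExtraExtensions: exts}
	return x509.CreateCertificate(rand.Reader, tmpl, o.Cert, csr.PublicKey, o.Key)
}

// CheckLeaf is the relying-party side: chain to the trusted issuer, then enforce the
// lifetime ceiling and the CA:FALSE / Digital Signature / content-signing profile.
func CheckLeaf(leafDER []byte, issuer *x509.Certificate, at time.Time) (*x509.Certificate, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil { // EKU is checked below
		return nil, err
	}
	if d := leaf.NotAfter.Sub(leaf.NotBefore); d > maxLeafLife+clockSkew {
		return nil, fmt.Errorf("lifetime %v exceeds the one-day ceiling", d)
	}
	if !leaf.BasicConstraintsValid || leaf.IsCA || leaf.KeyUsage != x509.KeyUsageDigitalSignature ||
		len(leaf.UnknownExtKeyUsage) != 1 || !leaf.UnknownExtKeyUsage[0].Equal(oidContentSigning) {
		return nil, fmt.Errorf("leaf does not match the content-signing profile")
	}
	return leaf, nil
}

func main() {
	orbital := NewExampleOrbital("orbital-example-1", map[string]string{"alice@example.org": "image/*"})
	csrDER, _ := MakeCSR("alice@example.org")
	leafDER, err := orbital.IssueLeaf(csrDER, time.Now())
	check(err)
	leaf, err := CheckLeaf(leafDER, orbital.Cert, time.Now())
	check(err)
	fmt.Println(leaf.Subject.CommonName, "may sign until", leaf.NotAfter.UTC().Format(time.RFC3339))
}
```

Two details matter in practice. `NotBefore` is backdated by a few minutes so a freshly minted leaf verifies on a relying party whose clock runs slightly behind the Orbital's; the ceiling check adds that allowance back so the backdating cannot be used to stretch a leaf past one day. And `csr.CheckSignature()` is what ties the requested identity to a key the requester actually holds; an Orbital that skips it will happily certify someone else's public key under the requester's name.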

## Revocation

Although short lifetimes reduce the need for explicit revocation, a leaf certificate can be revoked immediately by adding its serial number to the Orbital's Sparse Merkle Tree of revoked certificates. A revocation proof (an inclusion proof showing the serial number in the revoked set) can be checked by any party that holds the tree's current root, without taking the Orbital's word for it: the verifier recomputes the root from the proof and compares. The converse also holds: a verifier that wants positive assurance that a certificate is not revoked needs a non-inclusion proof against a fresh root, not merely the absence of an inclusion proof.
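The revocation check described above, as an added example in Go; this is not the Institute of Provenance's tree. The page says only that the revoked set is a Sparse Merkle Tree, that it is keyed by certificate serial number, and that inclusion proofs are verifiable without trusting the Orbital. Everything else here is this example's own choice: sha256(serial) as the 256-bit key, domain-separated leaf and node hashes, precomputed default hashes for empty subtrees, and a verifier that is handed the trusted root through some authenticated channel (for instance a signed tree head) the page does not describe. It goes slightly beyond the text by also producing the non-inclusion proof a verifier needs to conclude that a serial is not revoked.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/big"
)

const depth = 256 // one tree level per bit of the 32-byte key

var emptyLeaf = sha256.Sum256([]byte{0x00}) // value of an unoccupied leaf slot

// Revocations is a sparse Merkle tree over sha256(serial) keys; an occupied
// leaf means "revoked". Only the revoked keys are stored; hashes are recomputed.
type Revocations struct {
	revoked  map[[32]byte]bool
	defaults [depth + 1][32]byte // hash of an all-empty subtree rooted at each depth
}

func NewRevocations() *Revocations {
	t := &Revocations{revoked: map[[32]byte]bool{}}
	t.defaults[depth] = emptyLeaf
	for d := depth - 1; d >= 0; d-- {
		t.defaults[d] = hashNode(t.defaults[d+1], t.defaults[d+1])
	}
	return t
}

// Domain-separated hashing: 0x01 prefixes inner nodes, 0x02 a revoked leaf.
func hashNode(l, r [32]byte) [32]byte { return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...)) }
func leafHash(key [32]byte) [32]byte   { return sha256.Sum256(append([]byte{0x02}, key[:]...)) }
func KeyFor(serial *big.Int) [32]byte  { return sha256.Sum256(serial.Bytes()) }
func bit(key [32]byte, i int) byte     { return (key[i/8] >> (7 - uint(i%8))) & 1 }

func (t *Revocations) Revoke(serial *big.Int) { t.revoked[KeyFor(serial)] = true }

func (t *Revocations) keys() [][32]byte {
	ks := make([][32]byte, 0, len(t.revoked))
	for k := range t.revoked {
		ks = append(ks, k)
	}
	return ks
}

// split partitions keys by bit d into those whose bit equals b and the rest.
func split(keys [][32]byte, d int, b byte) (match, rest [][32]byte) {
	for _, k := range keys {
		if bit(k, d) == b {
			match = append(match, k)
		} else {
			rest = append(rest, k)
		}
	}
	return
}

// subtree hashes the subtree at depth d holding exactly keys (all share a d-bit prefix).
func (t *Revocations) subtree(keys [][32]byte, d int) [32]byte {
	if len(keys) == 0 {
		return t.defaults[d]
	}
	if d == depth {
		return leafHash(keys[0])
	}
	left, right := split(keys, d, 0)
	return hashNode(t.subtree(left, d+1), t.subtree(right, d+1))
}

func (t *Revocations) Root() [32]byte { return t.subtree(t.keys(), 0) }

// Proof holds the sibling hash at each level, root side first. The same proof
// supports either an inclusion or a non-inclusion claim for its serial.
type Proof [depth][32]byte

func (t *Revocations) Prove(serial *big.Int) Proof {
	key, keys := KeyFor(serial), t.keys()
	var p Proof
	for d := 0; d < depth; d++ {
		var other [][32]byte
		keys, other = split(keys, d, bit(key, d)) // keep keys on our path, hash the rest as the sibling
		p[d] = t.subtree(other, d+1)
	}
	return p
}

// rootFrom folds a leaf value up through the proof; it never touches the tree.
func rootFrom(key, leaf [32]byte, p Proof) [32]byte {
	for d := depth - 1; d >= 0; d-- {
		if bit(key, d) == 0 {
			leaf = hashNode(leaf, p[d])
		} else {
			leaf = hashNode(p[d], leaf)
		}
	}
	return leaf
}

// The relying-party checks: both need only the trusted root, not the Orbital.
func VerifyRevoked(root [32]byte, serial *big.Int, p Proof) bool {
	return rootFrom(KeyFor(serial), leafHash(KeyFor(serial)), p) == root
}

func VerifyNotRevoked(root [32]byte, serial *big.Int, p Proof) bool {
	return rootFrom(KeyFor(serial), emptyLeaf, p) == root
}

func main() {
	t := NewRevocations()
	t.Revoke(big.NewInt(4242))
	root := t.Root()
	fmt.Printf("root %x\nrevoked(4242)=%v notRevoked(7)=%v\n", root,
		VerifyRevoked(root, big.NewInt(4242), t.Prove(big.NewInt(4242))),
		VerifyNotRevoked(root, big.NewInt(7), t.Prove(big.NewInt(7))))
}
```

The proof deliberately omits the leaf value: the verifier supplies it, `leafHash(key)` to claim "revoked" or `emptyLeaf` to claim "not revoked", and only one of the two can fold up to the published root. That is also why the root must be fresh and authenticated: a stale root would let an attacker present a perfectly valid non-inclusion proof for a certificate revoked five minutes ago. A production tree would compress the 256 siblings (most are default hashes) rather than ship 8 KiB per proof.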

