---
title: "Root Certificate Authority"
description: ""
url: https://instituteofprovenance.org/docs/root-ca
source: Institute of Provenance
---
# Root Certificate Authority

The Institute of Provenance Root CA is the trust anchor for the entire XION ecosystem. It is a self-signed Ed25519 certificate managed with strict offline key ceremony procedures.

## Properties

| Field | Value |
|-------|-------|
| Subject | Institute of Provenance Root CA |
| Algorithm | Ed25519 |
| Validity | 2025-11-02 to 2035-10-31 (10 years) |
| Key Usage | Certificate Sign, CRL Sign |
| Basic Constraints | CA:TRUE, pathLenConstraint:1 |
| Self-signed | Yes |

## Offline Management

The Root CA private key is never exposed to online systems. It exists only on air-gapped hardware used during formal key ceremony procedures. A key ceremony occurs when:

- A new intermediate certificate is issued to a Certified Orbital operator
- An intermediate certificate is renewed
- The Root CA certificate itself is renewed (prior to 2035 expiration)

Each ceremony follows a documented procedure with multiple witnesses and produces an auditable record.

## Public Key Distribution

The Root CA public key is the single well-known constant needed to verify any XION artifact. It is distributed through:

- This specification document
- The Institute's website and documentation
- Compliant client implementations, which embed it
- A machine-readable publication at a well-known URI

Implementers MUST hardcode or securely distribute the Root CA public key. It MUST NOT be fetched from the network at verification time, as this would reintroduce the third-party trust dependency that XION is designed to eliminate.

## Key Rotation

The current Root CA certificate has a 10-year validity period. Key rotation planning will begin no later than 2032, allowing a 3-year overlap period during which both the current and successor Root CA are recognized. The transition procedure will be published as an amendment to this specification.

## Path Length Constraint

The Root CA has `pathLenConstraint:1`, meaning it can sign intermediate certificates that can in turn sign leaf certificates, but intermediates cannot create further intermediates. This limits the hierarchy to exactly three tiers: root, intermediate, and leaf.
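
The following added example (not the Institute's code) shows the constraint being enforced by a verifier that trusts only a pinned root, using Go's standard `crypto/x509`. All certificates are constructed throwaway Ed25519 test certificates, and the helper names `issue` and `verifyDepth` are hypothetical.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed Ed25519 test cert (parent == nil: self-signed); maxPath -1 = no pathLenConstraint.
func issue(cn string, isCA bool, maxPath int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, MaxPathLen: maxPath, MaxPathLenZero: maxPath == 0,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // same usages as the Key Usage row
	}
	if parent == nil {
		parent, parentKey = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyDepth builds root (pathLenConstraint:1) -> n intermediates -> leaf, then verifies the leaf
// against the pinned root only: no system trust store and no network fetch.
func verifyDepth(n int) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	cert, key := issue("Constructed Root CA", true, 1, nil, nil)
	roots.AddCert(cert)
	for i := 1; i <= n; i++ {
		cert, key = issue(fmt.Sprintf("Constructed Intermediate %d", i), true, -1, cert, key)
		inters.AddCert(cert)
	}
	leaf, _ := issue("constructed leaf", false, -1, cert, key)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	fmt.Println(verifyDepth(1), verifyDepth(2)) // three-tier result, then four-tier result
}
```

Go's `crypto/x509` applies the pinned root's own constraint during path building. RFC 5280's base validation algorithm takes only a name and public key from the trust anchor, so check that the validator you deploy behaves the same way.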

