
Automatically Sign Requests

In this tutorial, you will learn how to generate a self-signed certificate with VaultCode.

You will create an SKA key with a policy that has the Positive Approval sample executable as its only approver. Thus, any use of the SKA key must be approved by the executable. This executable runs in VaultCode and blindly approves everything. To demonstrate this, you will create a self-signed certificate. The signing operation will be approved by the executable, and you will be able to download the resulting certificate.

Upload JAR file

First, you need to upload your custom executable to VaultCode. Let's assume the executable is stored in /path/to/code.jar. Upload the JAR by calling POST /api/v1/upload_execution_code:

JAR=/path/to/code.jar
curl "https://demo-vaultcode.securosys.com/api/v1/upload_execution_code" \
--form "file=@${JAR};type=application/java-archive"

You can use the example JARs.

You can get the SHA-256 hash of the currently loaded JAR by calling GET /api/v1/get_evidence:

curl "https://demo-vaultcode.securosys.com/api/v1/get_evidence"

# to also extract the fingerprint field from the JSON and decode it
curl --silent "https://demo-vaultcode.securosys.com/api/v1/get_evidence" | jq --raw-output ".executionCodeFingerprint" | base64 --decode
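Before binding a key policy to the loaded executable, it is worth checking that the fingerprint VaultCode reports is the SHA-256 of the JAR you actually uploaded. The following is an added example, not part of the Securosys documentation; it assumes the decoded executionCodeFingerprint is the JAR's SHA-256, either as a hex string (what the base64 --decode pipe above displays) or as raw digest bytes, and accepts both forms.

```python
import base64
import hashlib
import json

# Added example, not Securosys code. Assumption: the decoded
# "executionCodeFingerprint" is the SHA-256 of the JAR, as hex text or raw bytes.


def decoded_fingerprint(evidence_json: str) -> bytes:
    """Return the base64-decoded executionCodeFingerprint from GET /api/v1/get_evidence."""
    return base64.b64decode(json.loads(evidence_json)["executionCodeFingerprint"])


def fingerprint_matches(jar_bytes: bytes, evidence_json: str) -> bool:
    """True only if the JAR loaded in VaultCode is byte-identical to jar_bytes."""
    digest = hashlib.sha256(jar_bytes).digest()
    decoded = decoded_fingerprint(evidence_json)
    if len(decoded) == len(digest):          # raw digest form
        return decoded == digest
    # hex text form: compare case-insensitively, ignoring surrounding whitespace
    return decoded.decode("ascii", "replace").strip().lower() == digest.hex()


# Constructed samples: a stand-in JAR and the evidence a server would return for it.
SAMPLE_JAR = b"PK\x03\x04constructed-sample-jar-contents"
SAMPLE_EVIDENCE_HEX = json.dumps({
    "executionCodeFingerprint": base64.b64encode(
        hashlib.sha256(SAMPLE_JAR).hexdigest().encode()).decode()
})
SAMPLE_EVIDENCE_RAW = json.dumps({
    "executionCodeFingerprint": base64.b64encode(
        hashlib.sha256(SAMPLE_JAR).digest()).decode()
})

if __name__ == "__main__":
    # In practice: jar = open("/path/to/code.jar", "rb").read() and the
    # evidence JSON is the body returned by curl .../api/v1/get_evidence.
    print("loaded JAR matches:", fingerprint_matches(SAMPLE_JAR, SAMPLE_EVIDENCE_HEX))
```

Run the check again after every upload: a mismatch means the code that will be approving your key operations is not the code you reviewed.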

Create a New SKA Key

Next, create a new key with an SKA policy that specifies who can approve use of the key. To do this, make a POST /v1/key request to your TSB:

{
"label": "vaultcode_sign", # Name your key something relevant
"algorithm": "RSA", # Algorithm, check below for list of options
"keySize": 2048,
"attributes": {
"encrypt": true,
"decrypt": true,
"verify": true,
"sign": true,
"wrap": true,
"unwrap": true,
"derive": false,
"bip32": false,
"slip10": false,
"extractable": false,
"modifiable": true,
"destroyable": true,
"sensitive": true,
"copyable": false,
"rollover": false
},
"policy": { # Begin defining approval policies
"ruleUse": {
"tokens": [
{
"name": "automated_approval_t1", # Define token name
"timelock": 0,
"timeout": 3600,
"groups": [
{
"name": "automated_approval_g1", # Define token group
"quorum": 1,
"approvals": [
{
"type": "public_key", # Define approval key type
"name": "vault_output_pub_key", # Name the key of the Approver, in this case it is VaultCode
# For value, use the public outputKey of VaultCode
"value": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArGlydWhVL3cT66BEV/exn+QUh9gSCO+vQqVO6Ac/CfUt42+XN9VBGiDp0VYHksI2gHdWB5645iW2p6K4mbS3OeDo7yFLBV82++raz0YCmTq3WWBptDxmlKh6MJMWmrKKJIgypLmzjT6M2mGpxh2AmVb/+QiDzyVvb727O4n9E9W2ura7ci1Pds58i2JJ4NgDKwldggLlQPMNhiKmY4IIDpbUdi8pDJCEz6HB4vlEIPwAX5kQ6mspH5rvQ6frusx0lLDevXLpXNS/Ok35H0paOt3yxpkPygYjYFs329sYzNNDpAVZMQbr71uunEl00OgJ3VJ2zNesR+L+JO1GbpuB8QIDAQAB"
}
]
}
]
}
]
},
"keyStatus": {
"blocked": false
}
}
}

This policy requires a single approval, signed by the output key of VaultCode. (Recall that your executable implements the automated approval logic, and its output is an approval or rejection.) You can obtain this key by calling GET /api/v1/get_public_key:

curl --silent "https://demo-vaultcode.securosys.com/api/v1/get_public_key" | jq --raw-output ".outputKey.publicKey"

See the SKA Authorization Policy documentation for more details on the policies that you can build.

Creating a self-signed certificate

You now have a signing key. Here's how to use it to create a self-signed certificate. Make a call to the POST /v1/certificate/selfsign endpoint of the TSB with the following request body:

{
"selfSignCertificateRequest": {
"signKeyName": "vaultcode_sign", # Name of the key created in the previous section
"keyPassword": null,
"validity": 3650,
"signatureAlgorithm": "SHA256_WITH_RSA",
"commonName": "VaultCode", # CN value that the certificate should have
"certificateAuthority": false,
"keyUsage": [
"DIGITAL_SIGNATURE"
],
"extendedKeyUsage": [
"ANY_EXTENDED_KEY_USAGE"
]
}
}

Supported signatureAlgorithm values:

SHA224_WITH_RSA
SHA256_WITH_RSA
SHA384_WITH_RSA
SHA512_WITH_RSA
SHA256_WITH_ECDSA
SHA384_WITH_ECDSA
SHA512_WITH_ECDSA

Response:

{
"signRequestId": "f3c8c4b2-e8e3-4198-87d1-1608c1540b26"
}

This has triggered a certificate generation, which requires a signing operation. You have two ways of tracking the request.

VaultCode Log

In the VaultCode container you will see a message like this:

Creating connection with vaultcode service without mTLS
Issued a Self-Signed Certificate with key 'vaultcode_sign'
Signed request with id f3c8c4b2-e8e3-4198-87d1-1608c1540b26 using key 'vaultcode_sign' and sign-algorithm 'SHA256withRSA'

The VaultCode log message only confirms that the work was done; it does not contain the resulting certificate. To obtain the signed certificate, query the TSB for the request id.

Query by RequestID

Call the GET /v1/request/{id} endpoint of the TSB with the request id from earlier.

Response:

{
"id": "f3c8c4b2-e8e3-4198-87d1-1608c1540b26",
"status": "EXECUTED",
"executionTime": "2025-07-31T09:43:48Z",
"approvedBy": [
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ....gJ3VJ2zNesR+L+JO1GbpuB8QIDAQAB" # VaultCode public key
],
"notYetApprovedBy": [],
"rejectedBy": [],
"result": "-----BEGIN CERTIFICATE-----\nMIIDADCCAeigAwIBAgIBADANBg...j/nZ1A\n9j2wGA==\n-----END CERTIFICATE-----"
}

You now have a self-signed certificate, approved by the Positive Approval executable.
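The two TSB bodies above (the SKA key creation request and the executed request record) can be produced and checked in code. This is an added example, not Securosys code: it builds the POST /v1/key body from the tutorial around the outputKey fetched from GET /api/v1/get_public_key, and it refuses the GET /v1/request/{id} result unless the request is EXECUTED, approved by that same key, and not rejected. The sample key and PEM body are constructed placeholders.

```python
import json

# Added example, not Securosys code. Builds the tutorial's SKA key request and
# validates the request record before the certificate in "result" is used.


def build_key_request(output_pub_key: str, label: str = "vaultcode_sign") -> dict:
    """POST /v1/key body: an RSA-2048 key whose only approver is the VaultCode output key."""
    approval = {"type": "public_key", "name": "vault_output_pub_key", "value": output_pub_key}
    group = {"name": "automated_approval_g1", "quorum": 1, "approvals": [approval]}
    token = {"name": "automated_approval_t1", "timelock": 0, "timeout": 3600, "groups": [group]}
    return {
        "label": label, "algorithm": "RSA", "keySize": 2048,
        "attributes": {"encrypt": True, "decrypt": True, "verify": True, "sign": True,
                       "wrap": True, "unwrap": True, "derive": False, "bip32": False,
                       "slip10": False, "extractable": False, "modifiable": True,
                       "destroyable": True, "sensitive": True, "copyable": False,
                       "rollover": False},
        "policy": {"ruleUse": {"tokens": [token]}, "keyStatus": {"blocked": False}},
    }


def certificate_from_request(request_json: str, expected_approver: str) -> str:
    """Return the PEM from GET /v1/request/{id}, or raise if the record should not be trusted:
    not yet EXECUTED, rejected, or approved by something other than the policy's approver."""
    req = json.loads(request_json)
    if req.get("status") != "EXECUTED":
        raise RuntimeError(f"request {req.get('id')} not executed: status {req.get('status')}")
    if expected_approver not in req.get("approvedBy", []) or req.get("rejectedBy"):
        raise RuntimeError("approval set does not match the key's SKA policy")
    pem = req.get("result", "")
    if not pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise RuntimeError("result is not a PEM certificate")
    return pem


# Constructed samples (placeholder key and PEM body, not real material).
SAMPLE_OUTPUT_KEY = "MIIBIjAN...constructed-placeholder-output-key"
SAMPLE_REQUEST = json.dumps({
    "id": "f3c8c4b2-e8e3-4198-87d1-1608c1540b26", "status": "EXECUTED",
    "executionTime": "2025-07-31T09:43:48Z", "approvedBy": [SAMPLE_OUTPUT_KEY],
    "notYetApprovedBy": [], "rejectedBy": [],
    "result": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----",
})

if __name__ == "__main__":
    print(json.dumps(build_key_request(SAMPLE_OUTPUT_KEY), indent=2))
    print(certificate_from_request(SAMPLE_REQUEST, SAMPLE_OUTPUT_KEY))
```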
