X.509-SVID Issuance

Acquire an X.509 certificate encoding a SPIFFE ID as a URI SAN via the Workload API (SPIFFE X.509-SVID spec §2). X.509-SVIDs are the primary credential type in SPIFFE, used for mTLS authentication between workloads. The SPIRE Agent generates the key pair, obtains a signed certificate from the SPIRE Server's CA, and delivers the complete credential set (certificate, private key, trust bundle) to the workload via the local Unix socket.

Try in Looking Glass
X.509 CertificateWorkload API

Sequence Diagram

Click any step for details

WorkloadAgentKeysServerCA1FetchX509SVID Request2Key Pair Generation3CSR Submission to SPIRE Server4Certificate Signing by SPIRE CA5SVID and Trust Bundle Delivery
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
FetchX509SVID Request
WorkloadSPIRE Agent
2
Key Pair Generation
SPIRE AgentKey Manager
3
CSR Submission to SPIRE Server
SPIRE AgentSPIRE Server
4
Certificate Signing by SPIRE CA
SPIRE ServerCertificate Authority
5
SVID and Trust Bundle Delivery
SPIRE AgentWorkload

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.

Security & privacy

· Dedicated security and privacy considerations.