X.509-SVID Issuance
Acquire an X.509 certificate encoding a SPIFFE ID as a URI SAN via the Workload API (SPIFFE X.509-SVID spec §2). X.509-SVIDs are the primary credential type in SPIFFE, used for mTLS authentication between workloads. The SPIRE Agent generates the key pair, obtains a signed certificate from the SPIRE Server's CA, and delivers the complete credential set (certificate, private key, trust bundle) to the workload via the local Unix socket.
X.509-SVID Issuance
Acquire an X.509 certificate encoding a SPIFFE ID as a URI SAN via the Workload API (SPIFFE X.509-SVID spec §2). X.509-SVIDs are the primary credential type in SPIFFE, used for mTLS authentication between workloads. The SPIRE Agent generates the key pair, obtains a signed certificate from the SPIRE Server's CA, and delivers the complete credential set (certificate, private key, trust bundle) to the workload via the local Unix socket.
Sequence Diagram
Click any step for details
Step-by-Step Breakdown
Token Inspector
Specs for this flow
Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.