NetStable / Public Key Infrastructure

Hierarchy v1 · 2026

Trust roots, distribution, verification keys.

This is the public face of NetStable's PKI. Every certificate signed by NetStable chains to the root listed below, and every signed artifact — container image, Helm chart, SBOM, license, code release — can be verified against a key published here.

All seventeen signing keys are HSM-backed (FIPS 140-2 Level 3, Google Cloud HSM). No private key material exists outside the hardware boundary.

Status: Operational
Hierarchy: v1 · 2026
HSM keys: 17
Trust roots: 1

01

The root

Anchor of every NetStable trust chain. Add this certificate to a system or application trust store to validate any chain we publish.

NetStable, LLC Root CA v1

The single anchor under which the Corporate and Heliopolis trust domains both chain. Self-signed, ceremonial only — never used at runtime to issue end-entity certificates.

Algorithm ECDSA P-384 / SHA-384 · Validity 25 years · pathLen 2 · Protection FIPS 140-2 L3 HSM
netstable-llc-root-ca-v1.crt

02

Intermediates

Trust-domain anchors. Customers usually need only the root, but shipping the matching intermediate alongside a leaf certificate lets clients build the full chain without an AIA (Authority Information Access) fetch.

  • Corporate Intermediate CA v1

    corporate-intermediate-ca-v1.crt · ECDSA P-384 · 12y · pathLen 1

  • Heliopolis Intermediate CA v1

    heliopolis-intermediate-ca-v1.crt · ECDSA P-384 · 12y · pathLen 1

03

Issuing CAs & cosign keys

Each artifact NetStable signs uses a role-scoped issuing CA. The same KMS-backed key serves both X.509 chain signing (Track A) and raw cosign signature verification (Track B). Public keys for cosign verification live under /verify/.

Corporate · 4 keys

  • Corporate Code Signing Issuing CA v1

    corporate-code-signing-issuing-ca-v1

  • Corporate Document Signing Issuing CA v1

    corporate-document-signing-issuing-ca-v1

  • Corporate Timestamping Issuing CA v1

    corporate-timestamping-issuing-ca-v1

  • Corporate OCSP Issuing CA v1

    corporate-ocsp-issuing-ca-v1

Heliopolis · 9 keys

  • Heliopolis Code Signing Issuing CA v1

    heliopolis-code-signing-issuing-ca-v1

  • Heliopolis Image Signing Issuing CA v1

    heliopolis-image-signing-issuing-ca-v1

  • Heliopolis Chart Signing Issuing CA v1

    heliopolis-chart-signing-issuing-ca-v1

  • Heliopolis SBOM Signing Issuing CA v1

    heliopolis-sbom-signing-issuing-ca-v1

  • Heliopolis Model Signing Issuing CA v1

    heliopolis-model-signing-issuing-ca-v1

  • Heliopolis Licensing Issuing CA v1

    heliopolis-licensing-issuing-ca-v1

  • Heliopolis Document Signing Issuing CA v1

    heliopolis-document-signing-issuing-ca-v1

  • Heliopolis Timestamping Issuing CA v1

    heliopolis-timestamping-issuing-ca-v1

  • Heliopolis OCSP Issuing CA v1

    heliopolis-ocsp-issuing-ca-v1

04

Verifying signatures

Two flows. Adapt to your toolchain.

Add NetStable's root to your trust store

# RHEL / Rocky / Fedora
$ sudo curl -fsSL https://pki.netstable.io/certs/netstable-llc-root-ca-v1.crt \
    -o /etc/pki/ca-trust/source/anchors/netstable-root.crt
$ sudo update-ca-trust

# Debian / Ubuntu
$ sudo curl -fsSL https://pki.netstable.io/certs/netstable-llc-root-ca-v1.crt \
    -o /usr/local/share/ca-certificates/netstable-root.crt
$ sudo update-ca-certificates

# macOS
$ sudo security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain netstable-llc-root-ca-v1.crt

Verify a Heliopolis container image with cosign

# --insecure-ignore-tlog skips Rekor transparency-log verification;
# trust then rests entirely on the published key fetched over HTTPS.
$ cosign verify \
    --key https://pki.netstable.io/verify/heliopolis-image-signing-issuing-ca-v1.pub \
    --insecure-ignore-tlog=true \
    harbor.netstable.io/heliopolis/gateway:rc1

05

Revocation

Two channels. CRLs are served over HTTP per RFC 5280; OCSP over HTTP per RFC 6960. Both are deliberately plain HTTP with no HTTPS upgrade: a client checking a certificate's status must not first have to validate another certificate just to reach the revocation data, and both the CRL and the OCSP response are signed by the CA, so the transport does not carry their integrity.

  • Certificate Revocation Lists

    http://crl.netstable.io/ · renewed 16h · cached 24h

  • OCSP Responder

    http://ocsp.netstable.io/ · per-chain · OCSP stapling recommended
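The hierarchy in sections 01 to 03 (root pathLen 2, intermediates pathLen 1, issuing CAs pathLen 0) and the CRL channel in section 05 can be exercised offline. The Go program below is an added example written for this page; it is not NetStable code and uses none of NetStable's keys, certificates or URLs. It builds a constructed three-tier chain with Go's standard crypto/x509 using the page's ECDSA P-384 / SHA-384 choice, shows that a leaf verifies against the root only when the intermediate and issuing CA are bundled with it (the AIA point from section 02), shows pathLen 0 on the issuing CA rejecting a deeper chain, and then has the issuing CA publish a CRL that a client checks for signature, freshness and the leaf's serial. All names and serial numbers are constructed, and the code assumes Go 1.19 or newer for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must collapses error handling for this constructed setup; a real service would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca is one tier of the constructed hierarchy: its certificate and private key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs a P-384/SHA-384 code-signing cert with parent (nil = self-signed root); isCA adds basicConstraints with pathLen.
func issue(serial int64, cn string, isCA bool, pathLen int, parent *ca) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, SignatureAlgorithm: x509.ECDSAWithSHA384,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0 // Go needs the flag to encode pathLen 0
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = &ca{cert: t, key: key} // self-signed: the template is its own issuer
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent.cert, &key.PublicKey, parent.key))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// buildHierarchy mirrors the page: root (pathLen 2) -> intermediate (pathLen 1) -> issuing CA (pathLen 0) -> leaf.
func buildHierarchy() (root, inter, issuing, leaf *ca) {
	root = issue(1, "Example Root CA (constructed)", true, 2, nil)
	inter = issue(2, "Example Intermediate CA (constructed)", true, 1, root)
	issuing = issue(3, "Example Image Signing Issuing CA (constructed)", true, 0, inter)
	return root, inter, issuing, issue(4, "image-signer (constructed)", false, 0, issuing)
}

// verifyChain validates leaf against root with only the certs bundled with it: no bundle and no AIA fetch, no path to the root.
func verifyChain(root, leaf *x509.Certificate, bundled ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range bundled {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// pathLenRejected: a sub-CA minted under the pathLen-0 issuing CA must not verify, even though every signature is valid.
func pathLenRejected(root, inter, issuing *ca) bool {
	subCA := issue(5, "Unauthorized Sub-CA (constructed)", true, 0, issuing)
	deep := issue(6, "deep-leaf (constructed)", false, 0, subCA)
	return verifyChain(root.cert, deep.cert, inter.cert, issuing.cert, subCA.cert) != nil
}

// buildCRL publishes a CRL from issuer; NextUpdate bounds how long a cached copy may be relied on (page: renewed 16h, cached 24h).
func buildCRL(issuer *ca, serials ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, issuer.cert, issuer.key))
	return must(x509.ParseRevocationList(der))
}

// isRevoked trusts the list only after checking its signature and freshness: a bad or stale CRL is an error, never "not revoked".
func isRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is past NextUpdate; refetch before deciding")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Call buildHierarchy, then verifyChain(root.cert, leaf.cert) once with nothing bundled (it fails with an unknown-authority error) and once with inter.cert and issuing.cert bundled (it succeeds); pathLenRejected returns true because Go's chain builder enforces the issuing CA's pathLen 0. buildCRL(issuing, leaf.cert.SerialNumber) followed by isRevoked reports the leaf revoked, while the same call with a clock past NextUpdate returns an error rather than a verdict. A real client fetches the list from http://crl.netstable.io/ and should treat that stale case the same way: refetch, and fail closed if no fresh list can be obtained.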