
Sigstore WebPKI



A New Kind of Root CA For Code Signing

Fulcio is a free root CA for code-signing certificates: it issues a certificate bound to the email address in the caller's OpenID Connect (OIDC) identity token.

Fulcio only signs short-lived certificates, valid for under 20 minutes; a leaked signing key therefore stays usable for minutes, not years.


Fulcio is a work in progress!

We're currently working hard on cutting a 1.0 release and productionizing the public instance. We don't have a date yet, but follow along on the GitHub project.

The Fulcio root certificate running on our public instance (https://fulcio.sigstore.dev) can be obtained and verified against Sigstore's root (held in the sigstore/root-signing repository). To do this, install and use go-tuf's CLI tools (the go get form below predates Go 1.17; on newer toolchains use go install github.com/theupdateframework/go-tuf/cmd/tuf@latest, and likewise for tuf-client):

$ go get github.com/theupdateframework/go-tuf/cmd/tuf
$ go get github.com/theupdateframework/go-tuf/cmd/tuf-client

Then, obtain the trusted root keys for Sigstore. This can be done from a checkout of Sigstore's root-signing repository at a trusted commit (e.g. the one produced by the livestreamed root signing ceremony):

$ git clone https://github.com/sigstore/root-signing
$ cd root-signing && git checkout 193343461a4d365ac517b5d668e01fbaddd4eba5
$ tuf -d ceremony/2021-06-18/ root-keys > sigstore-root.json

Initialize the TUF client with the previously obtained root keys and get the current Fulcio root certificate fulcio_v1.crt.pem.

$ tuf-client init https://raw.githubusercontent.com/sigstore/root-signing/main/repository/repository/ sigstore-root.json
$ tuf-client get https://raw.githubusercontent.com/sigstore/root-signing/main/repository/repository/ fulcio_v1.crt.pem 

We WILL change this and add intermediate CAs in the future, so verifiers should expect the chain to grow.

Build for development

After cloning the repository:

$ make

There are other targets available in the Makefile; check it out.


The API is defined here.


Fulcio will publish issued certificates to a unique Certificate Transparency log (CT-log). That log will be hosted by the sigstore project.

We encourage auditors to monitor this log, and aim to help people access the data.

A simple example would be a service that emails users (at a different address) when certificates have been issued on their behalf. This can then be used to detect bad behavior or possible compromise of the OIDC identity.
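Two of the points above, verifying a signing certificate against the root obtained through TUF and monitoring the CT log for certificates issued in your name, come down to a handful of checks on an x509.Certificate. The Go program below is an added example written for this page, not code from the Fulcio project. Because it has to run offline, NewTestRoot and IssueLeaf construct a throwaway P-384 root and a leaf with an email SAN to stand in for fulcio_v1.crt.pem and a real Fulcio-issued certificate; VerifyFulcioLeaf and IssuedFor are this example's own names, not Fulcio or Sigstore APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLeafLifetime is the bound the README states for Fulcio-issued certificates.
const MaxLeafLifetime = 20 * time.Minute

// VerifyFulcioLeaf is the check a consumer runs once it holds the TUF-verified root:
// the chain must end at root and be valid at `now`, the leaf must carry the
// code-signing EKU, respect the 20-minute bound, and name the expected OIDC email.
func VerifyFulcioLeaf(leaf, root *x509.Certificate, email string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if lifetime := leaf.NotAfter.Sub(leaf.NotBefore); lifetime > MaxLeafLifetime {
		return fmt.Errorf("lifetime %s exceeds the %s bound", lifetime, MaxLeafLifetime)
	}
	for _, e := range leaf.EmailAddresses {
		if e == email {
			return nil
		}
	}
	return fmt.Errorf("no email SAN matches %q (got %v)", email, leaf.EmailAddresses)
}

// IssuedFor is the core of the monitor the README sketches: group certificates read
// from the CT log by watched email address so a notifier can alert the owner out of band.
func IssuedFor(watch map[string]bool, certs ...*x509.Certificate) map[string][]*x509.Certificate {
	hits := map[string][]*x509.Certificate{}
	for _, c := range certs {
		for _, e := range c.EmailAddresses {
			if watch[e] {
				hits[e] = append(hits[e], c)
			}
		}
	}
	return hits
}

// NewTestRoot builds a self-signed P-384 CA (the public instance's curve) that stands
// in for fulcio_v1.crt.pem. It is constructed for this example and is not Sigstore's root.
func NewTestRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf mimics a Fulcio issuance: an rfc822Name SAN holding the email from the OIDC
// token, the code-signing EKU, and the requested lifetime. The fixed serial is for
// brevity only; a real CA must use unique, unpredictable serials.
func IssueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, email string, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		EmailAddresses: []string{email},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(lifetime),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	root, key, _ := NewTestRoot()
	leaf, _ := IssueLeaf(root, key, "alice@example.com", 10*time.Minute)
	fmt.Println("verify:", VerifyFulcioLeaf(leaf, root, "alice@example.com", time.Now()))
	fmt.Println("watched hits:", len(IssuedFor(map[string]bool{"alice@example.com": true}, leaf)))
}
```

In practice the leaf comes from the signature bundle and the root from tuf-client get; the monitor would feed IssuedFor with certificates parsed out of the CT log entries. The lifetime check matters even though the chain check already rejects certificates not signed by Fulcio: it is what a verifier uses to refuse a certificate that chains correctly but was issued with a validity window far longer than Fulcio promises.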

CA / KMS support

Google Cloud Platform CA Service

The public Fulcio root CA is currently running on GCP CA Service with the EC_P384_SHA384 algorithm.

You can also run Fulcio with your own CA on CA Service by passing in a parent and specifying Google as the CA:

go run main.go serve --ca googleca  --gcp_private_ca_parent=projects/myproject/locations/us-central1/caPools/mypool


PKCS11CA

Fulcio may also be used with a PKCS#11-capable device such as SoftHSM. You will also need pkcs11-tool.

To configure a SoftHSM:

Create a config/crypto11.conf file. The Path depends on your distribution (for example /usr/lib/softhsm/libsofthsm2.so on Debian and Ubuntu), and the Pin must be the user PIN you set when initializing the token below:

{
"Path" : "/usr/lib64/softhsm/libsofthsm.so",
"TokenLabel": "fulcio",
"Pin" : "2324"
}

And a config/softhsm2.conf:

directories.tokendir = /tmp/tokens
objectstore.backend = file
log.level = INFO

Export the path to config/softhsm2.conf so the SoftHSM tools and Fulcio pick it up (the file name must match the one you created above):

export SOFTHSM2_CONF=`pwd`/config/softhsm2.conf

Initialize a SoftHSM token (you will be prompted for an SO PIN and a user PIN; the user PIN must be the Pin from config/crypto11.conf)

softhsm2-util --init-token --slot 0 --label fulcio

Create keys within the SoftHSM

pkcs11-tool --module /usr/lib64/softhsm/libsofthsm.so --login --login-type user --keypairgen --id 1 --label PKCS11CA  --key-type EC:secp384r1
  • Note: existing keys can also be imported with pkcs11-tool; see the pkcs11-tool manual for details

Create a root CA

Now that your keys are generated, you can use the fulcio createca command to generate a root CA. This command also stores the generated root CA certificate in the HSM under the object id passed to --hsm-caroot-id, which is the id fulcio serve later uses to find it.

fulcio createca --org=acme --country=UK --locality=SomeTown --province=SomeProvince --postal-code=XXXX --street-address=XXXX --hsm-caroot-id 99 --out myrootCA.pem


Run PKCS11CA

Start Fulcio with the PKCS11 CA, passing the same root id that createca stored the certificate under:

fulcio serve --ca pkcs11ca --hsm-caroot-id 99

⚠️ A SoftHSM does not provide the same security guarantees as a hardware HSM: its keys live in files on disk, protected only by the PIN. Use it for test and development purposes only.


PKCS11CA has only been validated against SoftHSM. In theory it should also work with any PKCS#11-compliant HSM, but to date we have only tested against SoftHSM.

Other KMS / CA support

Support will be extended to the following CA / KMS systems; contributions that expedite coverage are welcome.

Planned support for:

  • AWS CloudHSM
  • Azure Dedicated HSM
  • YubiHSM


Should you discover any security issues, please refer to sigstore's security process.


Fulcio is developed as part of the sigstore project.

We also use a slack channel! Click here for the invite link.