Paradym Feature Showcase: X509-based signing and verification
Paradym now supports X509 certificates across its platform. This means you can add X509-based trust to your issuance and verification flows.
To better align with the emerging verifiable credential standards and deployments (especially government based), Paradym now supports X509 certificates. This makes it easier to build systems that work with the upcoming EU Digital Identity Wallet, US-based mDLs, and other ecosystems that build on X509 certificates for trust. All while staying compatible with existing DID-based digital identity ecosystems.
So why is it so important for Paradym to support X509 certificates? The European Union's Architecture Reference Framework (ARF), the High Assurance Interoperability Profile (HAIP), ISO 18013-5 mDL/mDOC and SD-JWT VC all emphasize X509 certificates as a foundation for trust. By supporting X509 certificates across all APIs, Paradym aligns with the technical requirements that organizations will need to meet for compliance with emerging verifiable credential ecosystems. Many digital identity ecosystems worldwide are adopting similar approaches, whether it's the EU Digital Identity Wallet, one of the several mDOC-based US identity ecosystems, or other non-government-backed digital identity initiatives. Paradym's protocol- and technology-agnostic architecture ensures your organization can adapt to different regional requirements without major architectural changes.
In this post, we'll highlight the new X509 certificate support in Paradym, and how you can use it to issue and verify credentials based on X509 certificates.
Managing X509 Certificates Made Simple
It can be incredibly complex to manage the lifecycle of X509 certificates used in verifiable credential ecosystems. You need to create root certificates, manage and periodically rotate signing certificates, host certificate revocation lists, and ensure compatibility with several credential specifications integrating X509 certificates.
Paradym simplifies this by letting you create X509 root certificates directly in the dashboard or through the API. You select the type of root certificate you want to create (currently either "Issuer Root" or "Verifier Root"), and the platform automatically generates root and signer certificates that are compliant with ISO 18013-5 (mDL/mDOC), ISO 18013-7, SD-JWT VC, and OpenID for Verifiable Presentations.
Paradym handles the hosting and updating of Certificate Revocation Lists (CRLs) and gives you the ability to revoke certificates when needed. Signer certificates are automatically rotated when they expire, and we send email reminders when it's time to rotate a root certificate. You set it up, we keep it going.
To create your own certificate, check out the Trust -> My Certificates tab in the Paradym dashboard, create a certificate through the API, or read more in the Certificate documentation.
Creating an X509 root certificate
Verifying SD-JWT VC and mDOC Credentials
When verifying credentials signed with an X509 certificate, the most important part is to establish and know who you trust. Recently, we introduced Trusted Entities. With Trusted Entities you can configure the DIDs and X509 certificates you trust for a specific entity, and link these to specific credentials within a presentation template. Each trusted entity can contain up to 20 DIDs and 20 X509 certificates. And you can link up to 20 trusted entities to each credential within a presentation template.
When you verify a credential using Paradym, it will check whether the credential is signed by a trusted entity. It can be signed directly by a DID configured on the trusted entity, or with an X509 certificate that is trusted through the X509 certificate chain.
In the future we will extend trusted entities with pre-configured entities based on existing credential ecosystems, such as EU Trusted List, or the Swiss eID. But for now, configuring your trusted X509 (root) certificates gives a lot of flexibility to start accepting credentials from any issuer.
To start verifying credentials signed with X509 certificates, check out the Trust -> Trusted Entities tab in the Paradym dashboard, create a trusted entity through the API, or read more in the Trusted Entities documentation.
Creating a trusted entity with an X509 certificate
Issuing SD-JWT VC Credentials with X509 Signatures
When creating a credential template you can now choose an X509 certificate as the issuer of an SD-JWT VC credential. When a credential template uses an X509 certificate as the issuer, all credentials issued based on the template will be signed with an X509 certificate. If revocation is enabled, the Status List of the credential will also be signed with the same X509 certificate. Issuance of SD-JWT VCs based on X509 certificates supports both Ed25519 and P-256 key types, and the signer certificates created by Paradym are compliant with both the SD-JWT VC and ISO 18013-5 mDOC/mDL specifications (support for issuance of mDOCs will be released soon).
To start issuing credentials signed with X509 certificates, create an SD-JWT VC credential template in the Paradym dashboard, create an SD-JWT VC credential template through the API, or read more in the Issue Credentials documentation.
Creating an SD-JWT VC credential template for credentials signed with an X509 certificate
Signing OpenID4VP Requests
An important factor in verifiable credential ecosystems is verifying the verifier. Paradym recently added support for signing OpenID4VP requests with X509 certificates, in addition to the existing DID-based signing for OpenID4VP requests, providing a choice in how to authenticate as a verifier to a wallet. When you select an X509 certificate as authentication method in an OpenID4VP presentation template, the OpenID4VP request will be signed using the X509 certificate and use the x509_san_dns client ID prefix.
To start creating OpenID4VP requests signed with X509 certificates, create a presentation credential template in the Paradym dashboard, create a presentation template through the API, or read more in the Certificates documentation.
Creating an OpenID4VP presentation template for requests signed with an X509 certificate
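The check a receiving party performs on such a request, and the chain-based trust described in the verification section above, shown as an added example (not Paradym's code or API): the signer certificate must chain to a trusted root, and the client ID after the x509_san_dns: prefix must equal a dNSName SAN on the leaf. The names newCert and CheckClientID, the host verifier.example.com and the exact, case-sensitive comparison are assumptions; the certificates are constructed at run time, and verifying the request signature against the leaf key is outside this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed Ed25519 test certificate; a nil parent yields a self-signed root.
func newCert(cn string, dns []string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// CheckClientID: leaf must chain to a trusted root and "x509_san_dns:"+SAN must equal client_id (exact match assumed).
func CheckClientID(clientID string, leaf *x509.Certificate, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate is not trusted: %w", err)
	}
	for _, san := range leaf.DNSNames {
		if clientID == "x509_san_dns:"+san {
			return nil
		}
	}
	return fmt.Errorf("client_id %q matches no dNSName SAN of the leaf", clientID)
}

func main() {
	root, rootKey := newCert("Constructed Verifier Root", nil, nil, nil)
	leaf, _ := newCert("Constructed Signer", []string{"verifier.example.com"}, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println(CheckClientID("x509_san_dns:verifier.example.com", leaf, roots))
}
```

The chain check runs before the name check, so a matching SAN on a certificate from an untrusted root is still rejected.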
What's Coming Next
There is no denying it: verifiable credentials are becoming mainstream. With the EU Digital Identity rapidly taking shape, more and more states in the US issuing mDLs (Mobile Driving Licenses), Japan issuing their My Number Card as a verifiable credential, and both Apple and Google announcing support for the W3C Digital Credentials API (a browser-based API for requesting verifiable credentials), we are moving beyond pilot programs into real-world deployments.
At Paradym we want to be a global connector between all the different credential formats, trust mechanisms and exchange protocols, so you're ready to integrate with any verifiable credential ecosystem. That's why aside from the EU Digital Identity ecosystem we also support DID-based trust, DIDComm messaging and AnonCreds credentials. We are closely following emerging standards and ecosystems.
Currently we're working on mDOC/mDL issuance based on X509 certificates, along with support for the recently released OpenID4VP v1. These additions will provide even more alignment with emerging standards and verifiable credential deployments. For organizations looking to participate in the EUDI ecosystem or other X509-based digital identity ecosystems, these features remove significant technical barriers. The infrastructure handles the complexity so you can focus on building applications that serve your users.
👉 Start building for free or explore the Paradym API docs to integrate directly into your stack.