Hive runs an ACME-style middle certificate authority. It issues short-lived X.509 certificates that link a did:hive:* identity to your service's existing TLS identity, using the Subject Alternative Name URI extension. Every browser, every load balancer, and every audit tool already knows how to read it. You don't need a new transport or a new client. The trust works with the tools you already have.
# Sign up a service for a cert tied to its did:hive. Standard ACME steps. certbot certonly \ --server https://ca.thehiveryiq.com/acme/directory \ --domain api.your-service.com \ --hive-did did:hive:your-service-001 \ --hive-pubkey ed25519:<your_published_key> # The cert you get back includes a SAN URI: did:hive:your-service-001 # Good for 30 days. It renews itself through the standard ACME process. # Chain: your cert -> Hive Intermediate CA -> public trust anchor
An agent reading the Hive transparency log sees signed receipts. But a browser visiting api.your-service.com just sees a TLS handshake. The Hive CA makes both of those match up. The certificate your browser checks is the same identity the agent is reasoning about.
Cloudflare, Datadog, every SIEM, and every enterprise procurement team already understand certificates like this. We're not asking them to adopt a new transport. We hand them a cert chain their existing tools accept on day one, and that cert chain happens to carry a did:hive right where every modern toolchain already looks.
Certificate:
Data:
Version: 3 (0x2)
Issuer: CN=Hive Civilization Intermediate CA G1
Validity:
Not Before: 2026-05-29 00:00:00 UTC
Not After : 2026-06-28 00:00:00 UTC
Subject: CN=api.your-service.com
Subject Public Key Info:
Public Key Algorithm: Ed25519
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:api.your-service.com,
URI:did:hive:your-service-001 ← the binding
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
CT Precertificate SCTs:
Log: ct.thehiveryiq.com/v1 ← own log inclusion
Log: ct.googleapis.com/logs/argon2026 ← public CT log mirror
Bind your did:hive to the certificate your browser already trusts. The trust travels with you. The receipts are visible everywhere.