acme rfc 8555 · 30-day leaves · auto-rotation
Hive Certificate Authority

Bind did:hive to the TLS certificate you already have.

Hive runs an ACME-style middle certificate authority. It issues short-lived X.509 certificates that link a did:hive:* identity to your service's existing TLS identity, using the Subject Alternative Name URI extension. Every browser, every load balancer, and every audit tool already knows how to read it. You don't need a new transport or a new client. The trust works with the tools you already have.

Enrollment: RFC 8555 with one extension

If you already run certbot, this will feel familiar.

# Sign up a service for a cert tied to its did:hive. Standard ACME steps.
certbot certonly \
  --server https://ca.thehiveryiq.com/acme/directory \
  --domain api.your-service.com \
  --hive-did did:hive:your-service-001 \
  --hive-pubkey ed25519:<your_published_key>

# The cert you get back includes a SAN URI: did:hive:your-service-001
# Good for 30 days. It renews itself through the standard ACME process.
# Chain: your cert -> Hive Intermediate CA -> public trust anchor
Endpoints

Three URLs. That's the whole thing.

GET ca.thehiveryiq.com/acme/directory ACME directory document, per RFC 8555 section 7.1.1
POST ca.thehiveryiq.com/acme/new-order Order with an optional did-binding extension
GET ca.thehiveryiq.com/intermediate.crt Hive intermediate CA, the public chain anchor
Spec

One page. Works with existing standards. Nothing fancy.

Why this matters for HARM

The CA connects to everything you've already deployed.

An agent reading the Hive transparency log sees signed receipts. But a browser visiting api.your-service.com just sees a TLS handshake. The Hive CA makes both of those match up. The certificate your browser checks is the same identity the agent is reasoning about.

Cloudflare, Datadog, every SIEM, and every enterprise procurement team already understand certificates like this. We're not asking them to adopt a new transport. We hand them a cert chain their existing tools accept on day one, and that cert chain happens to carry a did:hive right where every modern toolchain already looks.

What a certificate looks like once it's issued

Standard X.509, plus one SAN URI.

Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Hive Civilization Intermediate CA G1
        Validity:
            Not Before: 2026-05-29 00:00:00 UTC
            Not After : 2026-06-28 00:00:00 UTC
        Subject: CN=api.your-service.com
        Subject Public Key Info:
            Public Key Algorithm: Ed25519
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:api.your-service.com,
                URI:did:hive:your-service-001      ← the binding
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            CT Precertificate SCTs:
                Log: ct.thehiveryiq.com/v1           ← own log inclusion
                Log: ct.googleapis.com/logs/argon2026  ← public CT log mirror

Sign up once. All your existing tools light up.

Bind your did:hive to the certificate your browser already trusts. The trust travels with you. The receipts are visible everywhere.