How to add custom CA to PhenixID Server

This document describes how to add a custom Certificate Authority to PhenixID Server.

The reader of this document should have some basic knowledge about PhenixID Server.

System requirements

  • PhenixID Server installed
  • P12 file including Certificate Authority key
  •  Changes will be made to the file phenix-store.json, so please make sure to have a backup  of this file


When using services like signing in PhenixID Server, adding a custom Certificate Authority is preferred. So the signed document(s) will be signed with a CA that is well know within the organization.

This document will guide through the steps to add a custom CA to the PhenixID Server.


We will start by adding the p12 file to the configuration.
Login to the configuration UI, the go to Scenarios/Federation and click the plus sign next to Keystore.
Set a name, press next, add the p12 file and provide the password for the file.
Click verify and show to see the content.
Press next and then Create.
When the Scenario has completed, copy the ID, we will use this shortly.

We now need to edit the phenix-store.json file, so please make a backup of this file before continuing.

Open phenix-store.json in a text editor, find the section CA_CONFIGURATIONS and copy the configuration below into that section. There should already be a default PhenixID CA in place. Change the values according to your environment and make sure to set "ca_keystore_ref" to the id collected earlier.

Example configuration for a custom CA:

    "id" : "customsignca",
    "name" : "My signca",
    "alias" : "customsignca",
    "config" : {
      "ca_keystore_ref" : "yourkeystoreid",
      "ca_profiles" : [ {
        "id" : "signprofile",
        "name" : "My Sign ca profile",
        "alias" : "default",
        "description" : "Profile for signing documents",
        "pipe_ref" : "0ac71f4e-9e59-4e39-84a9-da1d16ce342a",
        "issue_pipe_ref" : "0ac71f4e-9e59-4e39-84a9-da1d16ce342a",
        "revoke_pipe_ref" : "9c4b54b5-53f9-4e91-8876-5f0cffc7c0ff",
        "rules" : {
          "subject" : {
            "regex" : "^CN=.*",
            "required" : "true"
          "key" : {
            "size" : "2048",
            "algorithm" : "RSA",
            "values" : {
              "size" : "2048",
              "algorithm" : "RSA"
          "key_usage" : { },
          "not_before" : {
            "value" : "now"
          "not_after" : {
            "value" : "duration:P365D"
          "extensions" : { },
          "signature_algorithm" : {
            "value" : "SHA256WithRSA"
      } ]

Change any parameters according to your environment.

The service needs to be restarted for the changes to take affect.