1. Home
  2. /
  3. Resources
  4. /
  5. #KEYMASTER: Introducing Unsigned X.509 Certificates for a Simpler Root of Trust

#KEYMASTER: Introducing Unsigned X.509 Certificates for a Simpler Root of Trust

hero-sub-3
PKI hierarchies - 1, 2, 3 tiers ?

2025-12-02

In this episode, Sven Rajala, International PKI Man of Mystery, is joined by David Hook, VP of Software Engineering for Bouncy Castle, to explore a surprisingly elegant change coming to X.509 certificates: the concept of unsigned certificates.

David explains that for self-signed (root) certificates, the signature itself does not add value; it does not prove key provenance, since it is signed by the same key it certifies. With post-quantum cryptography introducing much larger signature sizes, this redundancy can become costly in both storage and processing.

The new standard introduces a “no signature” option: a defined empty signature field representing a trusted anchor without unnecessary data. The result is smaller certificates, more straightforward validation logic, and a more efficient foundation for future cryptographic systems.

Watch video on YouTube

Bouncy Castle already supports the draft specification, with full alignment to the finalized object identifier coming in the next release. The draft is expected to be formally published as a new RFC titled “Unsigned Trust Anchors” in January 2026, which will also act as an update to the existing RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile).

Key Takeaways

  • Simple but powerful idea: Remove redundant signatures from self-signed root certificates.
  • Efficiency boost: Saves space and simplifies handling, especially important for post-quantum algorithms with large signatures.
  • Trust model unchanged: Roots remain trust anchors, their authenticity is assumed, having never been proven by a self-signature.
  • Already supported: Bouncy Castle has implemented the latest version in the 1.83-SNAPSHOT with backwards compatibility for earlier drafts, which is supported in the current release.
  • Standard evolution: The concept will be published as “Unsigned Trust Anchors”, updating and extending RFC 5280 in early 2026.

Learn more

Related resources

PKI hierarchies - 1, 2, 3 tiers ?
Implementing Cryptography
Post-Quantum Cryptography
Signing
Tech Update
Ejbca
Signserver
25 November, 2025

#KEYMASTER: The Current State of Composites Signatures and Certificates

In this episode, host Sven Rajala, International PKI Man of Mystery, is joine...
Read more
PKI hierarchies - 1, 2, 3 tiers ?
Implementing Cryptography
Post-Quantum Cryptography
Tech Update
Ejbca
Signserver
18 November, 2025

#KEYMASTER: Can PKCS#10 Handle Post-Quantum Certificates?

In this Keymaster session, Sven Rajala, International PKI Man of Mystery, sit...
Read more

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At PrimeKey Solutions AB, corp. ID no. 556628-3064, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Check to consent to the use of Necessary cookies
Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Check to consent to the use of Functional cookies
Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

Check to consent to the use of Cookies for statistics
For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

Check to consent to the use of Cookies for ad-tracking
To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.

Ad measurement user cookies

Check to consent to the use of Ad measurement user cookies
In order to show relevant ads we place cookies to tailor ads for you

Personalized ads cookies

Check to consent to the use of Personalized ads cookies
To show relevant and personal ads we place cookies to provide unique offers that are tailored to your user data
Close