Docs

work in progress

A short orientation while full documentation is written. Certz is a research proof of concept on the Oasis Sapphire testnet; the web app currently runs against a local mock of the data layer.

Core concepts

Confidential CA key
The CA private key is generated inside an Oasis Sapphire confidential contract (a TEE) and is never exported. Signing happens inside the enclave.
DNS-01 challenge
Ownership is proven by publishing a TXT record at _certz-challenge.<domain>, mirroring the ACME DNS-01 method.
ROFL TEE oracle
An Oasis ROFL enclave resolves the DNS challenge off-chain and attests the result, authorising the on-chain CA to sign.
Transparency registry
A public on-chain contract mapping domain → certificate digest, with validity and revocation status. Certificate-Transparency style.
Out-of-band verifier
Checks a presented certificate against the CA root and registry. A DANE-like layer alongside normal HTTPS, not a replacement for it.
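
The registry half of the out-of-band check described above, as an added example that is not Certz code. It assumes the digest is SHA-256 over the certificate's DER bytes and a record layout with Unix-time validity bounds; all names are hypothetical, and validation against the CA root is left out.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    MATCH = "match"
    UNKNOWN_DOMAIN = "unknown domain"
    DIGEST_MISMATCH = "digest mismatch"
    REVOKED = "revoked"
    NOT_YET_VALID = "not yet valid"
    EXPIRED = "expired"

@dataclass(frozen=True)
class RegistryEntry:  # assumed layout: digest plus validity and revocation status
    digest_hex: str   # assumed: SHA-256 over the certificate's DER bytes
    not_before: int   # Unix seconds
    not_after: int
    revoked: bool

def normalize(domain: str) -> str:
    """Lower-case the name and drop a trailing root dot before lookup."""
    return domain.strip().rstrip(".").lower()

def check_registry(registry: dict, domain: str, cert_der: bytes, now: int) -> Verdict:
    """Advisory check of a presented certificate against a registry snapshot."""
    entry = registry.get(normalize(domain))
    if entry is None:
        return Verdict.UNKNOWN_DOMAIN
    if hashlib.sha256(cert_der).hexdigest() != entry.digest_hex.lower():
        return Verdict.DIGEST_MISMATCH  # not the certificate that was registered
    if entry.revoked:
        return Verdict.REVOKED
    if now < entry.not_before:
        return Verdict.NOT_YET_VALID
    if now > entry.not_after:
        return Verdict.EXPIRED
    return Verdict.MATCH

# Constructed sample data: placeholder bytes stand in for a DER certificate.
CERT = b"constructed DER bytes for example.test"
DIGEST = hashlib.sha256(CERT).hexdigest()
REGISTRY = {
    "example.test": RegistryEntry(DIGEST, 1_700_000_000, 1_800_000_000, False),
    "revoked.test": RegistryEntry(DIGEST, 1_700_000_000, 1_800_000_000, True),
}

if __name__ == "__main__":
    print(check_registry(REGISTRY, "Example.TEST.", CERT, 1_750_000_000))
```

Every verdict other than MATCH is a reason to flag the connection to the user, in line with the advisory role the page gives the verifier.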

Honest scope: Certz certificates are not trusted by web browsers and a future extension can only offer soft, advisory verification. See the landing page's “What Certz is not” section for the full caveats.