Certificate

On-chain X.509 certificates

A Certificate transaction allows an identity on the LTO Network to anchor an X.509 certificate on-chain, typically an organizational or Extended Validation (EV) certificate. This enables trusted identification of legal entities, such as companies, within decentralized workflows.

By registering the certificate on-chain, the organization’s identity can be cryptographically verified and linked to its LTO account. This serves as a foundation for verifiable credentials, cross-chain identity proofs, and secure interactions in regulated environments.

The Subject Public Key Info (SPKI) in the X.509 certificate must match the sender’s public key and key type in the transaction.

If they differ, the transaction is considered invalid and will be rejected by the network.

JSON

{
  "type": 24,
  "version": 3,
  "id": "2GqzNqFvxRQh7DQENecUj6kQMsA6JPXjvS7p1yx7PePx",
  "sender": "3Jq8mnhRquuXCiFUwTLZFVSzmQt3Fu6F7HQ",
  "senderKeyType": "secp256r1",
  "senderPublicKey": "AJQn2L4EhJhQh2NX5NvyDDB5BUPuiZBiNRmqRcSmj3g7",
  "fee": 500000000,
  "timestamp": 1326499200000,
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUGgAwIBAgIUBTg9WprxEdpxu8cLV2CKyGJ7bVQwCgYIKoZIzj0EAwIw\nIzEhMB8GA1UEAwwYQWxpY2UsTz1FeGFtcGxlIEx0ZCxDPU5MMB4XDTI1MDYwMjEy\nNTYzMloXDTI2MDYwMjEyNTYzMlowIzEhMB8GA1UEAwwYQWxpY2UsTz1FeGFtcGxl\nIEx0ZCxDPU5MMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2/WATtZvChbb3xrQ\nEXzszXz3IgpUyA7jbLVQ9B2ibL/SZtvhjU84S8fI1HhzyE5eAqKvkh/pdArBjyXL\naqw0Q6NTMFEwHQYDVR0OBBYEFEb3OV2UesAgnXz8VOieyXgEilyHMB8GA1UdIwQY\nMBaAFEb3OV2UesAgnXz8VOieyXgEilyHMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZI\nzj0EAwIDRwAwRAIgVo0OBEFkXDgJGuIrOl15UKdkvrhe0THS8MO64Jw2F7cCIBpC\nNLnbu23KWkzoIdACHRTGc3MqZrWh53lGq/+tK13P\n-----END CERTIFICATE-----",
  "proofs": [
    "2omugkAQdrm9P7YPx6WZbXMBTifRS6ptaTT8rPRRvKFr1EPFafHSosq6HzkuuLv78gR6vaXLA9WtMsTSBgi3H1qe"
  ],
  "height": 1070000
}
  • id and height should be omitted when broadcasting. These fields are set by the node.

  • recipient andsubject are optional.

  • Binary strings are base58 encoded.

  • timestamp is in microseconds since epoch.

  • fee includes 8 digits, so LTO * 10^8

  • certificate is PEM encoded

  • certificate can be null to clear the certificate of the address

Fields

#
Field Name
Type
Length

1

Transaction type

Byte (constant, value=16)

1

2

Version

Byte (constant, value=3)

1

3

Network id

Byte

1

4

Timestamp

Long

8

5

Sender's key type

KeyType (Byte)

1

6

Sender's public key

PublicKey (Array[Byte])

32 | 33

7

Fee

Long

8

8

Certificate length (N)

Short

1

9

Certificate

Array[Byte]

N

  • Network id can be obtained by taking the 2nd byte from the sender address.

  • Each key type has a numeric id in addition to the reference from the JSON.

  • Integers (short, int, long) have a big endian byte order.

  • Certificate is DER encoded

Last updated