KAKUNIN

Certificates

Kakunin issues X.509 certificates for AI agents using AWS KMS. Private key material never leaves the HSM.

Overview

Each certificate is an RSA-2048 X.509 certificate issued via AWS KMS in eu-west-1. The design guarantees:

  • No key escrow — private keys are generated inside KMS and never exported
  • 365-day validity — aligned with MiCA Article 70 requirements
  • One active cert per agent — issuing a new cert when one is active returns 409

Issuing a Certificate

POST /v1/agents/{id}/certify

Response 201:

{
  "data": {
    "id": "uuid",
    "agent_id": "uuid",
    "serial_number": "abc123...",
    "certificate_pem": "-----BEGIN CERTIFICATE-----\n...",
    "kms_key_arn": "arn:aws:kms:eu-west-1:...",
    "status": "active",
    "issued_at": "2026-05-17T00:00:00Z",
    "expires_at": "2027-05-17T00:00:00Z"
  }
}

Error cases:

  • 404 — Agent not found or not in tenant scope
  • 409 — Agent already has an active certificate
  • 422 — Agent is retired
  • 503 — KMS credentials not configured

Revoking a Certificate

Revocation suspends the agent and records a reason. Revoking a certificate that is already revoked or has already expired returns 409 or 422.

POST /v1/certificates/{id}/revoke
{
  "reason": "Anomalous trading behaviour detected by compliance team"
}

Response 200:

{
  "data": {
    "id": "uuid",
    "status": "revoked",
    "revoked_at": "2026-05-17T10:00:00Z",
    "revocation_reason": "Anomalous trading behaviour..."
  }
}
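A client for the two endpoints above, added here as an example; it is not Kakunin's SDK. It maps each documented status code to a sentinel error so callers can distinguish "already has an active certificate" (409, not worth retrying) from "KMS credentials not configured" (503, an operator problem), and exercises certify and revoke against an in-memory stand-in that applies the documented rules. The bearer-token authentication, the stand-in's certificate IDs and key ARNs, and the choice of 409 for revoking an already-revoked certificate are assumptions, not taken from the page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Certificate holds the response fields this example uses from certify and revoke.
type Certificate struct {
	ID        string `json:"id"`
	AgentID   string `json:"agent_id,omitempty"`
	KMSKeyARN string `json:"kms_key_arn,omitempty"`
	Status    string `json:"status"`
}

// One sentinel error per documented status code, so callers can branch with errors.Is.
var (
	ErrNotFound       = errors.New("404: agent or certificate not found, or outside tenant scope")
	ErrConflict       = errors.New("409: certificate already active, or already revoked")
	ErrUnprocessable  = errors.New("422: agent retired, or certificate expired")
	ErrKMSUnavailable = errors.New("503: KMS credentials not configured")
	statusErrors      = map[int]error{404: ErrNotFound, 409: ErrConflict, 422: ErrUnprocessable, 503: ErrKMSUnavailable}
)

type Client struct {
	BaseURL string
	Token   string // bearer token; the page does not document the auth scheme (assumption)
	HTTP    *http.Client
}

// post sends an optional JSON body and unwraps the {"data": ...} envelope on a 2xx reply.
// 503 is deliberately not retried: missing KMS credentials are an operator problem, not a transient fault.
func (c *Client) post(path string, body any) (*Certificate, error) {
	var rdr io.Reader
	if body != nil {
		b, _ := json.Marshal(body)
		rdr = bytes.NewReader(b)
	}
	req, err := http.NewRequest(http.MethodPost, c.BaseURL+path, rdr)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if e, known := statusErrors[resp.StatusCode]; known {
		return nil, e
	}
	if resp.StatusCode/100 != 2 {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	var env struct {
		Data Certificate `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&env); err != nil {
		return nil, err
	}
	return &env.Data, nil
}

// Certify calls POST /v1/agents/{id}/certify.
func (c *Client) Certify(agentID string) (*Certificate, error) {
	return c.post("/v1/agents/"+agentID+"/certify", nil)
}

// Revoke calls POST /v1/certificates/{id}/revoke with the documented {"reason": ...} body.
func (c *Client) Revoke(certID, reason string) (*Certificate, error) {
	return c.post("/v1/certificates/"+certID+"/revoke", map[string]string{"reason": reason})
}

// fakeAPI is a constructed in-memory stand-in for the API (not Kakunin's code) that applies the
// documented rules: 404 for unknown agents, 409 while an active certificate exists, and 409 for
// a second revocation (the page lists 409/422 for that case without saying which applies).
type fakeAPI struct {
	agents map[string]bool
	status map[string]string // certificate ID -> "active" | "revoked"
}

func (f *fakeAPI) RoundTrip(r *http.Request) (*http.Response, error) {
	p := strings.Split(strings.Trim(r.URL.Path, "/"), "/") // ["v1", "agents", id, "certify"]
	code, data := http.StatusNotFound, Certificate{}
	switch {
	case len(p) == 4 && p[1] == "agents" && p[3] == "certify" && f.agents[p[2]]:
		cid := "cert-" + p[2]
		if f.status[cid] == "active" {
			code = http.StatusConflict
		} else {
			f.status[cid] = "active"
			code, data = http.StatusCreated, Certificate{ID: cid, AgentID: p[2], Status: "active",
				KMSKeyARN: "arn:aws:kms:eu-west-1:000000000000:key/" + p[2]}
		}
	case len(p) == 4 && p[1] == "certificates" && p[3] == "revoke" && f.status[p[2]] != "":
		if f.status[p[2]] == "revoked" {
			code = http.StatusConflict
		} else {
			f.status[p[2]] = "revoked"
			code, data = http.StatusOK, Certificate{ID: p[2], Status: "revoked"}
		}
	}
	raw, _ := json.Marshal(map[string]Certificate{"data": data})
	return &http.Response{StatusCode: code, Header: http.Header{}, Body: io.NopCloser(bytes.NewReader(raw))}, nil
}

// NewFakeClient wires the client to the stand-in so the flow can be exercised offline.
func NewFakeClient(knownAgents ...string) *Client {
	f := &fakeAPI{agents: map[string]bool{}, status: map[string]string{}}
	for _, a := range knownAgents {
		f.agents[a] = true
	}
	return &Client{BaseURL: "https://kakunin.example.invalid", Token: "test-token", HTTP: &http.Client{Transport: f}}
}

func main() {
	c := NewFakeClient("agent-1")
	cert, err := c.Certify("agent-1")
	fmt.Println(cert.ID, cert.Status, err) // cert-agent-1 active <nil>
	_, err = c.Certify("agent-1")
	fmt.Println(errors.Is(err, ErrConflict)) // true
	rev, err := c.Revoke(cert.ID, "Anomalous trading behaviour detected by compliance team")
	fmt.Println(rev.Status, err) // revoked <nil>
}
```

Against the real service, swap NewFakeClient for a Client with the production BaseURL and a real token; the error mapping is the part worth keeping, since a 409 on certify means "look up the existing active certificate" rather than "try again".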

AWS KMS Agent Security

To isolate certificate signing keys, Kakunin builds on AWS KMS rather than storing plaintext private keys in a centralized database:

  1. The key pair behind each certificate is generated directly inside AWS KMS hardware security modules (HSMs).
  2. All cryptographic operations (such as signing transaction payloads or authentication requests) are executed inside KMS; the application only submits the data to be signed.
  3. Only the kms_key_arn is stored in the database, for tracking and reference.

This model guarantees that private key material is never exported and never touched by human operators, so an application-layer database breach exposes key ARNs, not keys. The boundary that remains is authorization: any principal allowed kms:Sign on a key can still produce signatures with it, so the KMS key policy and the IAM roles that hold that permission need to be scoped as tightly as the database itself.
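The relying-party side of this model, as an added example rather than Kakunin's code: a verifier that holds only certificate_pem and a signature produced by the KMS-held key, and enforces the documented profile (RSA-2048, at most 365 days, currently inside the validity window) before checking the signature. It assumes the RSASSA_PKCS1_V1_5_SHA_256 scheme, which is one of the signing algorithms KMS offers for RSA keys; the page does not say which one Kakunin uses. The fixture key and self-signed certificate are generated locally as a stand-in for KMS. It does not chain the certificate to an issuing CA, because the page does not document one, and it does not consult revocation status, which has to be checked against the certificate's status in the API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Profile documented on the page: RSA-2048 keys and a 365-day validity window.
const (
	keyBits     = 2048
	maxValidity = 365 * 24 * time.Hour
)

// ParseAgentCertificate decodes certificate_pem and enforces the documented profile at time now.
// It does not chain to an issuer: the page does not document Kakunin's CA.
func ParseAgentCertificate(certPEM []byte, now time.Time) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("certificate_pem does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() != keyBits {
		return nil, errors.New("public key is not RSA-2048")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate not valid at %s (window %s to %s)", now.Format(time.RFC3339),
			cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxValidity {
		return nil, errors.New("validity window exceeds 365 days")
	}
	return cert, nil
}

// VerifyAgentSignature checks sig over payload with the certificate's public key.
// KMS names this scheme RSASSA_PKCS1_V1_5_SHA_256; that Kakunin uses it is an assumption.
func VerifyAgentSignature(cert *x509.Certificate, payload, sig []byte) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate public key is not RSA")
	}
	digest := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// MintFixture is a constructed stand-in for KMS plus the certify endpoint: a locally generated key
// and a self-signed certificate. Real deployments never hold this private key; KMS does.
func MintFixture(bits int, issuedAt time.Time, validity time.Duration) (*rsa.PrivateKey, []byte) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "agent-1"},
		NotBefore:    issuedAt,
		NotAfter:     issuedAt.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SignLikeKMS mirrors what kms:Sign with RSASSA_PKCS1_V1_5_SHA_256 returns, using the stand-in key.
func SignLikeKMS(priv *rsa.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func main() {
	issued := time.Date(2026, 5, 17, 0, 0, 0, 0, time.UTC)
	priv, certPEM := MintFixture(keyBits, issued, maxValidity)
	payload := []byte(`{"action":"trade","qty":10}`) // constructed sample payload
	sig := SignLikeKMS(priv, payload)

	cert, err := ParseAgentCertificate(certPEM, issued.Add(24*time.Hour))
	fmt.Println("parse:", err)                                       // parse: <nil>
	fmt.Println("verify:", VerifyAgentSignature(cert, payload, sig)) // verify: <nil>
	fmt.Println("tampered:", VerifyAgentSignature(cert, []byte(`{"action":"trade","qty":1000}`), sig) != nil) // tampered: true
	_, err = ParseAgentCertificate(certPEM, issued.Add(366*24*time.Hour))
	fmt.Println("expired:", err != nil) // expired: true
}
```

A verifier that stops at the leaf checks shown here still has to treat the API's status field as authoritative: a certificate inside its 365-day window remains cryptographically valid after it has been revoked.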

Certificate Validity

Field         Value
Algorithm     RSA-2048
Validity      365 days
Storage       KMS ARN only — no private key in DB
Regulation    MiCA Art. 70

Auto-Revocation

Agents with a risk score ≥ 0.85 trigger an automatic revocation check. See Event Ingest for risk band details.
