SkyV2X PKI Open Testbed

First open public C-ITS PKI testbed for Europe — ETSI Release 2 conformant, multi-curve, cross-validated. Free sandbox for V2X integrators.

ETSI TS 102 941 ETSI TS 103 097 ETSI TS 103 759 MA-ready IEEE 1609.2-2022 NIST P-256 Brainpool P-256r1 Brainpool P-384r1

Disclaimer: Open testbed for V2X integrators — NOT a certified C-ITS CCMS Trust Point. Best-effort SLA, rate-limited, free, no NDA, no signup. Material conformant to ETSI Release 2, suitable for integration testing and validation. For production CCMS, use a certified provider.

Quickstart — 60 seconds to first verify

# 1. Fetch the trust anchor (RCA cert, COER binary, ~191 bytes)
curl https://pki.skyv2x.com/trustanchor -o root.cert

# 2. Discover capabilities (curves, endpoints, hashes for pinning)
curl https://pki.skyv2x.com/capabilities | jq

# 3. Get the European Trust List (ECTL, signed by TLM)
curl https://pki.skyv2x.com/getectl -o ectl.bin

# 4. Get the MA cert for misbehaviour reporting (TS 103 759)
curl https://pki.skyv2x.com/ma -o ma.cert

What this gives you

Multi-curve real

NIST P-256 + Brainpool P-256r1 + P-384r1 sign / verify / ECIES. Unique among open testbeds in Europe.

Cross-validated bit-exact

Every byte we emit is parsed identically by 3 independent ASN.1 stacks (asn1tools, asn1c, tshark) — no “works on our parser” surprises.

ETSI Release 2 wire

OER literal TS 102 941 Annex C envelopes. ECIES IEEE 1609.2 cl 5.3.5 strict KEM+DEM. 180+ pytest checks green.

TS 103 759 MA-ready

Misbehaviour Authority cert + /mr endpoint live. Test your detector pipeline against a real backend.

Interop verified

Cross-validated bidirectionally against an independent GPLv2 V2X stack. EC decrypt + verify chain works end-to-end.

Open-source validator

The cits-prove conformance suite (Apache-2.0) is the same one we use internally. Self-certify your stack.

Endpoints

Discovery & trust material

Endpoint	Purpose
`GET /capabilities`	Machine-readable JSON: curves, endpoints, hashes
`GET /.well-known/skyv2x-pki`	Alias of /capabilities (RFC 8615 convention)
`GET /trustanchor`	RCA cert (COER binary)
`GET /tlm`	TLM cert — top-of-trust for federation
`GET /ma`	MA cert — for misbehaviour reporting (TS 103 759)
`GET /getectl`	ECTL signed by TLM (TS 102 941 Annex E)
`GET /getctl/{hashedId8}`	RCA CTL (TS 102 941 §6.3.4)
`GET /getcrl/{hashedId8}`	CRL signed by RCA

Enrolment & authorization

Endpoint	Purpose
`POST /ec-request`	EnrolmentRequest → EnrolmentResponse (§6.2.3.2)
`POST /at-request`	AuthorizationRequest → AuthorizationResponse (§6.2.3.3)
`POST /mr`	Misbehaviour Report (TS 103 759 §5-7)

Transparency

Endpoint	Purpose
`GET /audit-log`	Privacy-preserving append-only log of PKI activity
`GET /metrics`	Prometheus-style counters
`GET /healthz`	Liveness probe

Rate limits

Bucket	Limit
GET endpoints	60 req/min/IP
POST /ec-request	10 req/min/IP
POST /at-request	30 req/min/IP
POST /mr	60 req/min/IP

If you need higher limits for sustained interop testing or CI integration, get in touch.

Roadmap

Now: ETSI Release 2 wire OER + multi-curve + TS 103 759 MA-ready + open-source validator.
Next: Butterfly key authorization (TS 102 941 v2.2.1 + IEEE 1609.2.1) spec-strict via rasn bridge.
Then: Federation cross-RCA — load other Root CAs into the ECTL for community trust.
Eventually: CPOC-style endpoints for plugfest integrators.

Operator

Operated by BlackCycle under the SkyV2X brand. Built on top of sentinel-pki, the internal R&D PKI stack for our Sentinel C-ITS RSU embedded in traffic-signal infrastructure.

For partnership integrations, custom deployments, or production CCMS handoff: hello@blackcycle.ai