Castell · SkyV2X
European
V2X

Open V2X PKI · ETSI Release 2

Castell.

Open V2X PKI Testbed · Europe

Built up.
Taken down.
Never fallen.

Public C-ITS PKI for V2X integrators in Europe. ETSI Release 2 · CCMS wire-aligned · multi-curve · in production. Open in your terminal. No portal, no signup.

Castell open V2X PKI testbed — Wireshark dissecting C-ITS traffic signed by Castell certificates. SPATEM, MAPEM, CAM, IVIM packets with full ETSI ASN.1 certificate chain and ecdsaNistP256 signature visible.
Anxaneta at work SPATEM · MAPEM · CAM · IVIM · signed by Castell

Enrolment

TS 102 941

Authorization

TS 102 941

Trust lists

RCA-CTL · TLM-ECTL

Misbehaviour

TS 103 759

Curves

NIST P-256 · Brainpool P-256r1 · P-384r1

Why Castell

A castell is a PKI
seen in physical form.

A castell is a human tower from Catalonia — UNESCO intangible heritage since 2010. Each tier of people holds the tier above it. The base — the pinya — is wide, dense, immovable. The top — the anxaneta — is a child, light, ephemeral; once they touch the sky the tower disassembles cleanly.

A PKI works the same way: a Root CA holds an authority layer holds a short-lived AT cert that signs one message and rotates. If the base moves, the tower falls — a trust anchor compromise is exactly that. Build it up cleanly. Take it down cleanly. Never let it fall.

Castell is the name we gave the testbed so the picture of how the trust is built — and how it should come down — stays in mind.

Castell · PKI

  • PinyaRoot CA + trust anchor
  • FolreLong-term sub-CA layer
  • ManillesAuthority layer (EA / AA)
  • TroncCert chain levels (1..N)
  • AnxanetaEnd-entity cert (AT)
  • AletaTLM (Trust List Manager)
  • CarregarIssue · build up
  • DescarregarRevoke · rotate cleanly
  • CaureCert compromise · chain collapse
  • PilarSingle-level self-signed cert

Quickstart

Sixty seconds
to first verify.

Trust anchor, discovery, ECTL. From any shell.

$ curlapplication/x-its-cert · COER
# Trust anchor (RCA cert, COER, ~191B)
curl https://pki.skyv2x.com/trustanchor -o root.cert

# Discovery — curves, endpoints, anchor hashes
curl https://pki.skyv2x.com/capabilities | jq

# European Trust List, TLM-signed
curl https://pki.skyv2x.com/getectl -o ectl.bin

# Misbehaviour Authority cert (TS 103 759)
curl https://pki.skyv2x.com/ma -o ma.cert

Trust anchors

Live material.

Pin by HashedId8 or SHA-256. Re-fetch /capabilities for current values.

RCA · Pinya

Root Certificate Authority

the base that holds it all

GET /trustanchor

TLM · Aleta

Trust List Manager

the spotter outside the pinya

GET /tlm

MA

Misbehaviour Authority

TS 103 759 — when something falls

GET /ma

Surface

Endpoints.

Discovery

GET/capabilitiesMachine-readable JSON
GET/.well-known/skyv2x-pkiAlias capabilitiesRFC 8615
GET/healthzLiveness

Trust material

GET/trustanchorRCA cert (COER)TS 103 097
GET/tlmTLM cert (COER)TS 102 940
GET/maMA cert (COER)TS 103 759
GET/cert/{name}By name (root/tlm/ea/aa/ma/at)
GET/lookup/{hashedId8}By HashedId8

Trust lists

GET/getectlECTL, TLM-signedTS 102 941
GET/getctl/{hashedId8}RCA-CTLTS 102 941
GET/getcrl/{hashedId8}CRL signed by RCATS 102 941

Enrolment · authorization · misbehaviour

POST/ec-requestEnrolmentRequest → ECTS 102 941
POST/at-requestAuthorizationRequest → ATTS 102 941
POST/mrMisbehaviour ReportTS 103 759

Transparency

GET/audit-logPrivacy-preserving activity log
GET/metricsPrometheus counters

Cryptography

Three curves.
One chain.

Sign and verify with whichever curve your stack expects. ECIES envelopes and certificate signatures both honour the curve choice.

NIST P-256
secp256r1

FIPS 186-5 · RFC 6090. The baseline ETSI / IEEE 1609.2 curve. Default in virtually every C-ITS stack shipping today.

Brainpool P-256r1
RFC 5639

Brainpool 256-bit. Required by some EU national profiles and BSI-aligned deployments.

Brainpool P-384r1
RFC 5639

Brainpool 384-bit. Higher security level for long-lived sub-CA certificates.

Disclaimer   ETSI / CCMS wire-aligned, but not a certified CCMS Trust Point. Open testbed under best-effort operation. For production CCMS deployments, contract a certified provider.