
Network Certificate

How network certificates define and authenticate Staex network boundaries.

Overview

A network certificate contains the network's public key along with additional metadata, all cryptographically signed by the Staex private key. It serves as the root of trust for an entire Staex network and is required to issue node certificates.

Purpose

The primary function of a network certificate is to verify that a given node certificate was issued by the corresponding network. To sign a node certificate, you need the network private key -- the counterpart of the public key contained in the network certificate. This ensures that only the network operator can authorize new nodes.

Network Isolation

By default, nodes signed by different network keys cannot communicate with each other. Each network certificate defines a trust boundary. This isolation can be selectively overridden using the trusted-nodes and trusted-networks configuration settings, which allow cross-network communication for specific nodes or entire partner networks.
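
The two-level chain and the default isolation rule described above, as an added illustration (not Staex code). Assumptions: Ed25519 signatures, the `Cert` layout, the helper names, and modelling trusted-networks as a list of network public keys; the page does not specify the real certificate format or algorithm, and trusted-nodes is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Cert is a constructed layout (assumption): subject key, metadata, issuer signature.
type Cert struct {
	Key  ed25519.PublicKey
	Meta string
	Sig  []byte
}

func payload(key ed25519.PublicKey, meta string) []byte { return append(append([]byte{}, key...), meta...) }
// issue signs the subject key and metadata with the issuer's private key.
func issue(issuer ed25519.PrivateKey, key ed25519.PublicKey, meta string) Cert {
	return Cert{key, meta, ed25519.Sign(issuer, payload(key, meta))}
}
func verify(issuer ed25519.PublicKey, c Cert) bool { return ed25519.Verify(issuer, payload(c.Key, c.Meta), c.Sig) }

// acceptPeer: network cert chains to root, node cert is signed by that network, network is ours or trusted.
func acceptPeer(root ed25519.PublicKey, own, peerNet, node Cert, trusted []ed25519.PublicKey) bool {
	if !verify(root, peerNet) || !verify(peerNet.Key, node) {
		return false
	}
	ok := bytes.Equal(peerNet.Key, own.Key)
	for _, k := range trusted {
		ok = ok || bytes.Equal(k, peerNet.Key)
	}
	return ok
}

// demo uses constructed keys: same network, foreign network, foreign but trusted, wrong signer.
func demo() (same, foreign, foreignTrusted, forged bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	aPub, aPriv, _ := ed25519.GenerateKey(nil)
	bPub, bPriv, _ := ed25519.GenerateKey(nil)
	nodePub, _, _ := ed25519.GenerateKey(nil)
	netA, netB := issue(rootPriv, aPub, "network-a"), issue(rootPriv, bPub, "network-b")
	nodeA, nodeB := issue(aPriv, nodePub, "node-1"), issue(bPriv, nodePub, "node-2")
	return acceptPeer(rootPub, netA, netA, nodeA, nil),
		acceptPeer(rootPub, netA, netB, nodeB, nil),
		acceptPeer(rootPub, netA, netB, nodeB, []ed25519.PublicKey{bPub}),
		acceptPeer(rootPub, netA, netA, nodeB, nil)
}

func main() { fmt.Println(demo()) }
```

The last case shows why the network private key matters: a node certificate signed by any other key fails verification against the network certificate it is presented with.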

Format

Network certificates are represented as BASE64-encoded strings. This is the format expected by the mcc init command and other CLI tools. When sharing a network certificate with a partner organization or passing it as a command-line argument, use the BASE64-encoded form.