Create a holder root CA certificate
POST /v1/holder/certificates/ca
Creates a holder root CA certificate that is used to issue wallet attestation signer certificates.
Two flows are supported:
- Managed — MATTR VII generates the root certificate and manages the private key on the customer's behalf. Supply no certificatePem in the request body; commonName and country are optional.
- Unmanaged — the customer supplies their own externally-managed root CA in PEM format. commonName and country are extracted from the certificate and must not be provided in the request.
A maximum of three holder root CA certificates can be created per tenant. Only one can be active at a time.
The newly-created root is always inactive. Activate it by issuing PUT /v1/holder/certificates/ca/{certificateId} with { "active": true }, which also deactivates any previously active root for the tenant (single-active constraint).
Analytic events
- CREDENTIAL_HOLDER_CA_CERTIFICATE_CREATE_START
- CREDENTIAL_HOLDER_CA_CERTIFICATE_CREATE_SUCCESS
- CREDENTIAL_HOLDER_CA_CERTIFICATE_CREATE_FAIL
Authorization
bearerAuth In: header
Request Body
application/json
Response Body
application/json
curl -X POST "https://example.vii.au01.mattr.global/v1/holder/certificates/ca" \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{}'

{
"id": "281d20b3-42a3-40dd-b29a-115ff32b02b7",
"active": true,
"certificatePem": "-----BEGIN CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIJAL5...\n-----END CERTIFICATE-----",
"certificateFingerprint": "a3b2c1d4e5f67890a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4e5f67890",
"certificateData": {
"commonName": "Example Tenant Wallet Attestation Root",
"country": "NZ",
"notBefore": "2026-04-06T00:00:00.000Z",
"notAfter": "2036-04-06T00:00:00.000Z"
},
"isManaged": true
}

{
"code": "string",
"message": "string",
"details": [
{
"value": "string",
"msg": "Invalid value",
"param": "id",
"location": "body"
}
]
}

{
"code": "string",
"message": "string",
"details": [
{
"value": "string",
"msg": "Invalid value",
"param": "id",
"location": "body"
}
]
}
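A client-side pre-flight for the two flows and the activation step described above, added here as an example and not MATTR's own code. The function names and the sample PEM are constructed for illustration, and the list of existing roots is assumed to carry the `id` and `active` fields shown in the create response.

```python
import base64
import re

MAX_ROOTS = 3  # per-tenant limit stated on this page
BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def build_create_body(certificate_pem=None, common_name=None, country=None):
    """JSON body for POST /v1/holder/certificates/ca, for either flow."""
    if certificate_pem is None:
        # Managed: no certificatePem; commonName and country are optional.
        fields = {"commonName": common_name, "country": country}
        return {k: v for k, v in fields.items() if v is not None}
    # Unmanaged: commonName/country come from the certificate itself.
    if common_name is not None or country is not None:
        raise ValueError("commonName/country must not accompany certificatePem")
    labels = BEGIN.findall(certificate_pem)
    if labels != ["CERTIFICATE"]:
        # Rejects chains and, above all, a private key pasted in with the root.
        raise ValueError(f"expected one CERTIFICATE block, found {labels}")
    match = CERT.search(certificate_pem)
    if match is None:
        raise ValueError("CERTIFICATE block has no matching END line")
    # Raises binascii.Error (a ValueError) if the payload is not clean base64.
    base64.b64decode("".join(match.group(1).split()), validate=True)
    return {"certificatePem": certificate_pem.strip()}

def ensure_capacity(existing_roots):
    """Call before creating: the tenant may hold at most three roots."""
    if len(existing_roots) >= MAX_ROOTS:
        raise RuntimeError("tenant already holds three holder root CAs")

def activation_plan(roots, new_id):
    """Return the activation request and the ids it will deactivate."""
    displaced = [r["id"] for r in roots if r["active"] and r["id"] != new_id]
    request = ("PUT", f"/v1/holder/certificates/ca/{new_id}", {"active": True})
    return request, displaced

# Constructed sample input: placeholder bytes, not a real certificate or key.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"constructed-der-placeholder").decode()
               + "\n-----END CERTIFICATE-----\n")
SAMPLE_WITH_KEY = (SAMPLE_CERT
                   + "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")
```

The displaced ids returned by `activation_plan` are the roots that stop being active once the PUT succeeds, so record them before switching.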
Delete a registered holder application instance DELETE
Deletes a registered instance of a holder application. Deleted instances will no longer be able to interact with the platform or receive tokens, and any existing tokens will be revoked. Application owners can use this endpoint to remove individual instances that are no longer needed or were registered by mistake, without affecting the entire holder application or its other instances. This is useful for cleaning up test instances or managing specific devices, rather than deleting the whole application and all its associated instances.
Analytic events
- CREDENTIAL_HOLDER_APPLICATION_INSTANCE_DELETE_START
- CREDENTIAL_HOLDER_APPLICATION_INSTANCE_DELETE_SUCCESS
- CREDENTIAL_HOLDER_APPLICATION_INSTANCE_DELETE_FAIL
Retrieve all holder root CA certificates GET
Retrieves all holder root CA certificates for the tenant.
Analytic events
- CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_LIST_START
- CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_LIST_SUCCESS
- CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_LIST_FAIL