light-mode-image
Learn
API ReferenceHolder root CA certificates

Retrieve a holder root CA certificate revocation list

GET/v1/holder/certificates/ca/{certificateId}/crl

Retrieves the Certificate Revocation List (CRL) for a managed holder root CA certificate, as a DER-encoded binary document.

This endpoint is only available for managed roots — for unmanaged roots it returns 404 NoCertificateRevocationList.

Path Parameters

certificateId*string

Unique identifier of the holder root CA certificate.

Formatuuid

Response Body

application/pkix-crl

application/json

curl -X GET "https://example.vii.au01.mattr.global/v1/holder/certificates/ca/281d20b3-42a3-40dd-b29a-115ff32b02b7/crl"
"string"
{
  "code": "string",
  "message": "string",
  "details": [
    {
      "value": "string",
      "msg": "Invalid value",
      "param": "id",
      "location": "body"
    }
  ]
}
Empty

How would you rate this page?

Delete a holder root CA certificate DELETE

Deletes a holder root CA certificate and cascade-deletes all associated signer certificates. For managed roots and signers, MATTR VII also removes the private key material it was holding on the customer's behalf. Deletion does not invalidate any wallet attestation JWTs that were issued under this root. Those JWTs remain cryptographically valid until their natural expiry — verifiers that have already cached the signer's public key may continue to accept them. CRL-based revocation of issued attestations is not supported in this release. ### **Analytic events** * CREDENTIAL_HOLDER_CA_CERTIFICATE_DELETE_START * CREDENTIAL_HOLDER_CA_CERTIFICATE_DELETE_SUCCESS * CREDENTIAL_HOLDER_CA_CERTIFICATE_DELETE_FAIL

Create a wallet attestation signer POST

Creates a wallet attestation signer for an unmanaged root CA and returns its Certificate Signing Request (CSR). This endpoint is only available for unmanaged roots — managed root signers are auto-provisioned on demand during the first wallet attestation request and never need to be created explicitly. The returned signer is created with `active: false`; use the CSR to obtain a signed certificate externally and upload it via `PUT /v1/holder/certificates/wallet-attestation-signers/{certificateId}` to activate the signer. A maximum of five wallet attestation signers can be created per root. ### **Analytic events** * CREDENTIAL_HOLDER_WALLET_ATTESTATION_SIGNER_CERTIFICATE_CREATE_START * CREDENTIAL_HOLDER_WALLET_ATTESTATION_SIGNER_CERTIFICATE_CREATE_SUCCESS * CREDENTIAL_HOLDER_WALLET_ATTESTATION_SIGNER_CERTIFICATE_CREATE_FAIL