light-mode-image
Learn
API ReferenceHolder root CA certificates

Retrieve all holder root CA certificates

Roles

adminholder

Analytics Events

CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_LIST_STARTCREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_LIST_SUCCESSCREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_LIST_FAIL
GET/v1/holder/certificates/ca

Retrieves all holder root CA certificates for the tenant.

Analytic events

  • CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_LIST_START
  • CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_LIST_SUCCESS
  • CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_LIST_FAIL

Authorization

bearerAuth
AuthorizationBearer <token>

In: header

Query Parameters

limit?number

Range size of returned list.

Default100
Range1 <= value <= 1000
cursor?string

Starting point for the list of entries.

Response Body

application/json

application/json

curl -X GET "https://example.vii.au01.mattr.global/v1/holder/certificates/ca"
{
  "data": [
    {
      "id": "281d20b3-42a3-40dd-b29a-115ff32b02b7",
      "active": true,
      "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIJAL5...\n-----END CERTIFICATE-----",
      "certificateFingerprint": "a3b2c1d4e5f67890a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4e5f67890",
      "certificateData": {
        "commonName": "Example Tenant Wallet Attestation Root",
        "country": "NZ",
        "notBefore": "2026-04-06T00:00:00.000Z",
        "notAfter": "2036-04-06T00:00:00.000Z"
      },
      "isManaged": true
    }
  ],
  "nextCursor": "Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM"
}
{
  "code": "string",
  "message": "string",
  "details": [
    {
      "value": "string",
      "msg": "Invalid value",
      "param": "id",
      "location": "body"
    }
  ]
}

How would you rate this page?

Create a holder root CA certificate POST

Creates a holder root CA certificate that is used to issue wallet attestation signer certificates. Two flows are supported: - **Managed** — MATTR VII generates the root certificate and manages the private key on the customer's behalf. Supply no `certificatePem` in the request body; `commonName` and `country` are optional. - **Unmanaged** — the customer supplies their own externally-managed root CA in PEM format. `commonName` and `country` are extracted from the certificate and must not be provided in the request. A maximum of three holder root CA certificates can be created per tenant. Only one can be active at a time. The newly-created root is always inactive. Activate it by issuing `PUT /v1/holder/certificates/ca/{certificateId}` with `{ "active": true }`, which also deactivates any previously active root for the tenant (single-active constraint). ### **Analytic events** * CREDENTIAL_HOLDER_CA_CERTIFICATE_CREATE_START * CREDENTIAL_HOLDER_CA_CERTIFICATE_CREATE_SUCCESS * CREDENTIAL_HOLDER_CA_CERTIFICATE_CREATE_FAIL

Retrieve a holder root CA certificate GET

Retrieves a holder root CA certificate by ID. ### **Analytic events** * CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_START * CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_SUCCESS * CREDENTIAL_HOLDER_CA_CERTIFICATE_RETRIEVE_FAIL