Guides
Platform management
Identifiers
Certificates
Create an IACA

How to create an IACA

An IACA (Issuing Authority Certificate Authority) is a X.509 based certificate used to identify a Mobile Credential issuer and verify the Mobile Credentials they issue.

Request

Make a request of the following structure to create an IACA:

POST /v2/credentials/mobile/iacas
{
    "commonName": "Example IACA",
    "country": "US",
    "stateOrProvinceName": "US-AL",
    "notAfter": "2034-09-26"
}
  • commonName : This optional parameter indicates the common name of the IACA certificate. When specified, the value must be a valid PrintableString and cannot be an empty string. If not provided and a custom domain is configured and verified, the custom domain is used followed by the word IACA. If no custom domain is configured, the tenant subdomain is used instead.
  • country : This optional parameter indicates the issuer country. If not provided, a country is selected based on the region of the tenant subdomain cloud host. When specified, the value must be uppercase and a valid country code as per ISO 3166-1 (opens in a new tab).
  • stateOrProvinceName: This optional parameter indicates the issuer state or province. When specified, the value must be uppercase and a valid country code as per ISO 3166-2 (opens in a new tab).
  • notAfter : This optional parameter is used to set the IACA expiry date. When not provided, defaults to 10 years from issuance. Maximum value is 20 years from issuance.

Response

{
    "id": "e86dd9bc-1414-4f60-aeb1-9143451424bb",
    "certificatePem": "-----BEGIN CERTIFICATE-----\\r\\nMIIBwzCCAWigAwIBAgIKRGC+CqoTGJKkkTAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\\r\\nEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwHhcNMjMwODA4MDAwOTIxWhcNMzMwODA1\\r\\nMDAwOTIxWjAgMR4wCQYDVQQGEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwWTATBgcq\\r\\nhkjOPQIBBggqhkjOPQMBBwNCAASRu69fzdgM4odkyPtRcZd3eGWCw4BB7StZNGRm\\r\\nuIlrraUyv9SWPHgUYjYmRB1g7ERzj/pOSAspk71Y+QA+j9nPo4GJMIGGMBIGA1Ud\\r\\nEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgAGMB0GA1UdDgQWBBSONcHGh4If\\r\\nO1dYorRpsuFrs+f8SDAcBgNVHRIEFTATgRFpbmZvQG1hdHRyLmdsb2JhbDAjBgNV\\r\\nHR8EHDAaMBiiFoYUaHR0cHM6Ly9tYXR0ci5nbG9iYWwwCgYIKoZIzj0EAwIDSQAw\\r\\nRgIhAPKJIGDSvp7VxRBLCWWeghqi8UUeO+dZsC49TUZcDMNxAiEAoh+7dT+l+GzX\\r\\nk0J2SoGmPiagrbAuIYyTHwzZZuYr1W4=\\r\\n-----END CERTIFICATE-----\\r\\n",
    "certificateData": {
        "commonName": "Example IACA",
        "country": "US",
        "stateOrProvinceName": "US-AL",
        "notAfter": "2034-09-26T00:09:21.000Z",
        "notBefore": "2023-08-08T00:09:21.000Z"
    },
    "certificateFingerprint": "57b178a6c2b8c1877dba515ad4fd60f9c805efc309287182db7debfe43a22928",
    "publicKeyJwk": {
        "kty": "EC",
        "crv": "P-256",
        "x": "kbuvX83YDOKHZMj7UXGXd3hlgsOAQe0rWTRkZriJa60",
        "y": "pTK_1JY8eBRiNiZEHWDsRHOP-k5ICymTvVj5AD6P2c8"
    }
}
  • id : Unique identifier created for each IACA.
  • certificatePEM : Certificate PEM format.
  • certificateData : Key details of the created IACA:
    • notAfter : IACA's expiry date.
    • notBefore : IACA’s active from date.
    • commonName : IACA's name, as provided in the request.
    • country : IACA’s issuer country, as provided in the request.
  • certificateFingerprint : Hashed value of the IACA certificate that includes all certificate data and its signature.
  • publicKeyJwk : JWK format of the IACA public key.

Once an IACA is created on a MATTR VII tenant, it can be retrieved from the mdoc_iacas_uri property of its OID4VCI issuer metadata.

Configure a custom domainCreate a DSC