Create a Document signer

To issue a DCC through the MATTR VII DCC extension you first need to create a Document signer that can sign a DCC payload.

The Document signer is a certificate together with its private key. The private key is created and stored in the MATTR Key Management System (KMS) and is used for every sign operation on the DCC extension under your tenant.

Prerequisites

You need the following in order to proceed with this tutorial:

  • Access to MATTR VII APIs. If you’re experiencing any difficulties, contact us.

Contact us prior to uploading any PEM Certificates that represent an association to a CSCA so that we can discuss the appropriate key management policy MATTR can implement for your tenant.

Request

Make the following request to create a Document signer:

http
POST https://YOUR_TENANT_URL/ext/dcc/v1/documentsigners

This request will create a self-signed certificate (private-public key pair) that can be used to sign a DCC. The private key generated as part of this operation will be stored in the MATTR KMS.

Response

json
{
    "id": "f83550d7-8e01-4948-b311-63a44d6b2f13",
    "publicKey": {
        "kty": "EC",
        "crv": "P-256",
        "x": "TU5rETqOt_2G1FNlltr78UUxR4lNCOzYqnJJcLhn_wo",
        "y": "swCToS3XpqqnRpUVjCR9wNMGySPKH-w39ShyfGv8zpk"
    },
    "certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIIBdzCCAR2gAwIBAgIBATAKBggqhkjOPQQDAjAgMR4wCQYDVQQGEwJOWjARBgNV\r\nBAMeCgBNAGEAdAB0AHIwHhcNMjExMTAyMjEyMjUwWhcNMjMxMTAyMjEyMjUwWjAg\r\nMR4wCQYDVQQGEwJOWjARBgNVBAMeCgBNAGEAdAB0AHIwWTATBgcqhkjOPQIBBggq\r\nhkjOPQMBBwNCAARNTmsROo63/YbUU2WW2vvxRTFHiU0I7NiqcklwuGf/CrMAk6Et\r\n16aqp0aVFYwkfcDTBskjyh/sN/Uocnxr/M6Zo0gwRjASBgNVHRMBAf8ECDAGAQH/\r\nAgEDMDAGA1UdJQQpMCcGCysGAQQBjjePZQECBgsrBgEEAY43j2UBAQYLKwYBBAGO\r\nN49lAQMwCgYIKoZIzj0EAwIDSAAwRQIhAKXlTF7I3zP6RhOWGvLiFYWRZNcMl3+y\r\n8UCgFkC9UG/dAiBPZQhPE2Q632Eou/YuSKHWXTUAkyjBJivi+OpPS6H+rQ==\r\n-----END CERTIFICATE-----\r\n",
    "certificateFingerprint": "cfa5f6838915bee7df7a11bbcc2594de835bb9ff57455a067d97dcd96456cc27",
    "certificateKid": "cfa5f6838915bee7",
    "certificateData": {
        "notAfter": "2023-11-02T21:22:50.000Z",
        "notBefore": "2021-11-02T21:22:50.000Z",
        "keyUsage": {
            "recovery": true,
            "test": true,
            "vaccination": true
        },
        "country": "NZ"
    }
}

The response includes the resulting self-signed certificate along with its unique id, publicKey, certificatePem, certificateFingerprint, certificateKid and associated metadata (certificateData).

The publicKey and certificatePem returned in the response can be shared with a Country Signing Certificate Authority (CSCA), which can then issue an updated PEM certificate that associates your Document signer with it. That PEM certificate represents the chain of trust between the issuing entities, as outlined under the EUDCC trust framework. This step is only required if the issued DCC is to be trusted under that framework.

The id value can be used to update the Document signer with a new certificatePem, or to remove it.
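Before you hand the publicKey and certificatePem to a CSCA, it is worth checking that the fields in the response are consistent with each other. The script below is an added example written for this page, not MATTR's own code; it uses only the Python standard library and the example response shown above. The POST helper assumes the tenant API accepts a bearer access token, and the fingerprint check assumes certificateFingerprint is the SHA-256 of the DER-encoded certificate with certificateKid as its first 8 bytes (this matches the example values but is an assumption about the extension). The public-key comparison needs no ASN.1 parser because the certificate's SubjectPublicKeyInfo carries the uncompressed EC point 0x04 || X || Y verbatim.

```python
"""Consistency checks on a MATTR VII DCC Document signer response (added example)."""
import base64
import hashlib
import json
import urllib.request
from datetime import datetime

# Example response copied from this page; the PEM keeps its \r\n line breaks.
SAMPLE_RESPONSE = {
    "id": "f83550d7-8e01-4948-b311-63a44d6b2f13",
    "publicKey": {
        "kty": "EC",
        "crv": "P-256",
        "x": "TU5rETqOt_2G1FNlltr78UUxR4lNCOzYqnJJcLhn_wo",
        "y": "swCToS3XpqqnRpUVjCR9wNMGySPKH-w39ShyfGv8zpk",
    },
    "certificatePem": (
        "-----BEGIN CERTIFICATE-----\r\n"
        "MIIBdzCCAR2gAwIBAgIBATAKBggqhkjOPQQDAjAgMR4wCQYDVQQGEwJOWjARBgNV\r\n"
        "BAMeCgBNAGEAdAB0AHIwHhcNMjExMTAyMjEyMjUwWhcNMjMxMTAyMjEyMjUwWjAg\r\n"
        "MR4wCQYDVQQGEwJOWjARBgNVBAMeCgBNAGEAdAB0AHIwWTATBgcqhkjOPQIBBggq\r\n"
        "hkjOPQMBBwNCAARNTmsROo63/YbUU2WW2vvxRTFHiU0I7NiqcklwuGf/CrMAk6Et\r\n"
        "16aqp0aVFYwkfcDTBskjyh/sN/Uocnxr/M6Zo0gwRjASBgNVHRMBAf8ECDAGAQH/\r\n"
        "AgEDMDAGA1UdJQQpMCcGCysGAQQBjjePZQECBgsrBgEEAY43j2UBAQYLKwYBBAGO\r\n"
        "N49lAQMwCgYIKoZIzj0EAwIDSAAwRQIhAKXlTF7I3zP6RhOWGvLiFYWRZNcMl3+y\r\n"
        "8UCgFkC9UG/dAiBPZQhPE2Q632Eou/YuSKHWXTUAkyjBJivi+OpPS6H+rQ==\r\n"
        "-----END CERTIFICATE-----\r\n"
    ),
    "certificateFingerprint": "cfa5f6838915bee7df7a11bbcc2594de835bb9ff57455a067d97dcd96456cc27",
    "certificateKid": "cfa5f6838915bee7",
    "certificateData": {
        "notAfter": "2023-11-02T21:22:50.000Z",
        "notBefore": "2021-11-02T21:22:50.000Z",
        "keyUsage": {"recovery": True, "test": True, "vaccination": True},
        "country": "NZ",
    },
}


def create_document_signer(tenant_url: str, access_token: str) -> dict:
    """POST /ext/dcc/v1/documentsigners, the request shown on this page.
    Bearer-token authorisation is an assumption about the tenant API."""
    req = urllib.request.Request(
        f"{tenant_url}/ext/dcc/v1/documentsigners", data=b"", method="POST",
        headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def b64url_decode(value: str) -> bytes:
    """JWK coordinates are unpadded base64url; restore the padding first."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def jwk_point(jwk: dict) -> bytes:
    """SEC1 uncompressed point 0x04 || X || Y from a P-256 EC JWK."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("expected a P-256 EC JWK")
    x, y = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(x) != 32 or len(y) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes each")
    return b"\x04" + x + y


def public_key_matches_certificate(response: dict) -> bool:
    """True if the JWK in publicKey is the key embedded in certificatePem."""
    return jwk_point(response["publicKey"]) in pem_to_der(response["certificatePem"])


def sha256_fingerprint(response: dict) -> str:
    """SHA-256 over the DER certificate (assumed to be how the fingerprint is formed)."""
    return hashlib.sha256(pem_to_der(response["certificatePem"])).hexdigest()


def kid_is_fingerprint_prefix(response: dict) -> bool:
    """certificateKid should be the first 8 bytes (16 hex chars) of the fingerprint."""
    fingerprint = response["certificateFingerprint"].lower()
    return len(fingerprint) == 64 and response["certificateKid"].lower() == fingerprint[:16]


def _utc(timestamp: str) -> datetime:
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def certificate_valid_on(response: dict, when_iso: str) -> bool:
    """True if the ISO-8601 instant lies inside the notBefore/notAfter window."""
    data = response["certificateData"]
    return _utc(data["notBefore"]) <= _utc(when_iso) <= _utc(data["notAfter"])


def check_document_signer(response: dict, when_iso: str) -> dict:
    """Run all checks; a False value means the response should not be trusted as-is."""
    return {
        "public_key_matches_certificate": public_key_matches_certificate(response),
        "kid_is_fingerprint_prefix": kid_is_fingerprint_prefix(response),
        "fingerprint_is_sha256_of_der":
            sha256_fingerprint(response) == response["certificateFingerprint"].lower(),
        "certificate_valid_on_date": certificate_valid_on(response, when_iso),
    }


if __name__ == "__main__":
    print(json.dumps(check_document_signer(SAMPLE_RESPONSE, "2022-06-01T00:00:00Z"), indent=2))
```

Run it against a real response by replacing SAMPLE_RESPONSE with the output of create_document_signer("https://YOUR_TENANT_URL", token). The validity check is the one most likely to flip over time: the example certificate expired on 2023-11-02, so a DCC signed with it after that date will fail verifiers regardless of how well the rest of the chain is set up.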

What's next?

You can now use the Document signer to sign a DCC.