Create a Document signer
To issue a DCC through the MATTR VII DCC extension you first need to create a Document signer that can sign a DCC payload.
The Document signer is a certificate with an associated private key. That private key is created and stored in the MATTR Key Management System (KMS) and is used for every sign operation performed by the DCC extension under your tenant; it is never returned by the API.
Prerequisites
You need the following in order to proceed with this tutorial:
Access to MATTR VII APIs. If you’re experiencing any difficulties, contact us.
Contact us before uploading any PEM certificate that represents an association with a CSCA, so that we can discuss the appropriate key management policy MATTR can implement for your tenant.
Request
Make the following request to create a Document signer:
POST https://YOUR_TENANT_URL/ext/dcc/v1/documentsigners
This request creates a self-signed certificate (a private/public key pair) that can be used to sign a DCC. The private key generated by this operation is stored in the MATTR KMS; only the public key and certificate are returned.
Response
{
  "id": "f83550d7-8e01-4948-b311-63a44d6b2f13",
  "publicKey": {
    "kty": "EC",
    "crv": "P-256",
    "x": "TU5rETqOt_2G1FNlltr78UUxR4lNCOzYqnJJcLhn_wo",
    "y": "swCToS3XpqqnRpUVjCR9wNMGySPKH-w39ShyfGv8zpk"
  },
  "certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIIBdzCCAR2gAwIBAgIBATAKBggqhkjOPQQDAjAgMR4wCQYDVQQGEwJOWjARBgNV\r\nBAMeCgBNAGEAdAB0AHIwHhcNMjExMTAyMjEyMjUwWhcNMjMxMTAyMjEyMjUwWjAg\r\nMR4wCQYDVQQGEwJOWjARBgNVBAMeCgBNAGEAdAB0AHIwWTATBgcqhkjOPQIBBggq\r\nhkjOPQMBBwNCAARNTmsROo63/YbUU2WW2vvxRTFHiU0I7NiqcklwuGf/CrMAk6Et\r\n16aqp0aVFYwkfcDTBskjyh/sN/Uocnxr/M6Zo0gwRjASBgNVHRMBAf8ECDAGAQH/\r\nAgEDMDAGA1UdJQQpMCcGCysGAQQBjjePZQECBgsrBgEEAY43j2UBAQYLKwYBBAGO\r\nN49lAQMwCgYIKoZIzj0EAwIDSAAwRQIhAKXlTF7I3zP6RhOWGvLiFYWRZNcMl3+y\r\n8UCgFkC9UG/dAiBPZQhPE2Q632Eou/YuSKHWXTUAkyjBJivi+OpPS6H+rQ==\r\n-----END CERTIFICATE-----\r\n",
  "certificateFingerprint": "cfa5f6838915bee7df7a11bbcc2594de835bb9ff57455a067d97dcd96456cc27",
  "certificateKid": "cfa5f6838915bee7",
  "certificateData": {
    "notAfter": "2023-11-02T21:22:50.000Z",
    "notBefore": "2021-11-02T21:22:50.000Z",
    "keyUsage": {
      "recovery": true,
      "test": true,
      "vaccination": true
    },
    "country": "NZ"
  }
}
The response includes the resulting self-signed certificate along with its unique id, publicKey, certificatePem, certificateFingerprint, certificateKid and associated metadata (certificateData).
The publicKey and certificatePem returned in the response can be shared with a CSCA, which can then associate the signer with its chain and provide an updated PEM certificate. That PEM certificate represents the chain of trust between the issuing entities, as outlined under the EU DCC trust framework. This step is only required if the issued DCC is to be trusted under that framework.
The id value is used to update the Document signer with a new certificatePem, or to remove it.
What's next?
You can now use the Document signer to sign a DCC.