Create a document signer


To issue a DCC through the MATTR DCC extension you first need to create a document signer that can be used to sign a DCC payload.

The document signer certificate contains the private key, which is created and stored in the MATTR KMS, to then be used in any sign operations on the DCC extension under your tenant.

The trust model used by the EUDCC format, and supported by the MATTR DCC extension, consists of a list of Country Signing Certificate Authorities (CSCA) that sign Document Signer Certificates (DSC).
This tutorial takes you through the creation and potential association to this trust model.

For more information on the EUDCC trust model, please see the certificate specification used by the EUDCC.


You need the following in order to proceed with this tutorial:

  • Access to the MATTR VII APIs.

Contact us prior to uploading any PEM Certificates that represent an association to a CSCA so that we can discuss the appropriate key management policy MATTR can implement for your tenant.

Create a Document Signer by invoking the API as follows.


Copy to clipboard.
1POST https://YOUR_TENANT_URL/ext/dcc/v1/documentsigners

This request will create a self-signed certificate (private-public key pair) that can be used as the basis to sign a DCC. The private key generated as part of this operation will be stored in the MATTR KMS.

The associated publicKey and certificatePEM made available in the response can be shared with a CSCA to then associate and provide an updated PEM certificate. The PEM certificate represents the chain of trust between the issuing entities, as outlined under the EUDCC trust framework.
This step is only required if the issued DCC is to be trusted under this framework.


Copy to clipboard.
2    "id": "f83550d7-8e01-4948-b311-63a44d6b2f13",
3    "publicKey": {
4        "kty": "EC",
5        "crv": "P-256",
6        "x": "TU5rETqOt_2G1FNlltr78UUxR4lNCOzYqnJJcLhn_wo",
7        "y": "swCToS3XpqqnRpUVjCR9wNMGySPKH-w39ShyfGv8zpk"
8    },
10    "certificateFingerprint": "cfa5f6838915bee7df7a11bbcc2594de835bb9ff57455a067d97dcd96456cc27",
11    "certificateKid": "cfa5f6838915bee7",
12    "certificateData": {
13        "notAfter": "2023-11-02T21:22:50.000Z",
14        "notBefore": "2021-11-02T21:22:50.000Z",
15        "keyUsage": {
16            "recovery": true,
17            "test": true,
18            "vaccination": true
19        },
20        "country": "NZ"
21    }

The response will include the resulting self-signed certificate along with its unique id, publicKey, certificatePEM, certificateKid and associated metadata (certificateData).

The newly created certificate can be updated, with a new certificatePEM, or removed using the id value from the above response.