Create a DCC Document signer

To issue a DCC through you must first create a Document signer that can sign a DCC payload.

The Document signer is a certificate that contains a private-private key pair. The private key is stored in the MATTR Key Management System (KMS) and used in any sign operations by your tenant's DCC extension.


  • Access to MATTR VII APIs. If you’re experiencing any difficulties, contact us.

Contact us prior to uploading any PEM Certificates that represent an association to a CSCA so that we can discuss the appropriate key management policy MATTR can implement for your tenant.


Make the following request to create a Document signer:

Copy to clipboard.
1POST https://YOUR_TENANT_URL/ext/dcc/v1/documentsigners


Copy to clipboard.
2    "id": "f83550d7-8e01-4948-b311-63a44d6b2f13",
3    "publicKey": {
4        "kty": "EC",
5        "crv": "P-256",
6        "x": "TU5rETqOt_2G1FNlltr78UUxR4lNCOzYqnJJcLhn_wo",
7        "y": "swCToS3XpqqnRpUVjCR9wNMGySPKH-w39ShyfGv8zpk"
8    },
10    "certificateFingerprint": "cfa5f6838915bee7df7a11bbcc2594de835bb9ff57455a067d97dcd96456cc27",
11    "certificateKid": "cfa5f6838915bee7",
12    "certificateData": {
13        "notAfter": "2023-11-02T21:22:50.000Z",
14        "notBefore": "2021-11-02T21:22:50.000Z",
15        "keyUsage": {
16            "recovery": true,
17            "test": true,
18            "vaccination": true
19        },
20        "country": "NZ"
21    }

The response includes the self-signed certificate along with its unique id, publicKey, certificatePEM, certificateKid and associated metadata (certificateData).

The associated publicKey and certificatePEM made available in the response can be shared with a CSCA to then associate and provide an updated PEM certificate. The PEM certificate represents the chain of trust between the issuing entities, as outlined under the EUDCC trust framework. This step is only required if the issued DCC is to be trusted under this framework.

The id value can be used to retrieve the Document signer, update it with a new certificatePEM, or remove it.

What's next?

You can now use the Document signer to sign a DCC.