Create a Document Signer Certificate
MATTR VII uses Document Signer Certificates (DSCs) to digitally sign Mobile Security Objects (MSOs) in Mobile Credentials. The DSC itself must be issued and signed by the root certificate, which is the Issuing Authority Certificate Authority (IACA).
A single MATTR VII tenant can have multiple DSCs, signed by the same IACA. Different DSCs can have the same or different validity and activation status.
To sign Mobile Credentials, a valid and active DSC must be used. If there are multiple valid and active DSCs on the tenant and one isn’t explicitly specified in your sign request, the most recently created or modified one is used to sign the Mobile Credential by default.
Make the following request to create a new document signer:
Request
POST /v2/credentials/mobile/documentsigners
{
  "active": true,
  "commonName": "MATTR DSC"
}
active: This field is required and defines the status of the DSC being created. Only active DSCs can be used to sign Mobile Credentials.
commonName: This optional parameter indicates the common name of the DSC certificate. If specified, the value must be a valid PrintableString. If not provided, the tenant subdomain is used.
Response
{
  "id": "e7ffdcb3-be6b-4476-a1a9-bbb92db1bc0f",
  "publicKeyJwk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "3roTNEegJH4Y3QNRDCfBe8K0_rBYL8FoYvyJEaDSYWI",
    "y": "ZXvaLVjQIHJHAUcWR5jPcYBLkdQPum4h5i0EJ1iYxx4"
  },
  "certificatePem": "-----BEGIN CERTIFICATE-----\\r\\nMIIB7zCCAZWgAwIBAgIKVvisuUgAu633uzAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\\r\\nEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwHhcNMjMwODA4MDAwOTIxWhcNMjQwODAy\\r\\nMDAwOTIxWjAfMR0wCQYDVQQGEwJOWjAQBgNVBAMTCU1BVFRSIERTQzBZMBMGByqG\\r\\nSM49AgEGCCqGSM49AwEHA0IABN66EzRHoCR+GN0DUQwnwXvCtP6wWC/BaGL8iRGg\\r\\n0mFiZXvaLVjQIHJHAUcWR5jPcYBLkdQPum4h5i0EJ1iYxx6jgbcwgbQwEgYDVR0T\\r\\nAQH/BAgwBgEB/wIBAzAdBgNVHQ4EFgQU1fqFUtZavQ4hgjh8AyjJpJeEWuswHwYD\\r\\nVR0jBBgwFoAUjjXBxoeCHztXWKK0abLha7Pn/EgwDgYDVR0PAQH/BAQDAgCAMBwG\\r\\nA1UdEQQVMBOBEWluZm9AbWF0dHIuZ2xvYmFsMBwGA1UdEgQVMBOBEWluZm9AbWF0\\r\\ndHIuZ2xvYmFsMBIGA1UdJQQLMAkGByiBjF0FAQIwCgYIKoZIzj0EAwIDSAAwRQIg\\r\\nKwQAsGozvv4zzNN8nbDI7aCfWA14e9JxsbveD5nRgTMCIQCE7h9AxvYAMpP+iyS/\\r\\nX9cZo87CcUTOJSU7Am2Y7WEDfg==\\r\\n-----END CERTIFICATE-----\\r\\n",
  "certificateFingerprint": "f6cad6e579d70b3973efa60624af731a580d1a11a7579e70f2f10f059dc86172",
  "certificateData": {
    "notAfter": "2024-08-02T00:09:21.000Z",
    "notBefore": "2023-08-08T00:09:21.000Z",
    "commonName": "MATTR DSC",
    "country": "NZ"
  }
}
id: Each DSC created on MATTR VII has a unique identifier, which must be provided when using this DSC to sign a Mobile Credential.
publicKeyJwk: The DSC public key in JWK format.
certificatePem: The certificate in PEM format.
certificateFingerprint: DSC hash that includes all certificate data and its signature.
certificateData: Key details of the created DSC:
  notAfter: DSC expiry date. Cannot be later than the notAfter of the IACA used to sign the DSC.
  notBefore: DSC creation date. Cannot be earlier than the notBefore date of the IACA used to issue the DSC.
  commonName: DSC name.
  country: Country of the IACA’s issuer.
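A client-side consistency check over the fields of this response, as an added example that is not MATTR's code. It assumes certificateFingerprint is the SHA-256 of the DER-encoded certificate (the page only describes it as a hash), uses hypothetical helper names (check_dsc, constructed_response), and runs on constructed stand-in bytes rather than a real certificate. The key check is a byte-level search for the uncompressed EC point, not full X.509 parsing.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

def _b64url(s):
    # JWK coordinates are unpadded base64url
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _ts(s):
    # Timestamps in the response are ISO 8601 with a trailing "Z"
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def pem_to_der(pem):
    # Drop the BEGIN/END lines and all whitespace (the API uses CRLF separators)
    body = re.sub(r"-----[A-Z ]+-----|\s", "", pem)
    return base64.b64decode(body, validate=True)

def check_dsc(resp, now, iaca):
    """resp: parsed DSC response; iaca: dict with the IACA's notBefore/notAfter."""
    der = pem_to_der(resp["certificatePem"])
    jwk, data = resp["publicKeyJwk"], resp["certificateData"]
    # An uncompressed P-256 point is embedded in the certificate as 0x04 || X || Y
    point = b"\x04" + _b64url(jwk["x"]) + _b64url(jwk["y"])
    nb, na = _ts(data["notBefore"]), _ts(data["notAfter"])
    return {
        # Assumption: fingerprint = SHA-256 over the DER certificate
        "fingerprint_matches":
            hashlib.sha256(der).hexdigest() == resp["certificateFingerprint"].lower(),
        "jwk_matches_cert": len(point) == 65 and point in der,
        "currently_valid": nb <= now <= na,
        # The DSC validity window must sit inside the IACA's window
        "within_iaca_window": _ts(iaca["notBefore"]) <= nb and na <= _ts(iaca["notAfter"]),
    }

def constructed_response():
    # Constructed stand-in bytes, NOT a real certificate: just enough to exercise the checks
    x, y = bytes(range(32)), bytes(range(32, 64))
    der = b"\x30\x50" + b"\x04" + x + y + b"\x00" * 8
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    pem = ("-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(der).decode()
           + "\r\n-----END CERTIFICATE-----\r\n")
    return {"publicKeyJwk": {"kty": "EC", "crv": "P-256", "x": enc(x), "y": enc(y)},
            "certificatePem": pem,
            "certificateFingerprint": hashlib.sha256(der).hexdigest(),
            "certificateData": {"notBefore": "2023-08-08T00:09:21.000Z",
                                "notAfter": "2024-08-02T00:09:21.000Z"}}
```

A result with any False value means the stored DSC record should not be trusted or used for signing until the mismatch is explained.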
What's Next?
Now that you have an IACA and a DSC, you need to create a new Mobile Credential Configuration before you can issue Mobile Credentials. Refer to Create a Mobile Credential Configuration for step-by-step instructions.