
Issuing CSA Matter certificates

Matter is a standard that seamlessly connects smart home devices. It is developed by the Connectivity Standards Alliance (CSA). With Matter, consumer device manufacturers can simplify device development, while providing consumers with a more friendly and compatible product. To implement Matter in your consumer product, you must be a member of the CSA and complete their certification program.

You can easily add Matter Device Attestation Certificates (DACs) to your device with DigiCert® Device Trust Manager. Our lifecycle management solutions speed up your go-to-market strategies, while ensuring your devices meet the Matter protocol, regardless of your production volume or device use case.

DigiCert® is a member of the CSA and operates an approved, non-vendor ID Product Attestation Authority (PAA) root for Matter. DigiCert®, as a PAA, provides CSA members with Product Attestation Intermediate (PAI) and Device Attestation Certificates (DACs). These are needed for Matter compliance. DigiCert® can also provide test DACs during your development phase.

To learn more or request a demo, visit:

Before you begin

Before you can issue Matter DACs in DigiCert® Device Trust Manager, work with your DigiCert® account representative to initialize your account for Matter. As part of this process, a DigiCert® system administrator will:

In DigiCert® CA Manager:

  • Issue a Product Attestation Intermediate (PAI) for the CSA member from DigiCert’s Product Attestation Authority (PAA) root.

    • The PAI contains the member’s CSA vendor ID. A product ID in the PAI is optional.

  • Enable Certificate Revocation List (CRL) support on the member’s PAI. This is required as of Matter version 1.3 (section 6.2.4).

In DigiCert® Account Manager:

  • Add the needed license files. All Device Trust Manager subscription plans support issuing CSA Matter DACs.

  • Create your primary DigiCert ONE account administrator.

  • Create your primary DigiCert ONE Account and Organization.

In DigiCert® Device Trust Manager:

A system Certificate template, called Matter Standard Certificate Template, will be copied to create a custom template for you.

Note

Contact your DigiCert® account representative if you are missing any of the above.

Publishing the revocation list in the DCL

To support revocation, the Certificate Revocation List (CRL) must be enabled on each PAI, and it must be published in the CSA’s Distributed Compliance Ledger (DCL), as required by CSA Matter v1.3. CSA members must publish their PAI CRL information to the DCL using their CSA member login; DigiCert® cannot do this on your behalf.

  1. Sign in to DigiCert ONE as an account administrator.

  2. On DigiCert ONE, in the Manager menu (grid at top right), select CA Manager.

  3. Under Manage CAs > Intermediates, select your PAI to view its details.

  4. Scroll down to the CRL configuration section and copy the CRL URL. For example, crl.one.digicert.com

  5. Sign in to the CSA DCL by navigating to https://webui.dcl.csa-iot.org/ using your member login.

    Contact CSA if you do not have an account or cannot sign in.

  6. Select PKI > PKI Revocation Distribution Point > Add Revocation Distribution Point.

  7. Complete all the required fields.

    For more information on these fields, see the PKI Revocation Distribution Point Schema in Matter v1.3 (section 11.23.8).

    1. Issuer Subject Key ID: The subject key identifier from the PAI certificate. For example, 115045193344599B4665D459FD3A15F1C116EEBF

    2. Is PAA: false

    3. CRL Signer Certificate: The PAI certificate encoded in X.509v3 PEM format.

      The PAI signs the revocation information that is provided in the distribution point entry.

    4. DataURL: http://crl.one.digicert.com/<PAI common name>.crl, with the spaces removed from the common name. For example, if the common name of the PAI certificate is Contoso PAI, then the DataURL is http://crl.one.digicert.com/ContosoPAI.crl

    5. Revocation Type: 1

  8. Submit the form.

  9. After the CSA has accepted and published the CRL to the DCL, anyone can view the CRL without the need to log in. You can navigate to https://webui.dcl.csa-iot.org/, select PKI from the navigation bar, and search for the CRL.

    Note

    The CRL URL is not included in the DAC because it would increase the size of the DAC.
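As an added example (not DigiCert’s code and not part of the original page), the following stdlib-only Python script reads the subject key identifier and common name out of a PAI certificate and assembles the distribution point fields listed in step 7, applying the DataURL pattern from the Contoso PAI example. The PAI it parses is a constructed, unsigned stand-in built in the script; feed `dcl_revocation_point()` your real PAI PEM to get the values to enter in the DCL form.

```python
import base64, re

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def pai_fields(pem):
    """Return (subject commonName, subjectKeyIdentifier bytes) of a PEM certificate."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    tbs = [e for e in _children(_children(der)[0][1]) if e[0] != 0xA0]  # tbsCertificate minus [0] version
    cn = skid = None
    for _, rdn in _children(tbs[4][1]):            # subject: SEQUENCE OF SET OF AttributeTypeAndValue
        (_, oid), (_, val) = _children(_children(rdn)[0][1])
        if oid == b"\x55\x04\x03":                 # id-at-commonName
            cn = val.decode()
    for _, ext in _children(_children(tbs[6][1])[0][1]):  # [3] EXPLICIT Extensions
        parts = _children(ext)
        if parts[0][1] == b"\x55\x1d\x0e":         # id-ce-subjectKeyIdentifier
            skid = _children(parts[-1][1])[0][1]   # OCTET STRING nested in extnValue
    return cn, skid

def dcl_revocation_point(pai_pem, crl_host="crl.one.digicert.com"):
    """Build the DCL 'Add Revocation Distribution Point' entry for a PAI."""
    cn, skid = pai_fields(pai_pem)
    return {"issuerSubjectKeyID": skid.hex().upper(),   # hex string, as in the DCL form
            "isPAA": False,                            # a PAI is never a PAA
            "crlSignerCertificate": pai_pem.strip(),   # the PAI itself signs the CRL
            "dataURL": f"http://{crl_host}/{cn.replace(' ', '')}.crl",
            "revocationType": 1}

# Constructed, unsigned stand-in for a PAI (not a real DigiCert certificate): only the
# subject CN "Contoso PAI" and a 20-byte SKID are meaningful; the other fields are empty.
def _der(tag, body):                                   # short-form DER only (body < 128 bytes)
    return bytes([tag, len(body)]) + body
def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
_EXTS = _der(0xA3, _der(0x30, _der(0x30, _der(0x06, b"\x55\x1d\x0e") + _der(0x04, _der(0x04, bytes(range(0x10, 0x24)))))))
_TBS = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _name("Contoso PAA")
        + _der(0x30, b"") + _name("Contoso PAI") + _der(0x30, b"") + _EXTS)
SAMPLE_PAI_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(
    _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))).decode() + "-----END CERTIFICATE-----\n")
```

The SKID is taken from the certificate’s own extension rather than recomputed, so the value matches what the DCL checks against the PAI you upload.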

Issuing DACs

Once you set up your account and publish the PAI CRL to the Distributed Compliance Ledger, you can begin issuing DACs to devices using the Device Trust Manager.

You can issue DACs to devices using any method supported by the Device Trust Manager for certificate issuance, such as:

  • Device Trust Manager Portal UI for single or batch certificates.

  • EST

  • SCEP

  • CMPv2

  • ACME

  • REST APIs

Issuing test DACs

To issue test DACs, DigiCert provides a test Matter root (PAA) at demo.one.digicert.com. You can use this to create a test PAI and issue test DACs. Contact your DigiCert ONE account representative if you are interested in issuing test DACs.

Publication date: