
Issue CSA Matter certificates

Matter is a standard that seamlessly connects smart home devices. It is developed by the Connectivity Standards Alliance (CSA). With Matter, consumer device manufacturers can simplify device development, while providing consumers with a more friendly and compatible product. To implement Matter in your consumer product, you must be a member of the CSA and complete their certification program.

You can easily add Matter Device Attestation Certificates (DACs) to your device with DigiCert® Device Trust Manager. Our lifecycle management solutions speed up your go-to-market strategy while ensuring your devices meet the Matter protocol, regardless of your production volume or device use case.

DigiCert® is a member of the CSA and operates an approved, non-vendor ID Product Attestation Authority (PAA) root for Matter. As a PAA, DigiCert® provides CSA members with Product Attestation Intermediate (PAI) certificates and Device Attestation Certificates (DACs), which are needed for Matter compliance. DigiCert® can also provide test DACs during your development phase.

To learn more or request a demo, visit:

Before you begin

Before you can issue Matter DACs in DigiCert® Device Trust Manager, work with your DigiCert® account representative to initialize your account for Matter. As part of this process, a DigiCert® system administrator will:

In DigiCert® Private CA:

  • Issue a Product Attestation Intermediate (PAI) for the CSA member from DigiCert’s Product Attestation Authority (PAA) root.

    • For production deployments, DigiCert will issue the PAI from the production DigiCert PAA root (CN=DigiCert Root CA for MATTER PKI G1), which is registered in the CSA Distributed Compliance Ledger (DCL).

    • Optionally, for testing purposes, DigiCert can issue the PAI from the test DigiCert PAA root (CN=DigiCert TEST Root CA for MATTER PKI) registered in the DCL at https://testnet.iotledger.io/pki.

  • The PAI contains the member’s CSA vendor ID. A product ID in the PAI is optional.

  • Enable Certificate Revocation List (CRL) support on the member’s PAI. This is required as of Matter version 1.3 (section 6.2.4).

In DigiCert® Account Manager:

  • Add the needed license files. All Device Trust Manager subscription plans support issuing CSA Matter DACs.

  • Create your primary DigiCert ONE account.

  • Create your primary organization.

In Device Trust Manager:

  • The system certificate template called Matter Standard Certificate Template is cloned to create a custom template for your account.

Note

Contact your DigiCert® account representative if you are missing any of the above.

Additionally, ensure your company’s DigiCert ONE Account admin has provided you with a user account that has the Solution Administrator role in Device Trust Manager.

Note

DigiCert hosts the DigiCert CSA Matter PAA and all PAIs in the US region.

  1. Sign in to DigiCert ONE as a Solution Administrator.

  2. In DigiCert ONE, in the Manager menu (grid at top right), select Device Trust.

Create a certificate profile

  1. In the Device Trust Manager menu, select Certificate management > Certificate profiles.

  2. Click Create certificate profile.

  3. Enter a Name for the certificate profile.

  4. Under Template, select the Matter Standard Certificate Template that was cloned for your account.

  5. Scroll down to the Value Sources section of the Vendor Identifier.

  6. Set the Value Sources for your Vendor Identifier.

    Your CSA-assigned Vendor ID (VID) is a 16-bit identifier written as four capitalized hexadecimal digits. Your organization’s VID can be found at https://webui.dcl.csa-iot.org/vendors.

    For example, you can set a default value. A VID of 257 (decimal) is entered as 0101 (hexadecimal).

  7. Scroll down to the Value Sources section of the Product Identifier.

  8. Set the Value Sources for your Product Identifier.

    Your Product ID (PID) is a 16-bit identifier written as four capitalized hexadecimal digits.

    For example, you can set a default value. A PID of 59905 (decimal) is entered as EA01 (hexadecimal).

  9. Optionally, provide information for subject fields such as Common Name, Organization, and Organization Unit.

  10. Click Create.

Create a certificate management policy

  1. In the Device Trust Manager menu, select Certificate management > Certificate management policies > Create certificate management policy.

  2. Enter a Name for the certificate management policy.

  3. Choose a Division to assign the policy to.

  4. Under Select the certificate management model, choose Policy will be used for certificate issuance only. Requires an Essentials license.

  5. Under Certificate management methods, choose the certificate management method that this policy will support.

    For detailed information on available certificate management methods, see Create a certificate management policy.

  6. Select an Authentication policy if required.

    Note

    • If you are using EST, CMPv2, SCEP, or ACME, you must select an authentication policy to allow devices to authenticate using a passcode or an authentication certificate.

    • If you are using portal and REST API certificate management methods, selecting an authentication policy is optional if you intend to use an API key or a certificate in Account Manager for authentication.

  7. Click Next to proceed to the certificate settings.

  8. Under Certificate settings:

    1. Select End entity certificate profile and choose the profile you created above.

    2. Select Issuing CA and choose your Product Attestation Intermediate (PAI) that will issue Device Attestation Certificates (DAC).

  9. Set the Keypair generation preferences.

  10. Click Next to proceed to the certificate management method settings.

  11. Under Certificate management method settings, complete configuring each issuance method to meet your requirements.

  12. Click Finish.

To support revocation, the Certificate Revocation List (CRL) must be enabled on each PAI, and its CRL information must be published in the CSA’s Distributed Compliance Ledger (DCL), as required by CSA Matter v1.3. CSA members must publish their PAI CRL information to the DCL using their own CSA member login; DigiCert® cannot do this on your behalf.

  1. Sign in to DigiCert® ONE as an Account Administrator.

  2. In DigiCert ONE, in the Manager menu (grid at top right), select CA Manager.

  3. Under Manage CAs > Intermediates, select your PAI to view its details.

  4. Scroll down to the CRL configuration section and copy the CRL URL. For example, a URL under crl.one.digicert.com.

  5. Sign in to the CSA DCL by navigating to https://webui.dcl.csa-iot.org/ using your member login.

    Contact CSA if you do not have an account or cannot sign in.

  6. Select PKI > PKI Revocation Distribution Point > Add Revocation Distribution Point.

  7. Complete all the required fields.

    For more information on these fields, see the PKI Revocation Distribution Point Schema in Matter v1.3 (section 11.23.8).

    1. Issuer Subject Key ID: The subject key identifier from the PAI certificate. For example, 115045193344599B4665D459FD3A15F1C116EEBF

    2. Is PAA: false

    3. CRL Signer Certificate: The PAI certificate encoded in X.509v3 PEM format.

      The PAI signs the revocation information that is provided in the distribution point entry.
    4. DataURL: The CRL URL copied from CA Manager, of the form http://crl.one.digicert.com/<name>.crl. For example, if the common name of the PAI certificate is Contoso PAI, then the DataURL is http://crl.one.digicert.com/ContosoPAI.crl

    5. Revocation Type: 1

  8. Submit the form.

  9. After the CSA has accepted and published the CRL to the DCL, anyone can view the CRL without the need to log in. You can navigate to https://webui.dcl.csa-iot.org/, select PKI from the navigation bar, and search for the CRL.

    Note

    The CRL URL is not included in the DAC because it increases the size of the DAC.

Once you set up your account and publish the PAI CRL to the Distributed Compliance Ledger, you can request and receive Matter certificates using Device Trust Manager.

Note

When creating a CSR for a Matter DAC, ensure the VID and PID values are 16-bit identifiers in capitalized hexadecimal format.
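The VID/PID formatting rule in this note and the Revocation Distribution Point fields from the section above, as an added Python example (not DigiCert's or the CSA's own code). The entry's key names and the sample PEM are assumptions or constructed; the example SKI is the one quoted on this page.

```python
import re

HEX16 = re.compile(r"[0-9A-F]{4}")           # the exact form a profile or CSR expects
CRL_BASE = "http://crl.one.digicert.com/"   # base of the CRL URL copied from CA Manager

# Constructed placeholder, not a real certificate.
SAMPLE_PAI_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBPLACEHOLDERBODYNOTAREALCERTIFICATE\n"
    "-----END CERTIFICATE-----\n"
)

def matter_id_hex(value):
    """Normalise a CSA VID or PID to the 4-digit uppercase hex Matter expects.
    Accepts an int (257) or a hex string ("0101", "0x0101", "ea01")."""
    if isinstance(value, str):
        s = value.strip()
        s = s[2:] if s[:2].lower() == "0x" else s
        if not re.fullmatch(r"[0-9A-Fa-f]{1,4}", s):
            raise ValueError(f"not a 16-bit hex identifier: {value!r}")
        n = int(s, 16)
    else:
        n = int(value)
    if not 0 <= n <= 0xFFFF:
        raise ValueError(f"identifier out of 16-bit range: {value!r}")
    return f"{n:04X}"

def is_matter_id(text):
    """Strict check: exactly four uppercase hex digits, as required in the CSR."""
    return bool(HEX16.fullmatch(text))

def pai_crl_data_url(pai_common_name):
    """Build the DataURL the page describes: CN 'Contoso PAI' -> .../ContosoPAI.crl."""
    return CRL_BASE + pai_common_name.replace(" ", "") + ".crl"

def revocation_point_entry(pai_common_name, pai_ski_hex, pai_pem):
    """Assemble and sanity-check the DCL Revocation Distribution Point fields for a PAI.
    The dict keys are assumed names for the form fields, not the DCL's schema keys."""
    ski = pai_ski_hex.replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", ski):       # a 160-bit key identifier
        raise ValueError("Issuer Subject Key ID must be 20 bytes of hex")
    pem = pai_pem.strip()
    if not (pem.startswith("-----BEGIN CERTIFICATE-----")
            and pem.endswith("-----END CERTIFICATE-----")):
        raise ValueError("CRL Signer Certificate must be PEM-encoded X.509")
    return {
        "issuerSubjectKeyID": ski,
        "isPAA": False,                 # the signer is the PAI, never the PAA
        "crlSignerCertificate": pem,
        "dataURL": pai_crl_data_url(pai_common_name),
        "revocationType": 1,
    }
```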

You can request a certificate using any method supported by the Device Trust Manager, such as:

Follow these instructions if you encounter problems using the Matter Test Harness or the chip-tool from GitHub.

  • Set up the Test Matter DCL

    You must set up the Test Matter DCL for your product. Without this, you can’t commission your device on ecosystems like Apple Home if you’re using certificates outside the default Matter SDK test set.

  • Chip-tool and PAA Root certificates

    By default, the chip-tool doesn’t check for PAA Root certificates (other than the ones it creates itself). To make it check, you must pass a parameter.

    Below is an example command:

    sudo ./chip-tool interactive start --paa-trust-store-path /var/paa-root-certs

    Replace the /var/paa-root-certs with the path to the folder that holds the PAA certificates you want it to use.

  • Test Harness and PAA Root certificates

    In the Test Harness, you must enable a setting so it reads PAA Root certificates.

    Open your project configuration and set the below parameter:

    "chip_use_paa_certs": true