The Matter IoT standard specifies a PKI hierarchy for usage by device vendors to issue devices with initial certificates during manufacturing. These initial certificates authenticate and authorize devices to be connected to an operational network when deployed.
There are three types of certificates involved in the vendor PKI:
- Product Attestation Authority (PAA) - A root CA and the Matter root identity of a Vendor. Must be registered into the Distributed Compliance Ledger (DCL).
- Product Attestation Intermediate (PAI) - A subordinate CA and the Matter identity of a specific product reference manufactured by a Vendor. PAI certificates are issued by the PAA.
- Device Attestation Certificate (DAC) - An end-entity X.509 certificate and the Matter unique identity of a device manufactured by a Vendor. DAC certificates are issued by a PAI and injected into the device at manufacturing and associated with a ProductID.
Matter Specific Fields
Matter certificates issued by the CA are X.509 certificates, conformant with RFC5280. The Matter Core Specification lists the fields that must be included, those that must not be included, and those that are optional.
The are two DN attributes that are specific to Matter and that are not used by other use cases: Vendor ID (VID) and Product ID (PID):
- The VID is optional in the PAA for shared PAAs
- The VID is mandatory in the PAI
- The PID is optional in the PAI for shared PAIs
- The VID and PID are mandatory in DACs
Sample PAA and PAI certificates in the Matter Core Specification have a subject DN with CN and VID.
Sample DAC certificates in the Matter Core Specification have a subject DN with CN, VID, and PID.
Create Matter CAs in EJBCA
With EJBCA you can create Product Attestation Authorities (PAAs) and Product Attestation Intermediates (PAIs), and issue Device Attestation Certificates (DACs).
To create a PAA or PAI, create a CA in the normal process of EJBCA and ensure that the profiles are configured to be compliant with the Matter Core Specification. For instructions on how to create CAs in EJBCA, you can follow the Tutorial - Issue Matter IoT-compliant certificates with EJBCA.
- The following shows an example of CA Certificate Data for a PAA:
Note that the PAA is typically an offline CA, while the PAI is an online issuing CA and the PAI must therefore be signed by an External CA.
- The following shows an example of CA Certificate Data for a PAI, signed by an External CA:
To create end entities in order to issue DAC certificates., the VID and PID fields can easily be added to an end entity profile.
- The following shows an example of Subject DN Attributes for an End Entity Profile:
Couple the end entity profile with a corresponding certificate profile, ensuring that the certificate contents follow the Matter specification.
You can issue DACs as standard end entity certificates using manual methods or any of the APIs such as CMP, EST, REST, WS, etc. To improve policy enforcement, you can set a non-modifiable value for the VID for a profile used for a specific product line, and add Validation to the PID field to prevent a product line from issuing malformed PIDs. For more information on creating end entity profiles, see Create end entity profile.
The Matter Core Specification does not mandate any specific validity times.
The Certificate Validity Period (i.e., Certificate operational period and key pair usage period) SHALL be set to the time limits appropriate to the ecosystem, expected device lifetimes, and to cryptographic expectations for protection based on key size, algorithm, and available computational processing.