Get started with certificates for Matter IoT

For OEMs and product developers, in general, interested in exploring Public Key Infrastructure (PKI) and Certificate Authority (CA) solutions for implementing support for Matter IoT-compliant certificates, EJBCA will offer a hassle-free option to initiate the journey.

Keyfactor is a member of the Connectivity Standards Alliance

In the Matter IoT specification, certificates are used to implement unique identities to ensure that only authenticated and certified devices can join the network.

With EJBCA PKI, you can issue Matter IoT-compliant certificates for your smart home products. We provide EJBCA Community and free Enterprise trials that offer a solid foundation for you to begin your certificate journey for Matter IoT devices. Remember to keep up with the latest PKI Certificate policy to maintain compliance and stay up to date.

How to get started

As an engineer, you can use our how-to guide and tutorial video to start testing EJBCA PKI for your Matter IoT devices today and configure EJBCA PKI for issuing certificates at various levels within the hierarchy. Follow our step-by-step instructions, and you will have an EJBCA instance and Matter IoT certificates for your test devices in no time.

In this tutorial, we will show you how to create a complete Matter IoT PKI and issue a certificate for the device:

Root CA - Product Attestation Authority (PAA): Root CA that signs the certificates of the Product Attestation Intermediate (PAI).
Sub CA - Product Attestation Intermediate (PAI): Sub CA that issues Device Attestation Certificates (DACs).
End Entity - Device Attestation Certificate (DAC): Matter standardized certificates issued for the IoT devices.

Prerequisites

Before you begin, you need the following:

Docker running in the background.
Additionally, OpenSSL is required to generate a key pair and a CSR.

Please note: We have opted for SoftHSM in this environment for testing purposes and convenience. However, it is crucial to underscore that when moving to a production deployment, a Hardware Security Module (HSM) becomes imperative for securing the PAA and PAI signing keys. For additional details, please see the Connectivity Standard Alliance PKI Certificate Policy.

Documentation

Tutorials/documentation

Documentation

Check out the supplementary documentation that goes hand-in-hand with our tutorial video.

Documentation

Docker Hub

Get your hands on the EJBCA Docker container by downloading it now from Docker Hub.

Docker Hub

YouTube

Take a peek at our tutorial video on YouTube, and browse through some of our other videos as well.

YouTube tutorials

Discuss

You can ask your questions and learn from PKI specialists in the EJBCA forum on GitHub Discussions.

Engage with us on GitHub

What's the next step in this journey?

After successful experimentation, here is where you can learn more about Keyfactor's approach to Identity-first security for Consumer IoT and Smart Home Security.

Go to keyfactor.com

Related open-source projects

Open-source signing software

Try SignServer for digital signing for code, documents, timestamps, and more. SignServer is a digital signing engine, making it easy for teams to automate signing workflows and support all of their signing formats and use cases.

Open-source cryptographic APIs

Bouncy Castle is one of the most widely used FIPS-certified open-source cryptographic APIs for Java and C#, allowing developers to integrate PKI security into their applications easily.