#KEYMASTER: Why PKI Matters for the Matter IoT Standard

In this episode of #KEYMASTER, Sven Rajala, International PKI Man of Mystery, explores the rapidly growing Matter standard with Guillaume Crinon, Director of IoT Business Strategy, and discusses why its security model represents a fundamental shift for smart home and smart building ecosystems.

Matter is more than just another connectivity protocol. It is an industry-wide effort to harmonize communication between connected devices and establish trust.

Watch video on YouTube

What Is Matter?

Matter is an open standard for smart homes and smart buildings that aims to unify how devices communicate, regardless of brand or ecosystem. It defines a common application layer and protocol that runs over modern IP-based networking technologies such as IPv6, Thread, and 6LoWPAN.

The goal is:

• One shared language for connected devices
• Interoperability across vendors
• Fewer proprietary gateways and apps
• A better, more secure user experience

In many ways, Matter can be seen as the next generation beyond Zigbee and Z-Wave, but with a crucial difference.

From Symmetric Keys to PKI

Traditional smart home protocols like Zigbee and Z-Wave rely primarily on symmetric keys. While effective in constrained environments, symmetric-key systems are difficult to scale securely and are poorly suited for open, interoperable ecosystems.

Matter takes a different approach. Its cybersecurity model is built on PKI and certificates, using asymmetric cryptography throughout the entire manufacturing process, from production to device operation. This makes Matter particularly interesting and important, from a security and identity perspective.

Device Trust Starts at Manufacturing

Every Matter-compliant device is provisioned during manufacturing with a device attestation certificate and a full certificate chain. This chain anchors trust in a Product Attestation Authority (PAA), which is owned and operated by the device manufacturer. For each product family, manufacturers issue certificates via Product Attestation Intermediates (PAIs), which in turn sign the Device Attestation Certificates (DACs) embedded in each device.

These manufacturer PKIs are registered in a shared Distributed Compliance Ledger (DCL), operated by the Connectivity Standards Alliance (CSA). This ledger acts as a global trust reference for Matter.

Secure Commissioning and Validation

When a user brings a new Matter device into their home or building, a commissioner (typically a mobile app, home hub, or service provider system) initiates the onboarding process.

During commissioning:

• The device presents its certificate chain
• The commissioner validates cryptographic signatures
• The chain is checked against the Distributed Compliance Ledger
• Certification results from accredited test labs are verified

This ensures that the device is genuine, certified, and compliant before it is allowed to join the network. Trust is not assumed, it is cryptographically proven.

Operational PKI Inside the Home (and Beyond)

Once a device is commissioned, it joins a Matter fabric, a logical group of trusted devices. At this stage, the commissioner issues Node Operational Certificates (NOCs) to devices, enabling them to authenticate and communicate securely.

These operational certificates are:

• Short-lived
• Used for mutual TLS (mTLS)
• Required for secure, end-to-end encrypted communication

Interestingly, the Matter fabric does not require physical confinement to a single home. It can be distributed, enabling secure communication with external services while maintaining strong identity and trust boundaries.

Who Operates the Operational PKI?

Matter is flexible by design. In some cases, large players (ISPs, telecom operators, home assistant platforms) may operate centralized, highly protected PKI services. Home gateways or hubs may act as proxies to these services. In other cases, smaller deployments or advanced users may run local PKI engines directly in a commissioner device

The security of the entire fabric depends heavily on the quality and protection of the operational PKI, making PKI design and lifecycle management a critical consideration.

Why This Matters (Beyond Smart Homes)

Matter demonstrates something bigger than smart home interoperability. It shows that:

• PKI can scale to consumer environments
• Asymmetric cryptography is becoming the default
• Device identity is foundational, not optional
• Security can be built in without sacrificing usability

By eliminating shared symmetric secrets and enforcing certificate-based trust, Matter sets a new baseline for secure-by-design IoT ecosystems.

Key Takeaways

• Matter is a unifying standard for smart home and smart building devices
• Unlike earlier protocols, Matter is PKI-native
• Device identity is established at manufacturing and verified at onboarding
• Trust is validated using certificate chains and a distributed compliance ledger
• Secure communication relies on mTLS and short-lived operational certificates
• Matter raises the bar for IoT security, interoperability, and trust

Matter doesn’t just connect devices, it connects them securely. By placing PKI at the core of the ecosystem, it points the way forward for the future of connected products.

Learn more

• IoT Solution areas
• IoT How-to guides