This overview introduces the process of creating Certificate Authorities (CAs) for the following Matter IoT use cases:

  • Matter Vendor PKI: Used by device manufacturers, Vendor PKI establishes device trustworthiness by issuing Device Attestation Certificates (DACs) during manufacturing. These DACs authenticate a device’s origin, enabling secure onboarding into a Matter network.

  • Matter Operational PKI: Used by network operators, Operational PKI enables secure device interactions within an operational Matter network, or "Fabric." Through Node Operational Certificates (NOCs), devices gain a unique identity within the Fabric, supporting secure communications and network-wide authentication.

Each PKI framework plays a distinct role: Vendor PKI ensures device authenticity, while Operational PKI supports ongoing secure interactions between devices within a Fabric.

Review the following guides to learn how to configure CAs for Vendor and Operational PKIs, ensuring the integrity and security of your Matter IoT environment.

  • Create CAs for Matter Vendor PKI: This guide provides instructions for creating and managing Vendor PKI CAs, including Product Attestation Authorities (PAAs) and Product Attestation Intermediates (PAIs). It covers Matter-compliant Device Attestation Certificate (DAC) issuance and the configuration of profiles in EJBCA to secure devices during manufacturing.
  • Create CAs for Matter Operational PKI: This guide details the process of creating Operational PKI CAs, including Root and Intermediate CAs, to issue Node Operational Certificates (NOCs) for Matter devices. The guide also includes examples for configuring NOCs with attributes like node ID and fabric ID, supporting secure device interaction within a Matter Fabric.