Create a DSC
Sovrin API uses Document Signer Certificates (DSCs) to digitally sign Mobile Security Objects (MSO) in Mobile Credentials. The DSC itself must be issued and signed by the root certificate, which is the Issuing Authority Certificate Authority (IACA). Refer to chain of trust for more information.
A single Sovrin API tenant can have multiple DSCs, signed by the same IACA. Different DSCs can have the same or different validity and activation status.
To sign Mobile Credentials, a valid and active DSC must be used. If there are multiple valid and active DSCs on the tenant and one isn’t explicitly specified in the sign request, the most recently created or modified one is used to sign the Mobile Credential by default.
Request
Make the following request to create a new document signer:
POST /v2/credentials/mobile/documentsigners
{
  "active": true,
  "commonName": "Sovrin DSC"
}
- active: This required parameter defines the status of the created DSC. Only active DSCs can be used to sign Mobile Credentials.
- commonName: This optional parameter indicates the common name of the DSC certificate. When specified, the value must be a valid PrintableString. If not provided and a custom domain is configured and verified, the custom domain is used. If no custom domain is configured, the tenant subdomain is used.
Response
{
  "id": "e7ffdcb3-be6b-4476-a1a9-bbb92db1bc0f",
  "publicKeyJwk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "3roTNEegJH4Y3QNRDCfBe8K0_rBYL8FoYvyJEaDSYWI",
    "y": "ZXvaLVjQIHJHAUcWR5jPcYBLkdQPum4h5i0EJ1iYxx4"
  },
  "certificatePem": "-----BEGIN CERTIFICATE-----\\r\\nMIIB7zCCAZWgAwIBAgIKVvisuUgAu633uzAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\\r\\nEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwHhcNMjMwODA4MDAwOTIxWhcNMjQwODAy\\r\\nMDAwOTIxWjAfMR0wCQYDVQQGEwJOWjAQBgNVBAMTCU1BVFRSIERTQzBZMBMGByqG\\r\\nSM49AgEGCCqGSM49AwEHA0IABN66EzRHoCR+GN0DUQwnwXvCtP6wWC/BaGL8iRGg\\r\\n0mFiZXvaLVjQIHJHAUcWR5jPcYBLkdQPum4h5i0EJ1iYxx6jgbcwgbQwEgYDVR0T\\r\\nAQH/BAgwBgEB/wIBAzAdBgNVHQ4EFgQU1fqFUtZavQ4hgjh8AyjJpJeEWuswHwYD\\r\\nVR0jBBgwFoAUjjXBxoeCHztXWKK0abLha7Pn/EgwDgYDVR0PAQH/BAQDAgCAMBwG\\r\\nA1UdEQQVMBOBEWluZm9AbWF0dHIuZ2xvYmFsMBwGA1UdEgQVMBOBEWluZm9AbWF0\\r\\ndHIuZ2xvYmFsMBIGA1UdJQQLMAkGByiBjF0FAQIwCgYIKoZIzj0EAwIDSAAwRQIg\\r\\nKwQAsGozvv4zzNN8nbDI7aCfWA14e9JxsbveD5nRgTMCIQCE7h9AxvYAMpP+iyS/\\r\\nX9cZo87CcUTOJSU7Am2Y7WEDfg==\\r\\n-----END CERTIFICATE-----\\r\\n",
  "certificateFingerprint": "f6cad6e579d70b3973efa60624af731a580d1a11a7579e70f2f10f059dc86172",
  "certificateData": {
    "notAfter": "2024-08-02T00:09:21.000Z",
    "notBefore": "2023-08-08T00:09:21.000Z",
    "commonName": "Sovrin DSC",
    "country": "NZ"
  }
}
- id: Each DSC created on Sovrin API will have a unique identifier which must be provided when using this DSC to sign a Mobile Credential.
- publicKeyJwk: JWK format of the DSC public key.
- certificatePem: Certificate PEM format.
- certificateFingerprint: DSC hash that includes all certificate data and its signature.
- certificateData: Key details of the created DSC:
  - notAfter: DSC expiry date. Cannot be later than the notAfter of the IACA used to sign the DSC.
  - notBefore: DSC creation date. Cannot be earlier than the notBefore date of the IACA used to issue the DSC.
  - commonName: DSC name, as set in the request above.
  - country: Country of the IACA’s issuer.
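One way to sanity-check the response fields described above before using the new DSC for signing, as an added example that is not Sovrin's own code. The function names and problem labels are hypothetical, the IACA validity dates are supplied by the caller, and the fingerprint is assumed to be the hex SHA-256 of the DER-encoded certificate.

```python
import base64
import hashlib
from datetime import datetime


def _b64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _ts(s):
    # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def pem_to_der(pem):
    # Accept real CR/LF as well as literal "\r\n" escape text in the string.
    text = pem.replace("\\r", "").replace("\\n", "\n")
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def check_dsc(resp, iaca_not_before, iaca_not_after, now):
    """Return problem labels for a create-DSC response; an empty list means OK."""
    problems = []
    der = pem_to_der(resp["certificatePem"])
    jwk = resp["publicKeyJwk"]
    # An uncompressed P-256 point is 0x04 || X || Y. If the JWK is the
    # certified key, those 65 bytes appear verbatim inside the certificate.
    point = b"\x04" + _b64url(jwk["x"]) + _b64url(jwk["y"])
    if (jwk.get("kty"), jwk.get("crv")) != ("EC", "P-256") or point not in der:
        problems.append("jwk-mismatch")
    # Assumption: certificateFingerprint is hex SHA-256 over the DER bytes.
    if hashlib.sha256(der).hexdigest() != resp["certificateFingerprint"].lower():
        problems.append("fingerprint-mismatch")
    data = resp["certificateData"]
    not_before, not_after = _ts(data["notBefore"]), _ts(data["notAfter"])
    # The DSC validity window must sit inside the IACA's window.
    if not_before < _ts(iaca_not_before) or not_after > _ts(iaca_not_after):
        problems.append("outside-iaca-validity")
    if not (not_before <= _ts(now) <= not_after):
        problems.append("not-currently-valid")
    return problems
```

These checks only catch inconsistencies between the response fields; they do not verify the IACA's signature on the DSC, which requires validating the certificate chain.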
What's Next?
Now that you have an IACA and a DSC, you must create a new Mobile Credential Configuration before you can issue Mobile Credentials. Refer to Create a Mobile Credential Configuration for step-by-step instructions.