Storing Certification Declaration in firmware
Certification Declaration (CD) is one of the documents obtained as a result of a successful Matter certification. It is a cryptographic document created by the CSA for each device type, used to confirm that a given type of device was certified. CD is used in the Matter Device Attestation procedure during commissioning, where it is provided to a device as an element of Device Attestation data.
CD can only be stored in parts of firmware that can be modified during the device lifetime. With each new software version, the device manufacturer must apply for Matter certification using one of the accepted paths. With an update to the device firmware, the new CD obtained as a result of the new certification process must replace the existing CD on the device.
The following sections describe where and how you can place CD in firmware and how you can test it before applying for certification.
In the nRF Connect SDK implementation of Matter, you can configure CD by adding the CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION define in the
You can obtain the array of bytes for CD by running the following command:
cat CD.der | xxd -i
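One way to check, before a build or release, that the byte array in the define still matches the CD.der you were issued. This is an added example, not code from the nRF Connect SDK. The single-line, brace-enclosed layout of the define and the function names are assumptions.

```shell
#!/bin/sh
# Added example: keep the CD byte array in a header in sync with CD.der.
# Assumption: the define is a single line holding a brace-enclosed 0x.. list.
DEFINE_NAME=CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION

# Print the bytes of file $1 as lowercase hex, one byte per line.
der_hex() {
    od -An -v -tx1 "$1" | tr -s ' ' '\n' | sed '/^$/d'
}

# Emit the #define line for DER file $1.
cd_to_define() {
    printf '#define %s { %s }\n' "$DEFINE_NAME" \
        "$(der_hex "$1" | sed 's/^/0x/' | paste -sd, - | sed 's/,/, /g')"
}

# Print the bytes of the define in header $1, one per line, normalized
# to two lowercase hex digits so 0x3, 0X03 and 0x03 compare equal.
define_hex() {
    grep "^#define $DEFINE_NAME " "$1" | grep -o '0[xX][0-9a-fA-F]\{1,2\}' |
        sed 's/^0[xX]//' | tr 'A-F' 'a-f' | sed 's/^\(.\)$/0\1/'
}

# Return 0 only if header $1 embeds exactly the bytes of DER file $2.
# Returns 2 if either file is unreadable, 1 on any mismatch.
cd_define_matches() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(der_hex "$2")
    have=$(define_hex "$1")
    # A DER file starts with an ASN.1 SEQUENCE tag (0x30); a PEM file or an
    # empty file does not, so reject those before comparing.
    case $want in 30*) ;; *) return 1 ;; esac
    [ "$want" = "$have" ]
}

# Example (paths are placeholders for your own files):
#   . ./cd_check.sh
#   cd_to_define CD.der
#   cd_define_matches path/to/your_config_header.h CD.der || echo "stale CD"
```

Running the comparison in CI catches a firmware image that still carries the CD from a previous certification or a test CD.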
Alternatively, you can opt for storing CD in Zephyr’s Settings subsystem, which allows for storing data even after the device has been programmed. For example, this lets you add CD to the subsystem through CLI, or use Zephyr’s API to store CD in the Settings subsystem within the code.
To enable this configuration method, set the CONFIG_CHIP_CERTIFICATION_DECLARATION_STORAGE Kconfig option in the prj.conf file instead of the define in
To generate CD for integration testing, complete the following steps:
Run the following command pattern to generate CD:
chip-cert gen-cd --key path_to_key --cert path_to_cert --out CD.der --format-version 1 --vendor-id VID --product-id PID --device-type-id device_type --certificate-id CD_serial_number --security-level 0 --security-info 0 --certification-type 1 --version-number DCL_entry_value
In this command:
path_to_key corresponds to the path to the Chip-Test-CD-Signing-Key.pem file, which usually can be found under
path_to_cert corresponds to the path to the Chip-Test-CD-Signing-Cert.pem file, which usually can be found under
VID corresponds to your Vendor ID.
PID corresponds to your Product ID.
device_type corresponds to the device type identifier for the primary function of the device.
CD_serial_number corresponds to the serial number of CD, allocated by the CSA.
DCL_entry_value corresponds to the certification record associated with the product in the Distributed Compliance Ledger.
For more information about some of these fields, see section 6.3.1 of the Matter core specification. For example, the command can look as follows:
chip-cert gen-cd --key credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem --cert credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem --out CD.der --format-version 1 --vendor-id 0xFFF1 --product-id 0x8006 --device-type-id 0xA --certificate-id ZIG20142ZB330003-24 --security-level 0 --security-info 0 --certification-type 1 --version-number 0x2694