Storing Certification Declaration in firmware

Certification Declaration (CD) is one of the documents obtained as a result of a successful Matter certification. It is a cryptographic document created by the CSA for each device type, used to confirm that a given type of device was certified. CD is used in the Matter Device Attestation procedure during commissioning, where it is provided to a device as an element of Device Attestation data.

CD can only be stored in parts of firmware that can be modified during the device lifetime. With each new software version, the device manufacturer must apply for Matter certification using one of the accepted paths. With an update to the device firmware, the new CD obtained as a result of the new certification process must replace the existing CD on the device.

The following sections describe where and how you can place CD in firmware and how you can test it before applying for certification.

Storing Certification Declaration

In the nRF Connect SDK implementation of Matter, you can configure CD by adding the CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION define in the chip_project_config.h file. You can obtain the array of bytes that represents CD by running the following command:

cat CD.der | xxd -i
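The following added example (not part of the original documentation or the SDK) wraps the conversion step in a check that the outer DER header of CD.der declares exactly the file's size, so that a truncated or non-DER file is rejected before it is embedded. It uses od instead of xxd so that only POSIX tools are needed. The function names are hypothetical, and the brace-enclosed initializer layout of the define is an assumption.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of any SDK.

# Print the total size declared by the outer DER header of file $1.
der_total_len() {
    set -- $(od -An -v -tu1 -N4 "$1")          # first four bytes as decimals
    [ "${1:-0}" -eq 48 ] || return 1           # 0x30: DER SEQUENCE tag
    if [ "${2:-255}" -lt 128 ]; then           # short-form length
        echo $(( $2 + 2 ))
    elif [ "$2" -eq 129 ] && [ -n "${3:-}" ]; then   # 0x81: one length byte
        echo $(( $3 + 3 ))
    elif [ "$2" -eq 130 ] && [ -n "${4:-}" ]; then   # 0x82: two length bytes
        echo $(( $3 * 256 + $4 + 4 ))
    else
        return 1
    fi
}

# Print file $1 as the define, refusing truncated or non-DER input.
cd_to_define() {
    der=$1
    [ -f "$der" ] || { echo "error: $der not found" >&2; return 1; }
    size=$(wc -c < "$der" | tr -d ' ')
    declared=$(der_total_len "$der") ||
        { echo "error: $der is not a DER SEQUENCE" >&2; return 1; }
    [ "$declared" -eq "$size" ] ||
        { echo "error: header declares $declared bytes, file has $size" >&2; return 1; }

    # Assumed layout: brace-enclosed byte initializer with line continuations.
    printf '#define CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION \\\n    { \\\n'
    od -An -v -tx1 "$der" | tr -s ' \t' '\n' | awk '
        NF  { row = row "0x" $1 ", "
              if (++n % 12 == 0) { print "        " row "\\"; row = "" } }
        END { if (row != "") print "        " row "\\" }'
    printf '    }\n'
}
```

Call cd_to_define CD.der and redirect its output into chip_project_config.h; a non-zero exit status means the file should not be embedded.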

Storing Certification Declaration in Zephyr

Alternatively, you can opt for storing CD in Zephyr’s Settings subsystem, which allows for storing data even after the device has been programmed. For example, this lets you add CD to the subsystem through CLI, or use Zephyr’s API to store CD in the Settings subsystem within the code.

To enable this configuration method, set the CONFIG_CHIP_CERTIFICATION_DECLARATION_STORAGE Kconfig option in the prj.conf file instead of the define in chip_project_config.h.

Generating Certification Declaration for integration testing

To generate CD for integration testing, complete the following steps:

  1. Install the chip-cert tool.

  2. Run the following command pattern to generate CD:

    chip-cert gen-cd --key path_to_key --cert path_to_cert --out CD.der --format-version 1 --vendor-id VID --product-id PID --device-type-id device_type --certificate-id CD_serial_number --security-level 0 --security-info 0 --certification-type 1 --version-number DCL_entry_value

    In this command:

    • path_to_key corresponds to the path to the Chip-Test-CD-Signing-Key.pem file, which usually can be found under modules/lib/matter/credentials/test/certification-declaration/.

    • path_to_cert corresponds to the path to the Chip-Test-CD-Signing-Cert.pem file, which usually can be found under modules/lib/matter/credentials/test/certification-declaration/.

    • VID corresponds to your Vendor ID.

    • PID corresponds to your Product ID.

    • device_type corresponds to the device type identifier for the primary function of the device.

    • CD_serial_number corresponds to the serial number of CD, allocated by the CSA.

    • DCL_entry_value corresponds to the certification record associated with the product in the Distributed Compliance Ledger.

    For more information about some of these fields, see section 6.3.1 of the Matter core specification. For example, the command can look as follows:

    chip-cert gen-cd --key credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem --cert credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem --out CD.der --format-version 1 --vendor-id 0xFFF1 --product-id 0x8006 --device-type-id 0xA --certificate-id ZIG20142ZB330003-24 --security-level 0 --security-info 0 --certification-type 1 --version-number 0x2694