The hierarchy to issue verifiable credentials is the following:
- Support Office issues a credential to register a Root Trusted Accreditation Organisations (RootTAO).
- A RootTAO is the root of a trusted chain and it can issue credentials to register new Trusted Accreditation Organizations (TAO).
- A TAO can issue credentials to register other Trusted Issuers.
Load the issuer
Load the keys of the Trusted Issuer:
==> using user ES256K did1 <ISSUER_PRIVATE_KEY_ES256K> <ISSUER_DID>
==> using user ES256 did1 <ISSUER_PRIVATE_KEY_ES256> <ISSUER_DID>
Before issuing the credential, run the following commands to set the user accreditation URL and accreditation ID.
==> set user.accreditationUrl ACCREDITATION_URL
ACCREDITATION_URL is the link (located in the Trusted Issuers Registry) to the credential that authorises the entity to issue other credentials.
Now connect the wallet with the pilot environment:
==> env pilot
Define VC payload
Create the reservedAttributeId
by computing a random ID:
==> reservedAttributeId: compute randomID
4ec090a8a660a4bd431cc6d5e50b229cf0812ea8b8f4f642c2f3ad69eb84375f
Now create create a JSON file with the payload of the verifiable credential and set the reservedAttributeId
there. The payload of the credential depends on its type. Here are the most typical cases:
- VerifiableAuthorisationForTrustChain: VC for RootTAOs
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": [
"VerifiableCredential",
"VerifiableAttestation",
"VerifiableAuthorisationForTrustChain"
],
"issuer": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"credentialSubject": {
"id": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"reservedAttributeId": "54bba7597eb82a28ea4e709ac0df2decae02a50a34fb8bb8e46ca87363f55daf"
},
"termsOfUse": {
"id": "https://api-pilot.ebsi.eu/trusted-issuers-registry/v5/issuers/did:ebsi:zZeKyEJfUTGwajhNyNX928z/14bd0d26f3b05d825b91cede8b31068f4d3a3dfda7673e7d36ecfe9f9d402509",
"type": "IssuanceCertificate"
},
"credentialSchema": {
"id": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/z3MgUFUkb722uq4x3dv5yAJmnNmzDFeK5UC8x83QoeLJM",
"type": "FullJsonSchemaValidator2021"
}
}
- VerifiableAccreditationToAccredit: VC for TAOs
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": [
"VerifiableCredential",
"VerifiableAttestation",
"VerifiableAccreditation",
"VerifiableAccreditationToAccredit"
],
"issuer": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"credentialSubject": {
"id": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"reservedAttributeId": "54bba7597eb82a28ea4e709ac0df2decae02a50a34fb8bb8e46ca87363f55daf"
"accreditedFor": [
{
"schemaId": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/z3MgUFUkb722uq4x3dv5yAJmnNmzDFeK5UC8x83QoeLJM",
"types": [
"VerifiableCredential",
"VerifiableAttestation",
"CTRevocable"
],
"limitJurisdiction": "https://publications.europa.eu/resource/authority/atu/FIN"
}
]
},
"termsOfUse": [
{
"id": "https://api-pilot.ebsi.eu/trusted-issuers-registry/v5/issuers/did:ebsi:zZeKyEJfUTGwajhNyNX928z/14bd0d26f3b05d825b91cede8b31068f4d3a3dfda7673e7d36ecfe9f9d402509",
"type": "IssuanceCertificate"
}
],
"credentialSchema": {
"id": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/zjVFNvbEBPAr3a724DttioZpgZmNr75BBtRzZqk7pkDe",
"type": "FullJsonSchemaValidator2021"
}
}
- VerifiableAccreditationToAttest: VC for TIs
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": [
"VerifiableCredential",
"VerifiableAttestation",
"VerifiableAccreditation",
"VerifiableAccreditationToAttest"
],
"issuer": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"credentialSubject": {
"id": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"reservedAttributeId": "54bba7597eb82a28ea4e709ac0df2decae02a50a34fb8bb8e46ca87363f55daf"
"accreditedFor": [
{
"schemaId": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/z3MgUFUkb722uq4x3dv5yAJmnNmzDFeK5UC8x83QoeLJM",
"types": [
"VerifiableCredential",
"VerifiableAttestation",
"CTRevocable"
],
"limitJurisdiction": "https://publications.europa.eu/resource/authority/atu/FIN"
}
]
},
"termsOfUse": [
{
"id": "https://api-pilot.ebsi.eu/trusted-issuers-registry/v5/issuers/did:ebsi:zZeKyEJfUTGwajhNyNX928z/14bd0d26f3b05d825b91cede8b31068f4d3a3dfda7673e7d36ecfe9f9d402509",
"type": "IssuanceCertificate"
}
],
"credentialSchema": {
"id": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/zjVFNvbEBPAr3a724DttioZpgZmNr75BBtRzZqk7pkDe",
"type": "FullJsonSchemaValidator2021"
}
}
Now import it in the CLI tool:
==> payloadVc: load path-to-file.json
Create and sign the VC
Use this payload to create and sign the VC:
==> vcIssuer: compute createVcJwt payloadVc {} ES256
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6I2tleXMtMiJ9.eyJpYXQiOjE3MDAyMjc0NjMsImp0aSI6InVybjp1dWlkOmQzNDQzMmFkLWQzZjgtNDhhYy05NjBkLTNjNTgzYzAwMDdiZSIsIm5iZiI6MTcwMDIyNzQ2MywiZXhwIjoxNzMxNzYzNDYzLCJzdWIiOiJkaWQ6ZWJzaTp6emNKSnVNNFo0QVVLZEw4a2RNRUtOdyIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sImlkIjoidXJuOnV1aWQ6ZDM0NDMyYWQtZDNmOC00OGFjLTk2MGQtM2M1ODNjMDAwN2JlIiwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlZlcmlmaWFibGVBdHRlc3RhdGlvbiIsIlZlcmlmaWFibGVBY2NyZWRpdGF0aW9uIiwiVmVyaWZpYWJsZUFjY3JlZGl0YXRpb25Ub0F0dGVzdCJdLCJpc3N1ZXIiOiJkaWQ6ZWJzaTp6WmVLeUVKZlVUR3dhamhOeU5YOTI4eiIsImlzc3VhbmNlRGF0ZSI6IjIwMjMtMTEtMTdUMTM6MjQ6MjNaIiwiaXNzdWVkIjoiMjAyMy0xMS0xN1QxMzoyNDoyM1oiLCJ2YWxpZEZyb20iOiIyMDIzLTExLTE3VDEzOjI0OjIzWiIsImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMS0xNlQxMzoyNDoyM1oiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDplYnNpOnp6Y0pKdU00WjRBVUtkTDhrZE1FS053IiwiYWNjcmVkaXRlZEZvciI6W3sic2NoZW1hSWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92Mi9zY2hlbWFzL3ozTWdVRlVrYjcyMnVxNHgzZHY1eUFKbW5ObXpERmVLNVVDOHg4M1FvZUxKTSIsInR5cGVzIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiQ1RSZXZvY2FibGUiXSwibGltaXRKdXJpc2RpY3Rpb24iOiJodHRwczovL3B1YmxpY2F0aW9ucy5ldXJvcGEuZXUvcmVzb3VyY2UvYXV0aG9yaXR5L2F0dS9FVVIifV0sInJlc2VydmVkQXR0cmlidXRlSWQiOiI0ZWMwOTBhOGE2NjBhNGJkNDMxY2M2ZDVlNTBiMjI5Y2YwODEyZWE4YjhmNGY2NDJjMmYzYWQ2OWViODQzNzVmIn0sInRlcm1zT2ZVc2UiOnsiaWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtaXNzdWVycy1yZWdpc3RyeS92NC9pc3N1ZXJzL2RpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6L2F0dHJpYnV0ZXMvMTRiZDBkMjZmM2IwNWQ4MjViOTFjZWRlOGIzMTA2OGY0ZDNhM2RmZGE3NjczZTdkMzZlY2ZlOWY5ZDQwMjUwOSIsInR5cGUiOiJJc3N1YW5jZUNlcnRpZmljYXRlIn0sImNyZWRlbnRpYWxTY2hlbWEiOnsiaWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92Mi9zY2hlbWFzL3ozTWdVRlVrYjcyMnVxNHgzZHY1eUFKbW5ObXpERmVLNVVDOHg4M1FvZUxKTSIsInR5cGUiOiJGdWxsSnNvblNjaGVtYVZhbGlkYXRvcjIwMjEifX0sImlzcyI6ImRpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6In0.51wxF6sasQeNmWt-f8uDhek_To8V3qpzudnZX2COe5t6j8H07lMH6coYVWuQm5xqx09zSNJ0NVm-uSWeBcUCqA
By default, the tool defines the current date as issuance date and 5 years for expiration. If you want to set specific dates, override the payload of the JWT:
==> vcIssuer: compute createVcJwt payloadVc {"iat":1704392000, "exp":1705392000} ES256
Also note that these credentials are signed that these credentials are signed with the ES256 key (not the ES256K key), which is the key that should be used in all credentials.
Request an access token
Request an access token to the authorisation API with the scope tir_write
:
==> resAuthTIR: authorisation auth tir_write_presentation ES256
{
"access_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6Inh6bzBsZmQ2TXpJbWRTNGVHbWtDY2hCUVBGbDh5emU1ZjREZFNGWTlxSFEiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjc0NjcsImV4cCI6MTcwMDIzNDY2Nywic3ViIjoiZGlkOmVic2k6elplS3lFSmZVVEd3YWpoTnlOWDkyOHoiLCJhdWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L2F1dGhvcmlzYXRpb24vdjMiLCJzY3AiOiJvcGVuaWQgdGlyX3dyaXRlIiwianRpIjoiYjQyMDdjNGItZDg3Zi00NTk2LWEwNWItZmM2NjRjMjJlNDJiIiwiaXNzIjoiaHR0cHM6Ly9hcGktcGlsb3QuZWJzaS5ldS9hdXRob3Jpc2F0aW9uL3YzIn0.KuX_SUVlrlzh0j_d3Lh0-GGjkjCI4MtRRrDunRu5K-qoD-rimgW90YTvl_x2E2nnXpzWVeL2JrJX6vRx4URVuA",
"token_type": "Bearer",
"expires_in": 7200,
"scope": "openid tir_write",
"id_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6Inh6bzBsZmQ2TXpJbWRTNGVHbWtDY2hCUVBGbDh5emU1ZjREZFNGWTlxSFEiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjc0NjcsImV4cCI6MTcwMDIzNDY2Nywic3ViIjoiZGlkOmVic2k6elplS3lFSmZVVEd3YWpoTnlOWDkyOHoiLCJhdWQiOiJkaWQ6ZWJzaTp6WmVLeUVKZlVUR3dhamhOeU5YOTI4eiIsImp0aSI6IjlhZmYwOTlhLTRmZDMtNDI3Yi04ZmE4LTc3ZjFmOWUzYzQ0NCIsIm5vbmNlIjoiZjkzZmIwZmItN2Q5NS00ZDg1LWJhOTUtMTlmY2E1NTk1ZGZhIiwiaXNzIjoiaHR0cHM6Ly9hcGktcGlsb3QuZWJzaS5ldS9hdXRob3Jpc2F0aW9uL3YzIn0.OBv2Jii94F4PlYPuA5LR0_EXCcrdU3lMmbYBnmHwiVJJluRTVkjJ24nfSBRXVPbwmgcSQN1lkyKxza4Z-mIsbA"
}
Now load the access token:
==> using token resAuthTIR.access_token
Pre-register the VC
Now make the preregistration of the credential in the Trusted Issuers Registry:
==> tir setAttributeMetadata <NEW_ISSUER_DID> reservedAttributeId <ISSUER_TYPE> user.did <USER_ATTRIBUTE_ID>
Issuer did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw
{
"attributeId": "4ec090a8a660a4bd431cc6d5e50b229cf0812ea8b8f4f642c2f3ad69eb84375f",
"issuerType": "ti"
}
where NEW_ISSUER_DID
is the DID of the new issuer, ISSUER_TYPE
must be roottao
, tao
, or ti
depending on the case, and USER_ATTRIBUTE_ID
is your attribute ID that accredits you to issue this type of credentials.
You have issued and preregister a new credential for a Trusted Issuer. Now share the credential with the issuer so he can register it.
Script to issue a VC for a Trusted Issuer
The CLI tool is equipped with a script to simplify the process to issue and preregister a VC for a Trusted Issuer. First, setup your wallet and run:
For Root TAO:
==> vcRootTAO: run issueVcRootTAO DID_SUBJECT
==> run preregisterIssuer DID_SUBJECT roottao vcRootTAO
For TAO:
==> vcTAO: run issueVcTAO DID_SUBJECT
==> run preregisterIssuer DID_SUBJECT tao vcTAO
For TI:
==> vcTI: run issueVcTI DID_SUBJECT
==> run preregisterIssuer DID_SUBJECT ti vcTI