This guide presents the steps to onboard a new legal entity in EBSI, which consists of registering its DID Document in the DID Registry.
Set up your wallet
Create a new DID with 2 key pairs:
- The first key pair with the ES256K algorithm. It will be used to write data in the blockchain.
- The second key pair with the ES256 algorithm. It will be used to sign verifiable credentials and verifiable presentations.
==> using user ES256K
==> using user ES256
{
"keys": {
"ES256K": {
"id": "k0G8kZ0UxsxGLYiiAhRUgtLtFzu-ZpbvzFtpJIH63ZI",
"kid": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#k0G8kZ0UxsxGLYiiAhRUgtLtFzu-ZpbvzFtpJIH63ZI",
"privateKeyJwk": {
"kty": "EC",
"crv": "secp256k1",
"x": "gmT8xLpAGaGX2JnfxTnlOs5JUy7SXSQbIErwPNBbu68",
"y": "r9JVbckK24sbIw4Nyz16qoHaAZdhNmossxyO6a_Naxo",
"d": "O26b4UPVx_MMrzs8ibq0PCIHInEcHdouYy9mDcYcCk8"
},
"publicKeyJwk": {
"kty": "EC",
"crv": "secp256k1",
"x": "gmT8xLpAGaGX2JnfxTnlOs5JUy7SXSQbIErwPNBbu68",
"y": "r9JVbckK24sbIw4Nyz16qoHaAZdhNmossxyO6a_Naxo"
},
"privateKeyEncryptionJwk": {
"kty": "EC",
"crv": "secp256k1",
"x": "gmT8xLpAGaGX2JnfxTnlOs5JUy7SXSQbIErwPNBbu68",
"y": "r9JVbckK24sbIw4Nyz16qoHaAZdhNmossxyO6a_Naxo",
"d": "O26b4UPVx_MMrzs8ibq0PCIHInEcHdouYy9mDcYcCk8"
},
"publicKeyEncryptionJwk": {
"kty": "EC",
"crv": "secp256k1",
"x": "gmT8xLpAGaGX2JnfxTnlOs5JUy7SXSQbIErwPNBbu68",
"y": "r9JVbckK24sbIw4Nyz16qoHaAZdhNmossxyO6a_Naxo"
}
},
"ES256": {
"id": "eJYROV5PYyRZxjF7QABzsd7ooTw5bFNm2Ytt6bAxySQ",
"kid": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#eJYROV5PYyRZxjF7QABzsd7ooTw5bFNm2Ytt6bAxySQ",
"privateKeyJwk": {
"kty": "EC",
"crv": "P-256",
"x": "Vm7_Vhz07e9UoblDw1rmd29bV6ykcut4npLnqhhQlVk",
"y": "uISs1AK-TVo0duSg3AvFuBNgBPp7ex4dWmYvkFN8uRk",
"d": "O26b4UPVx_MMrzs8ibq0PCIHInEcHdouYy9mDcYcCk8"
},
"publicKeyJwk": {
"kty": "EC",
"crv": "P-256",
"x": "Vm7_Vhz07e9UoblDw1rmd29bV6ykcut4npLnqhhQlVk",
"y": "uISs1AK-TVo0duSg3AvFuBNgBPp7ex4dWmYvkFN8uRk"
},
"privateKeyEncryptionJwk": {
"kty": "EC",
"x": "ORK0V91Xg9IAFAMMcl73AxXv6n2ptYKEn5nBfiKCIm4",
"y": "yRMSUPrqVtF2-Q_HkCDYjhNcrvkJeaf9PZdY1BLs8Jc",
"crv": "P-256",
"d": "p4B-UL0hzwNTJFA4taL3N0a1jCmIjUMPgKiwSjO1ZjM"
},
"publicKeyEncryptionJwk": {
"kty": "EC",
"x": "ORK0V91Xg9IAFAMMcl73AxXv6n2ptYKEn5nBfiKCIm4",
"y": "yRMSUPrqVtF2-Q_HkCDYjhNcrvkJeaf9PZdY1BLs8Jc",
"crv": "P-256"
}
}
},
"privateKeyHex": "0x3b6e9be143d5c7f30caf3b3c89bab43c220722711c1dda2e632f660dc61c0a4f",
"publicKeyHex": "0x048264fcc4ba4019a197d899dfc539e53ace49532ed25d241b204af03cd05bbbafafd2556dc90adb8b1b230e0dcb3d7aaa81da019761366a2cb31c8ee9afcd6b1a",
"address": "0x8390f8b75Dfb727dD53C25a048DC4887CF482330",
"did": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"didVersion": 1
}
Save the generated private keys in a safe place.
Now connect the wallet with the pilot environment:
==> env pilot
Request a credential to onboard
For this step, contact the Trusted Issuer related to your use case and request a "Verifiable Authorisation To Onboard". This verifiable credential should contain your DID in the credentialSubject field. To see your DID run:
==> view user.did
did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw
If there is no Trusted Issuer to contact and you are at the top level of the use case, contact the Support Office to get the "Verifiable Authorisation To Onboard".
Request an "invite" access token
In this step you will request an access token from the authorisation API with the scope didr_invite. For this you have to present the authorisation to onboard obtained in the previous step:
==> resAuthDIDRInvite: authorisation auth didr_invite_presentation ES256 <VC_TO_ONBOARD>
{
"access_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6Inh6bzBsZmQ2TXpJbWRTNGVHbWtDY2hCUVBGbDh5emU1ZjREZFNGWTlxSFEiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjYyNTcsImV4cCI6MTcwMDIzMzQ1Nywic3ViIjoiZGlkOmVic2k6enpjSkp1TTRaNEFVS2RMOGtkTUVLTnciLCJhdWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L2F1dGhvcmlzYXRpb24vdjMiLCJzY3AiOiJvcGVuaWQgZGlkcl9pbnZpdGUiLCJqdGkiOiI3NDUzNTNkYS00ODZkLTQyNjYtODQ5MS03ZTI4MjgyZmUwODkiLCJpc3MiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L2F1dGhvcmlzYXRpb24vdjMifQ.U9wctwpyQFMD4L2B2fRuhhyJoQzcSlok1dDQCgNlNnCaIXMBqymPmQVWvRMAFr7RAbMWj9AeXJec0QIr12XyNA",
"token_type": "Bearer",
"expires_in": 7200,
"scope": "openid didr_invite",
"id_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6Inh6bzBsZmQ2TXpJbWRTNGVHbWtDY2hCUVBGbDh5emU1ZjREZFNGWTlxSFEiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjYyNTcsImV4cCI6MTcwMDIzMzQ1Nywic3ViIjoiZGlkOmVic2k6enpjSkp1TTRaNEFVS2RMOGtkTUVLTnciLCJhdWQiOiJkaWQ6ZWJzaTp6emNKSnVNNFo0QVVLZEw4a2RNRUtOdyIsImp0aSI6IjE1N2NiYzJjLTg1ZTItNDI2Zi1iYWRjLTI3NTUyMjk2ZjljMiIsIm5vbmNlIjoiM2JiZTQxOTktN2ZkZS00MzcyLTk1YzMtMGFiMDkzN2JkMWE3IiwiaXNzIjoiaHR0cHM6Ly9hcGktcGlsb3QuZWJzaS5ldS9hdXRob3Jpc2F0aW9uL3YzIn0._-4F6nAA65PTzwJLRbsd6SyoHD6KrlsDOzoj0Qxyz4iWLUi9pIIPyJ83Tm-8o8UnH9lQKEde2gCq956p3JxpaA"
}
Now load the access token:
==> using token resAuthDIDRInvite.access_token
Register first part of the DID Document
To register the first part of the DID Document run:
==> did insertDidDocument
This command will interact with the DID Registry and insert the ES256K key with the relationships "authentication" and "capabilityInvocation". At this point your DID document should be like this:
==> did get /identifiers/ user.did
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/jws-2020/v1"
],
"id": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"controller": ["did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw"],
"verificationMethod": [
{
"id": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#DcKbRyDwj-vgt4smUt5dlgwoN1tTvH1x98dc2ydTQ3A",
"type": "JsonWebKey2020",
"controller": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"publicKeyJwk": {
"kty": "EC",
"crv": "secp256k1",
"x": "4ZaWhy-1tbVSoEr-AMvPPnurkH2_wQrEr2O823fTETU",
"y": "O0mebx46dePZr_jrIeORSCAqKLhj5GpY8PU6npBstCQ"
}
}
],
"authentication": [
"did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#DcKbRyDwj-vgt4smUt5dlgwoN1tTvH1x98dc2ydTQ3A"
],
"capabilityInvocation": [
"did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#DcKbRyDwj-vgt4smUt5dlgwoN1tTvH1x98dc2ydTQ3A"
]
}
Request a "write" access token
Now request an access token from the authorisation API with the scope didr_write. In this case there is no need to present the verifiable authorisation to onboard because the DID is already in the registry:
==> resAuthDIDRWrite: authorisation auth didr_write_presentation ES256K
{
"access_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6Inh6bzBsZmQ2TXpJbWRTNGVHbWtDY2hCUVBGbDh5emU1ZjREZFNGWTlxSFEiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjYyNjcsImV4cCI6MTcwMDIzMzQ2Nywic3ViIjoiZGlkOmVic2k6enpjSkp1TTRaNEFVS2RMOGtkTUVLTnciLCJhdWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L2F1dGhvcmlzYXRpb24vdjMiLCJzY3AiOiJvcGVuaWQgZGlkcl93cml0ZSIsImp0aSI6ImIyOGY2MGFjLTJlMGYtNGFiMi04OTg5LTFiN2VlYmY5MjVlYSIsImlzcyI6Imh0dHBzOi8vYXBpLXBpbG90LmVic2kuZXUvYXV0aG9yaXNhdGlvbi92MyJ9.OikkjrWO4kI3O_PkqsNGcVZ0inZa9Vx9cwqHQ2G6B_p9WhlskNS62xsPHOzjn37bbAYfG8skxEX5MUni2SVpKQ",
"token_type": "Bearer",
"expires_in": 7200,
"scope": "openid didr_write",
"id_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6Inh6bzBsZmQ2TXpJbWRTNGVHbWtDY2hCUVBGbDh5emU1ZjREZFNGWTlxSFEiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjYyNjcsImV4cCI6MTcwMDIzMzQ2Nywic3ViIjoiZGlkOmVic2k6enpjSkp1TTRaNEFVS2RMOGtkTUVLTnciLCJhdWQiOiJkaWQ6ZWJzaTp6emNKSnVNNFo0QVVLZEw4a2RNRUtOdyIsImp0aSI6ImI2MmFiMDE5LWNhNTYtNGE2Yi1iODcwLTQxNzdhMzQ2M2ZiOCIsIm5vbmNlIjoiYjVmN2Y5NjQtODcyMC00ZDU2LWFmYzMtYzg0ZTRkMTE1NjI2IiwiaXNzIjoiaHR0cHM6Ly9hcGktcGlsb3QuZWJzaS5ldS9hdXRob3Jpc2F0aW9uL3YzIn0.vY1-ENX-KIm6UfW-JTTv2IxHfdPjg6149KwXkbJUZtw9ygluLjHLPuWuvMUlhDkkHGF_Nmh14Q59uQw8MnvmUg"
}
Please note that the command uses the ES256K key for the authentication because this is the key registered in the DID registry.
Now load the access token:
==> using token resAuthDIDRWrite.access_token
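Both the "invite" and the "write" token are bound to one scope and one DID and expire after 7200 seconds, so it is worth checking a token before loading it for the next step. The following is an added example, not part of the EBSI CLI: the helper names are hypothetical, the sample token is constructed, and the claim names (iat, exp, sub, scp) are the ones that appear when the sample tokens in this guide are decoded.

```javascript
// Added example, not EBSI code. It decodes the token payload only; it does NOT
// verify the signature, so it is a client-side sanity check and nothing more.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns a list of problems; an empty list means the token fits the step.
function checkAccessToken(jwt, { did, scope, now = Math.floor(Date.now() / 1000) }) {
  const claims = decodeJwtPayload(jwt);
  const problems = [];
  const scopes = String(claims.scp || "").split(" ");
  if (!scopes.includes(scope)) problems.push(`scope ${scope} not granted`);
  if (claims.sub !== did) problems.push(`sub is ${claims.sub}, not ${did}`);
  if (typeof claims.exp !== "number" || claims.exp <= now) problems.push("token expired");
  return problems;
}

// Constructed sample token with a placeholder instead of a real signature.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "ES256", typ: "JWT" })}.${enc(claims)}.constructed`;
}

const MY_DID = "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw"; // DID used throughout this guide
const ISSUED_AT = 1700226257; // constructed issue time for the sample
const inviteToken = makeSampleToken({
  iat: ISSUED_AT,
  exp: ISSUED_AT + 7200, // matches "expires_in": 7200
  sub: MY_DID,
  scp: "openid didr_invite",
});

// The invite token is fine for "did insertDidDocument" ...
console.log(checkAccessToken(inviteToken, { did: MY_DID, scope: "didr_invite", now: ISSUED_AT + 60 }));
// ... but not for the later steps, which need didr_write.
console.log(checkAccessToken(inviteToken, { did: MY_DID, scope: "didr_write", now: ISSUED_AT + 60 }));
```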
Register the second part of the DID Document
The following steps will complete the registration of the DID Document. First register the ES256 key as verification method:
==> did addVerificationMethod user.did ES256
Now create the relationship "authentication" with this verification method:
==> did addVerificationRelationship user.did authentication ES256
Finally, do the same for the relationship "assertionMethod":
==> did addVerificationRelationship user.did assertionMethod ES256
At this point your DID document should be like this:
==> did get /identifiers/ user.did
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/jws-2020/v1"
],
"id": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"controller": ["did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw"],
"verificationMethod": [
{
"id": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#DcKbRyDwj-vgt4smUt5dlgwoN1tTvH1x98dc2ydTQ3A",
"type": "JsonWebKey2020",
"controller": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"publicKeyJwk": {
"kty": "EC",
"crv": "secp256k1",
"x": "4ZaWhy-1tbVSoEr-AMvPPnurkH2_wQrEr2O823fTETU",
"y": "O0mebx46dePZr_jrIeORSCAqKLhj5GpY8PU6npBstCQ"
}
},
{
"id": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#TI3gGIhSOygydZ8gJnseuFZ2G237LYDE6tVaOtb-6Is",
"type": "JsonWebKey2020",
"controller": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"publicKeyJwk": {
"kty": "EC",
"crv": "P-256",
"x": "iBv6wrPNeSitje8yfFK4rsoc8fbE8Rngp85KFDMLjgw",
"y": "Dv8BryEQCUqQe9bRawFdKlhfGDN9o1r2OyIeFLlsqH4"
}
}
],
"authentication": [
"did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#DcKbRyDwj-vgt4smUt5dlgwoN1tTvH1x98dc2ydTQ3A",
"did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#TI3gGIhSOygydZ8gJnseuFZ2G237LYDE6tVaOtb-6Is"
],
"assertionMethod": [
"did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#TI3gGIhSOygydZ8gJnseuFZ2G237LYDE6tVaOtb-6Is"
],
"capabilityInvocation": [
"did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#DcKbRyDwj-vgt4smUt5dlgwoN1tTvH1x98dc2ydTQ3A"
]
}
You have registered a new Legal Entity in the DID Registry.
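To confirm the result of "did get /identifiers/ user.did" mechanically, the key-to-relationship layout described in this guide can be checked in code. The following is an added example, not part of the EBSI CLI: auditDidDocument and sampleDoc are hypothetical names, the sample document is constructed (made-up key fragments, no coordinates), and relationships are assumed to be listed as id strings, as in the output above.

```javascript
// Added example, not EBSI code. Expected layout is the one this guide ends with:
//   secp256k1 (ES256K) -> authentication + capabilityInvocation
//   P-256 (ES256)      -> authentication + assertionMethod
const EXPECTED = {
  secp256k1: ["authentication", "capabilityInvocation"],
  "P-256": ["assertionMethod", "authentication"], // kept sorted for comparison
};
const RELATIONSHIPS = ["authentication", "assertionMethod", "capabilityInvocation",
  "capabilityDelegation", "keyAgreement"];

// Returns a list of human-readable problems; an empty list means the layout matches.
function auditDidDocument(doc) {
  const problems = [];
  const methods = new Map((doc.verificationMethod || []).map((m) => [m.id, m]));
  const seenCurves = new Set();
  for (const [id, m] of methods) {
    if (!id.startsWith(doc.id + "#")) problems.push(`${id}: not under ${doc.id}`);
    if (m.controller !== doc.id) problems.push(`${id}: unexpected controller`);
    const crv = m.publicKeyJwk && m.publicKeyJwk.crv;
    seenCurves.add(crv);
    const actual = RELATIONSHIPS.filter((r) => (doc[r] || []).includes(id)).sort();
    const wanted = EXPECTED[crv];
    if (!wanted) problems.push(`${id}: unexpected curve ${crv}`);
    else if (actual.join() !== wanted.join())
      problems.push(`${id}: has [${actual}], expected [${wanted}]`);
  }
  for (const crv of Object.keys(EXPECTED))
    if (!seenCurves.has(crv)) problems.push(`no ${crv} verification method`);
  for (const r of RELATIONSHIPS)
    for (const ref of doc[r] || [])
      if (!methods.has(ref)) problems.push(`${r}: dangling reference ${ref}`);
  return problems;
}

// Constructed sample: the guide's DID with made-up key fragments and no x/y values.
const DID = "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw";
function sampleDoc(stage) {
  const vm = (frag, crv) => ({ id: `${DID}#${frag}`, type: "JsonWebKey2020",
    controller: DID, publicKeyJwk: { kty: "EC", crv } });
  const k1 = vm("k1-constructed", "secp256k1"), p256 = vm("p256-constructed", "P-256");
  const doc = { id: DID, controller: [DID], verificationMethod: [k1],
    authentication: [k1.id], capabilityInvocation: [k1.id] };
  if (stage === "complete") {
    doc.verificationMethod.push(p256);
    doc.authentication.push(p256.id);
    doc.assertionMethod = [p256.id];
  }
  return doc;
}
console.log(auditDidDocument(sampleDoc("first")), auditDidDocument(sampleDoc("complete")));
```

After only the first part is registered, the audit reports the missing P-256 method; a document in which the ES256 key also appears under capabilityInvocation, or in which a relationship points at an id that is not in verificationMethod, is reported as well.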
Script to register a Legal Entity
The CLI tool is equipped with a script to simplify the process of registering a new Legal Entity. First, set up your wallet and request a verifiable authorisation to onboard. Then run:
==> run registerDidDocument_ES256K_ES256 <VC_TO_ONBOARD>