This step is performed by the New Entity that wants to become a trusted issuer in the EBSI ecosystem.
This guide presents the steps to set up your wallet in the EBSI CLI. The wallet will contain your cryptographic keys and DID (Decentralized Identifier) that will be used throughout the onboarding process.
Prerequisites
Before starting, ensure you have:
- Node.js v22 installed on your system
- EBSI CLI installed (
npx @cef-ebsi/cli) - Access to EBSI environment (test, pilot, or production)
- Secure storage for your private keys
Start the CLI
Launch the EBSI CLI:
npx @cef-ebsi/cli
Set your environment
Choose the appropriate EBSI environment:
# For testing
env test
# For pilot environment
env pilot
# For production (when available)
env production
Generate ES256K key pair
The ES256K key pair is used for blockchain operations and DID document management:
using user ES256K
This command will generate a new ES256K key pair and display the generated information:
{
"keys": {
"ES256K": {
"id": "k0G8kZ0UxsxGLYiiAhRUgtLtFzu-ZpbvzFtpJIH63ZI",
"kid": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#k0G8kZ0UxsxGLYiiAhRUgtLtFzu-ZpbvzFtpJIH63ZI",
"privateKeyJwk": {
"kty": "EC",
"crv": "secp256k1",
"x": "gmT8xLpAGaGX2JnfxTnlOs5JUy7SXSQbIErwPNBbu68",
"y": "r9JVbckK24sbIw4Nyz16qoHaAZdhNmossxyO6a_Naxo",
"d": "O26b4UPVx_MMrzs8ibq0PCIHInEcHdouYy9mDcYcCk8"
},
"publicKeyJwk": {
"kty": "EC",
"crv": "secp256k1",
"x": "gmT8xLpAGaGX2JnfxTnlOs5JUy7SXSQbIErwPNBbu68",
"y": "r9JVbckK24sbIw4Nyz16qoHaAZdhNmossxyO6a_Naxo"
}
}
},
"did": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"didVersion": 1
}
Generate ES256 key pair
The ES256 key pair is used for signing verifiable credentials and presentations:
using user ES256
This will add the ES256 key pair to your existing wallet:
{
"keys": {
"ES256K": {
// ... ES256K key details
},
"ES256": {
"id": "eJYROV5PYyRZxjF7QABzsd7ooTw5bFNm2Ytt6bAxySQ",
"kid": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw#eJYROV5PYyRZxjF7QABzsd7ooTw5bFNm2Ytt6bAxySQ",
"privateKeyJwk": {
"kty": "EC",
"crv": "P-256",
"x": "Vm7_Vhz07e9UoblDw1rmd29bV6ykcut4npLnqhhQlVk",
"y": "uISs1AK-TVo0duSg3AvFuBNgBPp7ex4dWmYvkFN8uRk",
"d": "O26b4UPVx_MMrzs8ibq0PCIHInEcHdouYy9mDcYcCk8"
},
"publicKeyJwk": {
"kty": "EC",
"crv": "P-256",
"x": "Vm7_Vhz07e9UoblDw1rmd29bV6ykcut4npLnqhhQlVk",
"y": "uISs1AK-TVo0duSg3AvFuBNgBPp7ex4dWmYvkFN8uRk"
}
}
},
"did": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"didVersion": 1
}
Save your private keys securely
IMPORTANT: Save your private keys in a secure location immediately after generation. These keys are required for all future operations and cannot be recovered if lost.
Your private keys are displayed in the output above. Make sure to:
- Save the private key values (JWK or hex string) securely
- Store them in encrypted storage or a hardware security module
- Never share private keys with anyone
- Keep backups in multiple secure locations
You can view your current wallet information at any time:
# View your DID
view user.did
# View your wallet details
view user
Verify your setup
Confirm that your wallet is properly configured:
# Check your DID
view user.did
# Output: did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw
# Check your environment
env
# Output: pilot (or your selected environment)
# Verify both key pairs are loaded
view user.keys.ES256K.id
view user.keys.ES256.id
You have successfully set up your wallet with both ES256K and ES256 key pairs. Your DID is now ready for the onboarding process.
Next Step: Contact a Trusted Issuer or Support Office to obtain a "Verifiable Authorisation To Onboard" credential (Step 2).
Key Information for Next Steps
Before proceeding to Step 2, you'll need to share the following information with your Trusted Issuer or Support Office:
- Your DID:
did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw(useview user.didto get your actual DID) - Your use case: What type of trusted issuer you want to become (Root TAO, TAO, or TI)
The Trusted Issuer or Support Office will use this information to issue the appropriate onboarding credential for you.