
5. Register a Trusted Issuer

Role: New Entity

This step is performed by the New Entity using the trusted issuer credential received from a Trusted Issuer or Support Office in Step 4.

Prerequisites

Before starting this step, ensure you have:

  1. Completed Steps 1-3: Your wallet is set up and DID document is registered
  2. Received trusted issuer credential: From a Trusted Issuer or Support Office (Step 4)
  3. Valid VC for trusted issuer: The credential should contain your DID and reservedAttributeId in the credentialSubject field
  4. Pre-registration completed: The issuer should have pre-registered you in the Trusted Issuers Registry

Load the keys of the new issuer:

Command
==> using user ES256K did1 <ISSUER_PRIVATE_KEY_ES256K> <ISSUER_DID>
==> using user ES256 did1 <ISSUER_PRIVATE_KEY_ES256> <ISSUER_DID>

Now connect the wallet with the pilot environment:

Command
==> env pilot

Verify your trusted issuer credential

You should have already received a trusted issuer credential from a Trusted Issuer or Support Office in Step 4. The verifiable credential should contain your DID and a reservedAttributeId in the credentialSubject.

The Trusted Issuer or Support Office should also have pre-registered your issuer status in the Trusted Issuers Registry. To verify the pre-registration, run the following command; you should see an attribute with an empty body:

Command
==> tir get /issuers/ user.did
Output
{
"did": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"attributes": [
{
"hash": "4ec090a8a660a4bd431cc6d5e50b229cf0812ea8b8f4f642c2f3ad69eb84375f",
"body": "",
"issuerType": "TI",
"tao": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"rootTao": "did:ebsi:zZeKyEJfUTGwajhNyNX928z"
}
]
}
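
A pre-flight check for this step, as an added example that is not part of the EBSI CLI or the original guide: it decodes the credential's JWT payload, confirms that credentialSubject.id is your DID, and matches reservedAttributeId against the pre-registered attribute that still has an empty body. The DIDs, the attribute ID and the unsigned credential are constructed sample values; equating the pre-registered hash with reservedAttributeId is an assumption taken from the sample output above.

```python
import base64
import json

# Constructed sample values (not taken from any real registry entry).
MY_DID = "did:ebsi:zConstructedNewIssuer"
TAO_DID = "did:ebsi:zConstructedTao"
RESERVED = "ab" * 32

def make_sample_vc(subject_did, reserved, nbf, exp):
    """Build an unsigned stand-in for <VC_ISSUER>; the signature is a dummy."""
    payload = {"iss": TAO_DID, "sub": subject_did, "nbf": nbf, "exp": exp,
               "vc": {"credentialSubject": {"id": subject_did,
                                            "reservedAttributeId": reserved}}}
    parts = ({"alg": "ES256", "typ": "JWT"}, payload)
    enc = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
           for p in parts]
    return ".".join(enc) + ".ZHVtbXk"

def jwt_payload(vc_jwt):
    """Decode the payload segment only; this does NOT verify the signature."""
    parts = vc_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT with three segments")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def preflight(vc_jwt, my_did, tir_entry, now):
    """Return the reservedAttributeId to pass to setAttributeData, or raise."""
    claims = jwt_payload(vc_jwt)
    subject = claims.get("vc", {}).get("credentialSubject", {})
    if subject.get("id") != my_did:
        raise ValueError("credentialSubject.id is not this wallet's DID")
    if not claims.get("nbf", 0) <= now < claims.get("exp", float("inf")):
        raise ValueError("credential is outside its nbf/exp window")
    reserved = subject.get("reservedAttributeId")
    if not reserved:
        raise ValueError("credentialSubject has no reservedAttributeId")
    if tir_entry.get("did") != my_did:
        raise ValueError("TIR entry is for a different DID")
    # Assumption from the sample output: pre-registered hash == reservedAttributeId.
    slots = [a for a in tir_entry.get("attributes", []) if a.get("hash") == reserved]
    if not slots:
        raise ValueError("no pre-registered attribute matches reservedAttributeId")
    if slots[0].get("body"):
        raise ValueError("attribute already has a body; not an empty pre-registration")
    return reserved

# Constructed stand-in for the JSON returned by `tir get /issuers/ user.did`.
SAMPLE_TIR = {"did": MY_DID, "attributes": [
    {"hash": RESERVED, "body": "", "issuerType": "TI",
     "tao": TAO_DID, "rootTao": TAO_DID}]}
```

The returned value is what goes in place of <RESERVED_ATTRIBUTE_ID> when registering the credential; signature and accreditation checks remain the registry's job.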

Request an access token

In this step you will request an access token from the authorisation API. If this is the first time you register a Trusted Issuer, request an access token with scope tir_invite and present the credential. If the issuer already exists, request an access token with scope tir_write (in this case there is no need to present a credential):

Command
# For first time
==> resAuthTIR: authorisation auth tir_invite_presentation ES256 <VC_ISSUER>

# For existing issuers
==> resAuthTIR: authorisation auth tir_write_presentation ES256

Now load the access token:

Command
==> using token resAuthTIR.access_token

Register the credential

To register the credential run:

Command
==> tir setAttributeData user.did <RESERVED_ATTRIBUTE_ID> <VC_ISSUER>

You can get the reserved attribute ID from the verifiable credential.

Finally, verify that the credential is registered:

Command
==> tir get /issuers/ user.did
Output
{
"did": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
"attributes": [
{
"hash": "06bcfc35a6c342bd12d9975df3de5a2659e70318f208999341bc634006e32233",
"body": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6I2tleXMtMiJ9.eyJpYXQiOjE3MDAyMjc0NjMsImp0aSI6InVybjp1dWlkOmQzNDQzMmFkLWQzZjgtNDhhYy05NjBkLTNjNTgzYzAwMDdiZSIsIm5iZiI6MTcwMDIyNzQ2MywiZXhwIjoxNzMxNzYzNDYzLCJzdWIiOiJkaWQ6ZWJzaTp6emNKSnVNNFo0QVVLZEw4a2RNRUtOdyIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sImlkIjoidXJuOnV1aWQ6ZDM0NDMyYWQtZDNmOC00OGFjLTk2MGQtM2M1ODNjMDAwN2JlIiwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlZlcmlmaWFibGVBdHRlc3RhdGlvbiIsIlZlcmlmaWFibGVBY2NyZWRpdGF0aW9uIiwiVmVyaWZpYWJsZUFjY3JlZGl0YXRpb25Ub0F0dGVzdCJdLCJpc3N1ZXIiOiJkaWQ6ZWJzaTp6WmVLeUVKZlVUR3dhamhOeU5YOTI4eiIsImlzc3VhbmNlRGF0ZSI6IjIwMjMtMTEtMTdUMTM6MjQ6MjNaIiwiaXNzdWVkIjoiMjAyMy0xMS0xN1QxMzoyNDoyM1oiLCJ2YWxpZEZyb20iOiIyMDIzLTExLTE3VDEzOjI0OjIzWiIsImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMS0xNlQxMzoyNDoyM1oiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDplYnNpOnp6Y0pKdU00WjRBVUtkTDhrZE1FS053IiwiYWNjcmVkaXRlZEZvciI6W3sic2NoZW1hSWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92Mi9zY2hlbWFzL3ozTWdVRlVrYjcyMnVxNHgzZHY1eUFKbW5ObXpERmVLNVVDOHg4M1FvZUxKTSIsInR5cGVzIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiQ1RSZXZvY2FibGUiXSwibGltaXRKdXJpc2RpY3Rpb24iOiJodHRwczovL3B1YmxpY2F0aW9ucy5ldXJvcGEuZXUvcmVzb3VyY2UvYXV0aG9yaXR5L2F0dS9FVVIifV0sInJlc2VydmVkQXR0cmlidXRlSWQiOiI0ZWMwOTBhOGE2NjBhNGJkNDMxY2M2ZDVlNTBiMjI5Y2YwODEyZWE4YjhmNGY2NDJjMmYzYWQ2OWViODQzNzVmIn0sInRlcm1zT2ZVc2UiOnsiaWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtaXNzdWVycy1yZWdpc3RyeS92NC9pc3N1ZXJzL2RpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6L2F0dHJpYnV0ZXMvMTRiZDBkMjZmM2IwNWQ4MjViOTFjZWRlOGIzMTA2OGY0ZDNhM2RmZGE3NjczZTdkMzZlY2ZlOWY5ZDQwMjUwOSIsInR5cGUiOiJJc3N1YW5jZUNlcnRpZmljYXRlIn0sImNyZWRlbnRpYWxTY2hlbWEiOnsiaWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92Mi9zY2hlbWFzL3ozTWdVRlVrYjcyMnVxNHgzZHY1eUFKbW5ObXpERmVLNVVDOHg4M1FvZUxKTSIsInR5cGUiOiJGdWxsSnNvblNjaGVtYVZhbGlkYXRvcjIwMjEifX0sImlzcyI6ImRpZDplYn
NpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6In0.51wxF6sasQeNmWt-f8uDhek_To8V3qpzudnZX2COe5t6j8H07lMH6coYVWuQm5xqx09zSNJ0NVm-uSWeBcUCqA",
"issuerType": "TI",
"tao": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"rootTao": "did:ebsi:zZeKyEJfUTGwajhNyNX928z"
}
]
}
Congratulations!

You have successfully registered as a Trusted Issuer in the Trusted Issuers Registry. You can now proceed to Step 6 (Register Issuer Proxy) to complete your onboarding.

Script to register a credential

The CLI tool includes a script that simplifies registering a verifiable credential. First, set up your wallet and then run:

Command
==> run registerIssuer VERIFIABLE_CREDENTIAL