Skip to main content
European CommissionEBSI European Blockchain
Get Help

Issue Self-Attestation for Support Office

This guide explains how to issue a self-attestation credential for the Support Office. This process is performed by the Support Office itself, acting as both the issuer and the subject of the credential.

EBSI deployment

The Support Office self-attestation is automatically performed during the bootstrap process in the EBSI Deployment. This tutorial is useful when you need to issue a new credential, update an existing one, or perform the process manually outside of the bootstrap script.

Prerequisites

Before starting this process, ensure you have:

  1. Support Office credentials with appropriate permissions
  2. TIR:setAttributeMetadata attribute defined in the Trusted Policies Registry
  3. DID registration completed in the DID Registry
  4. Node.js v22 installed on your system
  5. Hardware wallet setup (recommended for security) - see Hardware Wallet Setup
note

This process uses proxyledger commands to interact directly with the Besu blockchain, bypassing the authorisation API and Trusted Issuers Registry API. This is a special privilege available only to Support Office. For more information about proxyledger commands, see Ledger API.

Step 1: Load the Support Office Wallet

Load the keys of the Support Office:

Command
==> using user ES256K did1 <SUPPORT_OFFICE_PRIVATE_KEY_ES256K> <SUPPORT_OFFICE_DID>
==> using user ES256 did1 <SUPPORT_OFFICE_PRIVATE_KEY_ES256> <SUPPORT_OFFICE_DID>

Now connect the wallet with the pilot environment:

Command
==> env pilot

Step 2: Load the VC Payload

Load the predefined payload for the Support Office self-attestation credential:

Command
==> payloadVc: load assets/CredentialToAttestVerifiableAuthorisationForTrustChain.json
==> reservedAttributeId: compute randomID
==> set payloadVc.issuer user.did
==> set payloadVc.credentialSubject.id user.did
==> set payloadVc.credentialSubject.accreditedFor[0].schemaId tsrUrl /schemas/zH74MKkYTbQ6ZfTxufi6A3Aw8giS4piGm8dpgxFmkJjmu
==> set payloadVc.credentialSchema.id tsrUrl /schemas/zH74MKkYTbQ6ZfTxufi6A3Aw8giS4piGm8dpgxFmkJjmu
==> set payloadVc.credentialSubject.reservedAttributeId reservedAttributeId

This payload contains an attestation to authorise the issuance of VerifiableAuthorisationForTrustChain credentials, that is, to authorise new Root TAOs to onboard in EBSI.

Step 3: Issue the VC

Create and sign the verifiable credential:

Command
==> vcSupportOffice: compute createVcJwt payloadVc {} ES256
Output - value saved in 'vcSupportOffice'
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDplYnNpOnppeWJiUkNxTHFieEp3NEh5NVFTRUtRI3NqN29tTm5ycjhLWVlhQmtaWFpnTWZNYk90WGxPOGw3cUU5TVRadmdYbEkifQ.eyJpYXQiOjE3NTcwNjUxMTcsImp0aSI6InVybjp1dWlkOjkwNTMzNTkyLTRhYzQtNDhjYi04YzE1LTc1YWUzNDRmYzE4MCIsIm5iZiI6MTc1NzA2NTExNywiZXhwIjoxOTE0NzQ1MTE3LCJzdWIiOiJkaWQ6ZWJzaTp6aXliYlJDcUxxYnhKdzRIeTVRU0VLUSIsImlzcyI6ImRpZDplYnNpOnppeWJiUkNxTHFieEp3NEh5NVFTRUtRIiwidmMiOnsiQGNvbnRleHQiOlsiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiXSwiaWQiOiJ1cm46dXVpZDo5MDUzMzU5Mi00YWM0LTQ4Y2ItOGMxNS03NWFlMzQ0ZmMxODAiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiVmVyaWZpYWJsZUFjY3JlZGl0YXRpb24iLCJWZXJpZmlhYmxlQWNjcmVkaXRhdGlvblRvQXR0ZXN0Il0sImlzc3VlciI6ImRpZDplYnNpOnppeWJiUkNxTHFieEp3NEh5NVFTRUtRIiwiaXNzdWFuY2VEYXRlIjoiMjAyNS0wOS0wNVQwOTozODozN1oiLCJpc3N1ZWQiOiIyMDI1LTA5LTA1VDA5OjM4OjM3WiIsInZhbGlkRnJvbSI6IjIwMjUtMDktMDVUMDk6Mzg6MzdaIiwiZXhwaXJhdGlvbkRhdGUiOiIyMDMwLTA5LTA0VDA5OjM4OjM3WiIsImNyZWRlbnRpYWxTdWJqZWN0Ijp7ImlkIjoiZGlkOmVic2k6eml5YmJSQ3FMcWJ4Snc0SHk1UVNFS1EiLCJhY2NyZWRpdGVkRm9yIjpbeyJzY2hlbWFJZCI6Imh0dHBzOi8vYXBpLXBpbG90LmVic2kuZXUvdHJ1c3RlZC1zY2hlbWFzLXJlZ2lzdHJ5L3YzL3NjaGVtYXMvekg3NE1La1lUYlE2WmZUeHVmaTZBM0F3OGdpUzRwaUdtOGRwZ3hGbWtKam11IiwidHlwZXMiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiLCJWZXJpZmlhYmxlQXR0ZXN0YXRpb24iLCJWZXJpZmlhYmxlQXV0aG9yaXNhdGlvbkZvclRydXN0Q2hhaW4iXX1dLCJyZXNlcnZlZEF0dHJpYnV0ZUlkIjoiYzNlNDI3MDFlMmY3MjAxNTI4ZmU4YWU4YmY1YzIwN2I1MTVhMTRkY2IwNGZjN2Q1NTE4ZmNhZDE0MjlkOWMwYiJ9LCJjcmVkZW50aWFsU2NoZW1hIjp7ImlkIjoiaHR0cHM6Ly9hcGktcGlsb3QuZWJzaS5ldS90cnVzdGVkLXNjaGVtYXMtcmVnaXN0cnkvdjMvc2NoZW1hcy96SDc0TUtrWVRiUTZaZlR4dWZpNkEzQXc4Z2lTNHBpR204ZHBneEZta0pqbXUiLCJ0eXBlIjoiRnVsbEpzb25TY2hlbWFWYWxpZGF0b3IyMDIxIn19fQ.lQDrkgwa67uHt3MopUDPo_XpQd9iEPTUD_nNOlZ9ecKm0DISG1nalVh3jisUd4uKqhjaBLjOBK7KIZDWRguXxg

Step 4: Pre-register the VC

Pre-register the credential in the Trusted Issuers Registry using proxyledger to interact directly with the blockchain:

Command
==> proxyledger tir setAttributeMetadata user.did reservedAttributeId roottao
note

The CLI will automatically use the values from the loaded variables:

  • user.did: The DID of the currently loaded user (Support Office)
  • reservedAttributeId: The random ID generated in Step 2
Output
Issuer did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw
{
  "attributeId": "c3e42701e2f7201528fe8ae8bf5c207b515a14dcb04fc7d5518fcad1429d9c0b",
  "issuerType": "roottao"
}

Step 5: Register the VC

Register the credential data in the Trusted Issuers Registry using proxyledger:

Command
==> proxyledger tir setAttributeData user.did reservedAttributeId vcSupportOffice
note

The CLI will automatically use the values from the loaded variables:

  • user.did: The DID of the currently loaded user (Support Office)
  • reservedAttributeId: The random ID generated in Step 2
  • vcSupportOffice: The verifiable credential created in Step 3

This command registers the actual verifiable credential in the registry, completing the self-attestation process.

Verify the Registration

To verify that the Support Office self-attestation has been properly registered:

Command
==> tir get /issuers/ user.did
Output
{
  "did": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
  "attributes": [
    {
      "hash": "06bcfc35a6c342bd12d9975df3de5a2659e70318f208999341bc634006e32233",
      "body": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6I2tleXMtMiJ9...",
      "issuerType": "ROOTTAO",
      "tao": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw",
      "rootTao": "did:ebsi:zzcJJuM4Z4AUKdL8kdMEKNw"
    }
  ]
}
Congratulations!

You have successfully issued and registered a self-attestation credential for the Support Office. The Support Office is now properly registered in the EBSI ecosystem.

Key Differences from Standard Onboarding

This process differs from the standard onboarding tutorial in several important ways:

  1. Single Actor: Only the Support Office is involved (both issuer and subject)
  2. Direct Blockchain Access: Uses proxyledger commands instead of authorisation API
  3. No Access Tokens: Bypasses the authorisation API entirely
  4. No Proxy Registration: Support Office doesn't need to register an issuer proxy