The hierarchy to issue verifiable credentials is the following:
- The Support Office issues a credential to register a Root Trusted Accreditation Organisation (RootTAO).
- A RootTAO is the root of a trusted chain and it can issue credentials to register new Trusted Accreditation Organisations (TAO).
- A TAO can issue credentials to register other Trusted Issuers.
Load the issuer
Load the keys of the Trusted Issuer:
==> using user ES256K did1 <ISSUER_PRIVATE_KEY_ES256K> <ISSUER_DID>
==> using user ES256 did1 <ISSUER_PRIVATE_KEY_ES256> <ISSUER_DID>
Now connect the wallet with the pilot environment:
==> env pilot
Define VC payload
Create the reservedAttributeId by computing a random ID:
==> reservedAttributeId: compute randomID
Value saved in 'reservedAttributeId':
b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4
Now create a JSON file with the payload of the verifiable credential and set the reservedAttributeId there. The payload of the credential depends on its type. Here are the most typical cases:
VerifiableAuthorisationForTrustChain: VC for RootTAOs
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": [
"VerifiableCredential",
"VerifiableAttestation",
"VerifiableAuthorisationForTrustChain"
],
"issuer": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"credentialSubject": {
"id": "did:ebsi:zy8Psj9ez9wrsSZ7vrHE221",
"reservedAttributeId": "b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4"
},
"termsOfUse": {
"id": "https://api-pilot.ebsi.eu/trusted-issuers-registry/v5/issuers/did:ebsi:zZeKyEJfUTGwajhNyNX928z/cf89e47e260eda53bb199096ca97347790c84d2c8a5f2ce3f411eaba14d0003e",
"type": "IssuanceCertificate"
},
"credentialSchema": {
"id": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/z3MgUFUkb722uq4x3dv5yAJmnNmzDFeK5UC8x83QoeLJM",
"type": "FullJsonSchemaValidator2021"
}
}
VerifiableAccreditationToAccredit: VC for TAOs
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": [
"VerifiableCredential",
"VerifiableAttestation",
"VerifiableAccreditation",
"VerifiableAccreditationToAccredit"
],
"issuer": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"credentialSubject": {
"id": "did:ebsi:zy8Psj9ez9wrsSZ7vrHE221",
"reservedAttributeId": "b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4",
"accreditedFor": [
{
"schemaId": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/z3MgUFUkb722uq4x3dv5yAJmnNmzDFeK5UC8x83QoeLJM",
"types": [
"VerifiableCredential",
"VerifiableAttestation",
"CTRevocable"
],
"limitJurisdiction": "https://publications.europa.eu/resource/authority/atu/FIN"
}
]
},
"termsOfUse": [
{
"id": "https://api-pilot.ebsi.eu/trusted-issuers-registry/v5/issuers/did:ebsi:zZeKyEJfUTGwajhNyNX928z/cf89e47e260eda53bb199096ca97347790c84d2c8a5f2ce3f411eaba14d0003e",
"type": "IssuanceCertificate"
}
],
"credentialSchema": {
"id": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/zjVFNvbEBPAr3a724DttioZpgZmNr75BBtRzZqk7pkDe",
"type": "FullJsonSchemaValidator2021"
}
}
VerifiableAccreditationToAttest: VC for TIs
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": [
"VerifiableCredential",
"VerifiableAttestation",
"VerifiableAccreditation",
"VerifiableAccreditationToAttest"
],
"issuer": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"credentialSubject": {
"id": "did:ebsi:zy8Psj9ez9wrsSZ7vrHE221",
"reservedAttributeId": "b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4",
"accreditedFor": [
{
"schemaId": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/z3MgUFUkb722uq4x3dv5yAJmnNmzDFeK5UC8x83QoeLJM",
"types": [
"VerifiableCredential",
"VerifiableAttestation",
"CTRevocable"
],
"limitJurisdiction": "https://publications.europa.eu/resource/authority/atu/FIN"
}
]
},
"termsOfUse": [
{
"id": "https://api-pilot.ebsi.eu/trusted-issuers-registry/v5/issuers/did:ebsi:zZeKyEJfUTGwajhNyNX928z/cf89e47e260eda53bb199096ca97347790c84d2c8a5f2ce3f411eaba14d0003e",
"type": "IssuanceCertificate"
}
],
"credentialSchema": {
"id": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/zjVFNvbEBPAr3a724DttioZpgZmNr75BBtRzZqk7pkDe",
"type": "FullJsonSchemaValidator2021"
}
}
Now import it in the CLI tool:
==> payloadVc: load path-to-file.json
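A payload file can be checked before it is loaded and signed. The following Python sketch is an added example, not part of the EBSI CLI tool: it rejects malformed JSON (such as a missing comma), a credential type that does not match the intended issuer type, and a reservedAttributeId that differs from the one computed earlier. The function name, the 64-hex-character ID format, and the accreditedFor and termsOfUse checks are assumptions derived from the sample payloads above.

```python
import json
import re

# Issuer type -> credential type, as listed in the payload cases above.
EXPECTED_TYPE = {
    "roottao": "VerifiableAuthorisationForTrustChain",
    "tao": "VerifiableAccreditationToAccredit",
    "ti": "VerifiableAccreditationToAttest",
}
HEX_ID = re.compile(r"^[0-9a-f]{64}$")  # assumption: shape of the sample ID

def check_payload(text, issuer_type, reserved_attribute_id):
    """Return a list of problems in a VC payload file; an empty list means OK."""
    if issuer_type not in EXPECTED_TYPE:
        return [f"unknown issuer type {issuer_type!r}"]
    try:
        vc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(vc, dict):
        return ["payload is not a JSON object"]
    problems = []
    if EXPECTED_TYPE[issuer_type] not in vc.get("type", []):
        problems.append(f"type lacks {EXPECTED_TYPE[issuer_type]}")
    subject = vc.get("credentialSubject") or {}
    rid = str(subject.get("reservedAttributeId", ""))
    if not HEX_ID.match(rid):
        problems.append("reservedAttributeId is not 64 hex characters")
    elif rid != reserved_attribute_id:
        problems.append("reservedAttributeId differs from the reserved one")
    # Assumption from the samples: TAO and TI payloads carry accreditedFor.
    if issuer_type != "roottao" and not subject.get("accreditedFor"):
        problems.append("accreditedFor is missing or empty")
    terms = vc.get("termsOfUse", [])
    terms = terms if isinstance(terms, list) else [terms]  # object or array
    issuer = vc.get("issuer", "")
    if not any(isinstance(t, dict) and f"/issuers/{issuer}/" in t.get("id", "")
               for t in terms):
        problems.append("termsOfUse does not point at the issuer's registry entry")
    return problems

# Constructed sample mirroring the TI payload above; <attribute-id> is a placeholder.
RID = "b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4"
ISSUER = "did:ebsi:zZeKyEJfUTGwajhNyNX928z"
REGISTRY = "https://api-pilot.ebsi.eu/trusted-issuers-registry/v5/issuers"
SAMPLE = json.dumps({
    "type": ["VerifiableCredential", "VerifiableAttestation",
             "VerifiableAccreditation", "VerifiableAccreditationToAttest"],
    "issuer": ISSUER,
    "credentialSubject": {"id": "did:ebsi:zy8Psj9ez9wrsSZ7vrHE221",
                          "reservedAttributeId": RID,
                          "accreditedFor": [{"types": ["CTRevocable"]}]},
    "termsOfUse": [{"id": f"{REGISTRY}/{ISSUER}/<attribute-id>",
                    "type": "IssuanceCertificate"}],
})
```

Calling check_payload(SAMPLE, "ti", RID) returns an empty list; passing "tao" for the same file reports the type mismatch.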
Create and sign the VC
Use this payload to create and sign the VC:
==> vcIssuer: compute createVcJwt payloadVc {} ES256
...
Value saved in 'vcIssuer':
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6I1NvMUhJUnQwS3FmMF9CU3dxdjRWTU5na2F4M21DRjlJamNRSndNbkIzYnMifQ.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.xx2750myIbG9ojkycuHEg9ZSHDCQ1ZJuYKFE59GdlxwD0Ehe75mtVA7z1FAiCpkxkjLBZ9RV_4RBlxyL0ij4OQ
Note that this credential is signed with the ES256 key (not the ES256K key), which is the key that should be used in all credentials.
Request an access token
Request an access token to the authorisation API with the scope tir_write:
==> resAuthTIR: authorisation-new auth tir_write_presentation ES256
...
Value saved in 'resAuthTIR':
{
"access_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IldqQVB6c0RyYmtWQU0xYkhpdVh5dDlPRmdQZVRSRGpLVjNncGg1RURWUGMiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjk5NTAsImV4cCI6MTcwMDIzNzE1MCwic3ViIjoiZGlkOmVic2k6elplS3lFSmZVVEd3YWpoTnlOWDkyOHoiLCJhdWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L2F1dGhvcmlzYXRpb24vdjQiLCJzY3AiOiJvcGVuaWQgdGlyX3dyaXRlIiwianRpIjoiOGYwNzcwMDEtNzIyNi00OTQ3LWIwNTYtN2FmNWQzZTdlZjM1IiwiaXNzIjoiaHR0cHM6Ly9hcGktcGlsb3QuZWJzaS5ldS9hdXRob3Jpc2F0aW9uL3Y0In0.Ay6aNPHCNucsqIIZJ1FUIyP7tNTGXYeFiH7BHk-caLmMCrdJY5OKnsbVfy-CGnVvUkDoxoz1CHCaXhG9-8gNzQ",
"token_type": "Bearer",
"expires_in": 7200,
"scope": "openid tir_write",
"id_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IldqQVB6c0RyYmtWQU0xYkhpdVh5dDlPRmdQZVRSRGpLVjNncGg1RURWUGMiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjk5NTAsImV4cCI6MTcwMDIzNzE1MCwic3ViIjoiZGlkOmVic2k6elplS3lFSmZVVEd3YWpoTnlOWDkyOHoiLCJhdWQiOiJkaWQ6ZWJzaTp6WmVLeUVKZlVUR3dhamhOeU5YOTI4eiIsImp0aSI6ImVjNGUyZmI2LTQwMjQtNDRmMy1iMDYyLTRiYWRkM2JlN2JmOSIsIm5vbmNlIjoiMTYwZGU1NDctYjM3NC00ZjkxLTk2NzQtYTFjM2UyZTk5YTNlIiwiaXNzIjoiaHR0cHM6Ly9hcGktcGlsb3QuZWJzaS5ldS9hdXRob3Jpc2F0aW9uL3Y0In0.4AHlaJHpGsQuViKnfpItuxF5fcXZwVbW3KcoUkCbCU0wOaIo6A22N74Q8mD2ndu_qkHYoRDX3ardzDpQuDsqfQ"
}
Now load the access token:
==> using token resAuthTIR.access_token
Pre-register the VC
Now pre-register the credential in the Trusted Issuers Registry:
==> tir-new setAttributeMetadata <NEW_ISSUER_DID> reservedAttributeId <ISSUER_TYPE> user.did <USER_ATTRIBUTE_ID>
...
Issuer did:ebsi:zy8Psj9ez9wrsSZ7vrHE221
{
"attributeId": "b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4",
"issuerType": "ti"
}
where NEW_ISSUER_DID is the DID of the new issuer, ISSUER_TYPE must be roottao, tao, or ti depending on the case, and USER_ATTRIBUTE_ID is your attribute ID that accredits you to issue this type of credentials.
You have issued and pre-registered a new credential for a trusted issuer. Now share the credential with the issuer so they can register it.