Matter PAI

Your own branded intermediate CA — under SSL.com's Matter-accredited root

A Matter Product Attestation Intermediate (PAI) gives device manufacturers their own intermediate Certificate Authority under SSL.com's CSA-authorized PAA root. Every DAC issued from your PAI carries your organization's identity in the certificate chain.

Contact us for PAI issuance Or get individual DACs

Your own intermediate CA for Matter device certificates

The Matter security model uses a three-level certificate chain: PAA (root CA, operated by CSA-authorized entities like SSL.com) → PAI (intermediate CA, per manufacturer) → DAC (unique per-device leaf certificate).

When SSL.com issues you a PAI, your organization becomes the intermediate CA for your product line. Your company name appears in every device's certificate chain.

DAC only (no PAI)

SSL.com PAA → SSL.com PAI → Device DAC

Your own PAI

SSL.com PAA → Your PAI → Device DAC

A PAI is the right choice when…

Scale matters

You manufacture at sufficient scale that your own intermediate CA is strategically important.

Brand identity

Your brand in the certificate chain matters — for enterprise customers or regulatory contexts.

Multiple product lines

You have multiple product lines that should be separated in the PKI hierarchy.

Direct control

You want to control DAC issuance directly via your own systems using the REST API.

Shipping a smaller volume? Matter DAC certificates issued directly from SSL.com's PAI are the faster, simpler path.

Key benefits

Your brand in the chain

Your organization name appears in every DAC issued for your devices.

Multiple product lines

Issue separate PAIs for different product lines or brands.

Manufacturing integration

Use SSL.com's REST API to issue DACs from your PAI at any scale.

Key custody options

SSL.com can manage the PAI key in a cloud HSM, or work on custom custody.

Request Matter PAI issuance

PAI issuance is an enterprise engagement. Contact our IoT certificate team to discuss your device volumes, product-line structure, key custody requirements, and manufacturing-line integration approach.

How it works

1

Organization validation

SSL.com validates your organization and confirms eligibility.

2

PAI issuance

SSL.com issues your PAI signed by SSL.com's CSA-authorized PAA root.

3

Key custody

PAI private key stored in a cloud HSM managed by SSL.com.

4

DAC issuance

Use the REST API to issue DACs from your PAI for each device.

5

Matter certification

Devices carrying DACs from your PAI are valid for Matter certification.

Frequently asked questions

Yes — organizations can have multiple PAIs, for example one per product line or brand.
SSL.com can revoke your PAI and issue a new one. Key custody in SSL.com's HSM mitigates this risk.
Yes — once your PAI is issued, you can use SSL.com's REST API to issue DACs automatically.
With SSL.com's shared PAI, SSL.com's name appears in the chain. With your own PAI, your organization's name appears instead.

Related products

Matter DAC

Individual device certificates — simpler and faster for most manufacturers.

Learn more

Client Authentication

Machine-to-machine network access control for IoT devices.

Learn more

OV Code Signing

Sign device firmware and OTA update packages.

Learn more

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.

Take Survey
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognizing you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

For more information read our Cookie and privacy statement.

3rd Party Cookies

This website uses Google Analytics & Statcounter to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Keeping these cookies enabled helps us to improve our website.

Show details
Powered by  GDPR Cookie Compliance