Device & Machine Trust

Device & Machine Trust

Every device on your network should prove it belongs there

 

Explore solutions Talk to an expert

Two ways to establish device identity

Matter Certificates

Certified device identity for the smart home and IoT ecosystem. SSL.com is a CSA-authorized Product Attestation Authority (PAA) issuing Matter-compliant Device Attestation Certificates (DAC) and Product Attestation Intermediate (PAI) certificates: required for device certification on Apple Home, Google Home, and Amazon Alexa.
Explore Matter Certificates

Client Authentication Certificates

Certificate-based access control for devices, machines, users, and service-to-service communications. Replaces password authentication with mutual TLS (mTLS) that is far more resistant to credential theft, phishing, and brute-force attacks. Issued under SSL.com’s public or private CA infrastructure with full REST API for automation.
Explore Client Authentication

Devices and machines are the fastest-growing attack surface

As IoT devices proliferate and networks grow more complex, cryptographic device identity is no longer optional. SSL.com provides Matter DAC and PAI certificates for smart home and IoT device manufacturers, and Client Authentication certificates for securing machine-to-machine and user-to-network access, from a CSA-authorized, WebTrust-audited CA.

Billions of IoT devices are deployed with weak or no cryptographic identity. The Matter standard, ETSI EN 303 645, the EU Cyber Resilience Act, and NIST guidelines are all pushing towards mandatory cryptographic device identity.

SSL.com’s Device & Machine Trust products address two distinct scenarios: Matter DAC & PAI for smart home and IoT device manufacturers, and Client Authentication Certificates for enterprises securing machine-to-machine communications.

Which solution do you need?

Device manufacturer seeking Matter certification

Matter DAC and/or Matter PAI: SSL.com is CSA-authorized. DACs are required for every individual device unit.

Securing machine-to-machine or network access

Client Authentication Certificates: certificate-based identity for devices, services, and users accessing enterprise networks.

Compliance & standards

Matter (CSA)

Matter Device Attestation Certificates are mandatory for Matter-certified products under Connectivity Standards Alliance policy. SSL.com is an authorized PAA, enabling manufacturers to issue per-device DAC certificates that satisfy Matter certification requirements for Apple Home, Google Home, and Alexa compatibility.

ETSI EN 303 645

European consumer IoT security baseline standard. Provision 5.1-1 requires unique device identities: SSL.com PKI provides the cryptographic device identity certificates that satisfy this baseline requirement for connected consumer products sold in the EU.

EU Cyber Resilience Act

Security-by-design requirements under the EU Cyber Resilience Act (applicable in phases through December 2027) mandate cryptographic device identity, secure update mechanisms, and vulnerability management. SSL.com Matter DAC, Client Authentication, and OV Code Signing together address CRA Annex I conformity.

IEC 62443

The IEC 62443 industrial automation and control systems security framework requires certificate-based device authentication across Security Levels 2-4. SSL.com Client Authentication certificates and Managed PKI meet these requirements for SCADA, DCS, and industrial IoT environments.

Why SSL.com

CSA-authorized Matter PAA

SSL.com is an authorized Product Attestation Authority under the Connectivity Standards Alliance: the required path for Matter-certified device launch. One of a limited number of PAAs worldwide.

High-volume API-driven issuance

SWS REST API supports automated, manufacturing-line certificate issuance at scale. Optimized for batch ordering, programmatic DAC provisioning, and multi-million-unit production programs. Proven at device-scale.

WebTrust for CA (BDO)

Annual BDO audits cover CA operations, Baseline Requirements SSL, S/MIME BR, Code Signing BR, and Network Security: continuous assurance under every public trust program.

In operation since 2002

Over two decades of continuous public CA operations through every major browser root program evolution: proven infrastructure for large-scale device programs.

Frequently asked questions

A Matter Device Attestation Certificate (DAC) is a per-device X.509 certificate that provides cryptographic identity for products certified under the Matter smart home standard. One DAC is issued per manufactured unit, enabling unique device identity that Matter controllers (Apple Home, Google Home, Amazon Alexa, Samsung SmartThings) verify during commissioning. DACs are mandatory for Matter certification, the Connectivity Standards Alliance (CSA) requires them for every Matter-certified product launch. SSL.com is a CSA-authorized Product Attestation Authority (PAA) issuing Matter-compliant DACs via SWS REST API at manufacturing-line scale.
DAC (Device Attestation Certificate) is the per-device certificate, one per manufactured unit. PAI (Product Attestation Intermediate) is your own branded intermediate CA that sits between SSL.com's PAA root and your DACs. With a PAI, your organization name appears in the issuer chain for every DAC you issue under it. Most manufacturers shipping a single product line use SSL.com's own PAA to issue DACs directly. Multi-product manufacturers, OEM programs, and organizations that need their brand in the certificate chain opt for a dedicated PAI.
A Client Authentication certificate is an X.509 certificate with the clientAuth extended key usage flag. When a client (user, device, service) presents this certificate during a TLS handshake, the server cryptographically verifies the client's identity before granting access. This is the foundation of zero-trust network architectures, mutual TLS (mTLS), where both sides of a connection prove their identity before any data is exchanged. Typical uses: replacing password-based access with certificate authentication, machine-to-machine service authentication, VPN client authentication, and device admission control in industrial IoT environments.
Yes. SSL.com is a Product Attestation Authority (PAA) authorized by the Connectivity Standards Alliance (CSA), the required credential path for Matter-certified device launch. SSL.com is one of a limited number of PAAs worldwide. Being an authorized PAA means SSL.com can issue both DACs directly and PAIs for manufacturers operating their own intermediate CAs. Private keys are generated and stored in FIPS 140-2 Level 3 validated HSMs per CSA attestation policy.
Yes. Beyond consumer IoT (Matter), SSL.com provides Client Authentication certificates and Managed PKI for industrial IoT, OT (operational technology), automotive ECUs, medical devices, and critical infrastructure device identity. SSL.com's offerings align with IEC 62443 industrial automation security, ETSI EN 303 645 consumer IoT baseline, NIST SP 800-213 IoT device cybersecurity, and the EU Cyber Resilience Act (applicable in phases through December 2027). High-volume manufacturing-line issuance is supported via the SWS REST API.

Secure your devices with cryptographic identity

Matter DAC/PAI for IoT manufacturers: Client Authentication for enterprise networks
Explore solutions

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.

Take Survey
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognizing you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

For more information read our Cookie and privacy statement.

3rd Party Cookies

This website uses Google Analytics & Statcounter to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Keeping these cookies enabled helps us to improve our website.

Show details
Powered by  GDPR Cookie Compliance