Matter PAI

Your own branded intermediate CA, under SSL.com's Matter-accredited root

A Matter Product Attestation Intermediate (PAI) gives device manufacturers their own intermediate Certificate Authority under SSL.com's CSA-authorized PAA root. Every DAC issued from your PAI carries your organization's identity in the certificate chain.

Your own intermediate CA for Matter device certificates

The Matter security model uses a three-level certificate chain: PAA (root CA, operated by CSA-authorized entities like SSL.com) → PAI (intermediate CA, per manufacturer) → DAC (unique per-device leaf certificate).

When SSL.com issues you a PAI, your organization becomes the intermediate CA for your product line. Your company name appears in every device's certificate chain.

DAC only (no PAI)

SSL.com PAA → SSL.com PAI → Device DAC

Your own PAI

SSL.com PAA → Your PAI → Device DAC
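The three-level chain described above can be reproduced in a lab with the `openssl` CLI. This is an added example, not SSL.com's tooling or issuance process: every subject name is a placeholder, and the P-256 keys and extension values are assumptions chosen for the lab. It shows that the DAC's issuer field carries the PAI's name, and that a verifier trusting only the PAA cannot validate a DAC unless the PAI is supplied as an intermediate.

```shell
#!/bin/sh
# Constructed lab chain. All names are placeholders, not real SSL.com or
# Matter certificates, and the extension set is a minimal assumption.
set -e

# issue NAME SUBJECT EXT_SECTION [SIGNER]: create a P-256 key and certificate.
# Without SIGNER the certificate is self-signed (the root).
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
  if [ -n "$4" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  fi
}

build_chain() {   # build PAA -> PAI -> DAC inside directory $1
  ( cd "$1"
    cat > ext.cnf <<'EOF'
[paa]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
[pai]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[dac]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
    issue paa "/O=Example Root Operator/CN=Example PAA" paa
    issue pai "/O=Example Devices Inc/CN=Example Devices PAI" pai paa
    issue dac "/O=Example Devices Inc/CN=Example Device 0001" dac pai )
}

# The DAC's issuer is the PAI's subject, i.e. the manufacturer's own name.
dac_issuer() { openssl x509 -in "$1/dac.pem" -noout -issuer -nameopt RFC2253; }

# A verifier that trusts only the PAA needs the PAI supplied as an intermediate.
verify_with_pai()    { openssl verify -CAfile "$1/paa.pem" -untrusted "$1/pai.pem" "$1/dac.pem" >/dev/null 2>&1; }
verify_without_pai() { openssl verify -CAfile "$1/paa.pem" "$1/dac.pem" >/dev/null 2>&1; }

d=$(mktemp -d); build_chain "$d"; dac_issuer "$d"
```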

A PAI is the right choice when…

Scale matters

You manufacture at sufficient scale that your own intermediate CA is strategically important.

Brand identity

Your brand in the certificate chain matters, for enterprise customers or regulatory contexts.

Multiple product lines

You have multiple product lines that should be separated in the PKI hierarchy.

Direct control

You want to control DAC issuance directly via your own systems using the REST API.

Shipping a smaller volume? Matter DAC certificates issued directly from SSL.com's PAI are the faster, simpler path.

Key benefits

Your brand in the chain

Your organization name appears in the issuer field of every DAC issued under your PAI. Ecosystem controllers show your brand during device commissioning: Apple Home, Google Home, and Alexa apps display the verified manufacturer identity.

Multiple product lines

Issue separate PAIs for different product lines, sub-brands, or OEM partnerships. One enterprise engagement covers the entire portfolio with independent revocation authority per product line.

Manufacturing integration

Use SSL.com’s SWS REST API to issue DACs from your PAI at manufacturing-line scale. The integration is optimized for high-volume programs: millions of devices per year, sub-second issuance latency.

Key custody options

SSL.com can manage the PAI private key in a FIPS 140-2 Level 3 cloud HSM, or arrange custom key custody for manufacturers with specific sovereignty, operational, or security requirements.

Request Matter PAI issuance

PAI issuance is an enterprise engagement. Contact our IoT certificate team to discuss your device volumes, product-line structure, key custody requirements, and manufacturing-line integration approach.

How it works

1. Organization validation

SSL.com validates your organization and confirms eligibility.

2. PAI issuance

SSL.com issues your PAI signed by SSL.com's CSA-authorized PAA root.

3. Key custody

PAI private key stored in a cloud HSM managed by SSL.com.

4. DAC issuance

Use the REST API to issue DACs from your PAI for each device.

5. Matter certification

Devices carrying DACs from your PAI are valid for Matter certification.

Frequently asked questions

Yes: organizations can have multiple PAIs, for example one per product line or brand.
SSL.com can revoke your PAI and issue a new one. Key custody in SSL.com's HSM mitigates this risk.
Yes: once your PAI is issued, you can use SSL.com's REST API to issue DACs automatically.
With SSL.com's shared PAI, SSL.com's name appears in the chain. With your own PAI, your organization's name appears instead.

Related products

Matter DAC

Individual Device Attestation Certificates: one per manufactured unit. Simpler and faster for most manufacturers shipping a single product line under SSL.com’s own PAA without dedicated intermediate CA infrastructure.

Client Authentication

X.509 client authentication certificates for machine-to-machine network access control in IoT deployments. Enables mutual TLS between devices and cloud backends, device-to-gateway mTLS, and zero-trust device admission.

OV Code Signing

Organization Validated code signing certificates for signing device firmware, bootloaders, and OTA update packages. Devices verify signatures before applying updates: cryptographic integrity for the full device software lifecycle.
