
Issuing QEAA using Sign8

This guide covers issuing a Qualified Electronic Attestation of Attributes (QEAA) using Sign8 as the qualified trust service provider (QTSP). It walks through onboarding with Sign8, configuring the SIGN8 key storage provider, and the one-time identifier and credential schema setup required before you can issue.

Onboarding with Sign8

Account and client

  • Account ID — your global customer ID with Sign8.
  • Client — generate a new client to get a client ID, client secret, and redirect URI.
note

The redirect URI is documented as optional, but Sign8 currently requires a value to be set. The value itself doesn't matter, but whatever you put here must also be set in the Procivis One config.

Authentication certificate

  1. Generate an ECDSA key (P-256) and CSR:

     openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -out certificate.csr -keyout private.key

  2. In Sign8, go to 2FA Settings > Authentication Certificate and create a new one.

  3. Under Credentials, select your pre-provisioned credential (you may need to add the CN / Common Name).

  4. Paste your CSR and download the resulting authentication certificate.

By the end of onboarding, you should have:

  • Account ID
  • Client ID, client secret, redirect URI
  • Authentication certificate (PEM)
  • Credential ID — found in the SAN of the authentication certificate, for example, URI:credid:<credential-id>
  • The private key generated above

Configuration

Configure the SIGN8 key storage provider with the values from onboarding, and the EAA_CATEGORY datatype:

keyStorage:
  SIGN8:
    type: SIGN8
    display: "keyStorage.sign8"
    enabled: true
    params:
      private:
        cscBaseUrl: "https://api.uat.sign8.eu"
        oauthUrl: "https://auth.uat.sign8.eu"
        accountId: ""
        clientId: ""
        clientSecret: ""
        redirectUrl: ""
        certificate: ""
        privateKey: ""
datatype:
  EAA_CATEGORY:
    display: "datatype.eaaCategory"
    type: "ENUM"
    order: 500
    params:
      public:
        values:
          - value: urn:etsi:esi:eaa:eu:pub
            display: "datatype.category.public"
          - value: urn:etsi:esi:eaa:eu:qualified
            display: "datatype.category.qualified"
info

SIGN8 and EAA_CATEGORY are instance names here; you can rename them. The type values (SIGN8 and ENUM) and the urn:etsi:esi:eaa:eu:qualified enum value are fixed and must stay as shown.

One-time identifier setup

Create an ECDSA key using the SIGN8 key storage provider, with your Sign8 credential ID in storageParams:

POST /api/key/v1
Content-Type: application/json
Accept: application/json
Authorization: Bearer <TOKEN>

{
  "keyParams": {},
  "keyType": "ECDSA",
  "name": "My QEAA key",
  "organisationId": "{{ORG-UUID}}",
  "storageParams": {
    "credentialId": "{{CREDID-FROM-AUTH-CERT}}"
  },
  "storageType": "SIGN8"
}

Then create a certificate identifier using that key and the PEM certificate from Sign8, not the TLS certificate from the config. In the Sign8 UI this is called the "Qualified Seal" certificate.

caution

Sign8's UI doesn't currently support downloading this certificate directly. You'll need to request it from Sign8.

POST /api/identifier/v1
Content-Type: application/json
Accept: application/json
Authorization: Bearer <TOKEN>

{
  "name": "My QEAA Certificate Identifier",
  "organisationId": "{{ORG-UUID}}",
  "certificates": [
    {
      "chain": "-----BEGIN CERTIFICATE-----\nMIIDo.....\n-----END CERTIFICATE-----",
      "keyId": "{{KEY-UUID}}",
      "name": "Certificate name"
    }
  ]
}

One-time credential schema setup

Create a schema for the credential you want to issue. Include a claim with datatype EAA_CATEGORY alongside your other claims:

POST /api/credential-schema/v2
Content-Type: application/json
Accept: application/json
Authorization: Bearer <TOKEN>

{
  "layoutType": "CARD",
  "name": "My QEAA Credential",
  "claims": [
    {
      "array": false,
      "datatype": "STRING",
      "key": "Name",
      "mappings": [
        {
          "format": "SD_JWT_VC",
          "technicalKey": "name"
        }
      ],
      "required": true
    },
    {
      "datatype": "EAA_CATEGORY",
      "key": "Type of EAA",
      "mappings": [
        {
          "format": "SD_JWT_VC",
          "technicalKey": "type_of_eaa"
        }
      ],
      "required": true
    }
  ],
  "formats": [
    {
      "format": "SD_JWT_VC"
    }
  ]
}
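The configuration check and the three one-time calls above (key, certificate identifier, credential schema) can be scripted so that the key ID returned by the first call flows into the second, and the schema cannot be created without an EAA_CATEGORY claim. The following is an added example written for this guide, not Procivis One or Sign8 code. It assumes the config is available as a parsed dict (for instance from the YAML above), that each create endpoint answers with a JSON object carrying an `id` field, and it pulls the credential ID from the `URI:credid:<credential-id>` SAN entry of the authentication certificate. The HTTP transport is injectable so the sequence can be dry-run against a fake before touching a live instance.

```python
import json
import urllib.request
from typing import Callable, Dict, List

# Fixed enum values of the EAA_CATEGORY datatype.
EAA_QUALIFIED = "urn:etsi:esi:eaa:eu:qualified"
EAA_PUBLIC = "urn:etsi:esi:eaa:eu:pub"

# Private params of the SIGN8 key storage provider; all must be non-empty
# (redirectUrl is documented as optional, but Sign8 rejects an empty one).
SIGN8_REQUIRED_PARAMS = ("cscBaseUrl", "oauthUrl", "accountId", "clientId",
                         "clientSecret", "redirectUrl", "certificate", "privateKey")


def check_sign8_config(config: dict, eaa_datatype: str = "EAA_CATEGORY") -> List[str]:
    """Preflight the keyStorage/datatype config. Returns a list of problems; empty is good."""
    problems = []
    stores = config.get("keyStorage", {})
    sign8 = next((s for s in stores.values() if s.get("type") == "SIGN8"), None)
    if sign8 is None:
        problems.append("no keyStorage entry with type SIGN8")
    else:
        private = sign8.get("params", {}).get("private", {})
        for name in SIGN8_REQUIRED_PARAMS:
            if not private.get(name):
                problems.append(f"SIGN8 param {name} is empty")
    dt = config.get("datatype", {}).get(eaa_datatype, {})
    values = [v.get("value") for v in dt.get("params", {}).get("public", {}).get("values", [])]
    if dt.get("type") != "ENUM" or EAA_QUALIFIED not in values:
        problems.append(f"{eaa_datatype} must be an ENUM containing {EAA_QUALIFIED}")
    return problems


def credential_id_from_san(san_entry: str) -> str:
    """Extract the Sign8 credential ID from the SAN entry URI:credid:<credential-id>."""
    uri = san_entry[4:] if san_entry.startswith("URI:") else san_entry
    cred_id = uri[len("credid:"):] if uri.startswith("credid:") else ""
    if not cred_id:
        raise ValueError(f"not a credid SAN entry: {san_entry!r}")
    return cred_id


def key_request(org_id: str, credential_id: str, name: str = "My QEAA key") -> dict:
    return {"keyParams": {}, "keyType": "ECDSA", "name": name, "organisationId": org_id,
            "storageParams": {"credentialId": credential_id}, "storageType": "SIGN8"}


def identifier_request(org_id: str, key_id: str, chain_pem: str,
                       name: str = "My QEAA Certificate Identifier") -> dict:
    # chain_pem must be the Qualified Seal certificate from Sign8, not the TLS cert.
    if "-----BEGIN CERTIFICATE-----" not in chain_pem:
        raise ValueError("certificate chain is not PEM")
    return {"name": name, "organisationId": org_id,
            "certificates": [{"chain": chain_pem, "keyId": key_id, "name": "Certificate name"}]}


def sd_jwt_claim(key: str, technical_key: str, datatype: str = "STRING") -> dict:
    return {"array": False, "datatype": datatype, "key": key, "required": True,
            "mappings": [{"format": "SD_JWT_VC", "technicalKey": technical_key}]}


def schema_request(name: str, claims: list, eaa_datatype: str = "EAA_CATEGORY") -> dict:
    # Refuse to build a schema that has no category claim; issuance needs it.
    if not any(c.get("datatype") == eaa_datatype for c in claims):
        raise ValueError(f"schema needs a {eaa_datatype} claim")
    return {"layoutType": "CARD", "name": name, "claims": claims,
            "formats": [{"format": "SD_JWT_VC"}]}


def api_poster(base_url: str, token: str) -> Callable[[str, dict], dict]:
    """Real transport: POST JSON to Procivis One with a bearer token (hypothetical base URL)."""
    def post(path: str, body: dict) -> dict:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json", "Accept": "application/json",
                     "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post


def run_setup(post: Callable[[str, dict], dict], org_id: str,
              san_entry: str, chain_pem: str) -> Dict[str, str]:
    """Run the three one-time calls in order; assumes each reply carries an "id" field."""
    key = post("/api/key/v1", key_request(org_id, credential_id_from_san(san_entry)))
    ident = post("/api/identifier/v1", identifier_request(org_id, key["id"], chain_pem))
    claims = [sd_jwt_claim("Name", "name"),
              sd_jwt_claim("Type of EAA", "type_of_eaa", "EAA_CATEGORY")]
    schema = post("/api/credential-schema/v2", schema_request("My QEAA Credential", claims))
    return {"keyId": key["id"], "identifierId": ident["id"], "schemaId": schema["id"]}
```

Against a live instance, pass `api_poster("https://<your-procivis-one-host>", token)` as `post`; the returned identifier and schema IDs are the ones to use when creating credentials in the next section.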

Issuing QEAA

Using the schema above, create and share the credential as you normally would:

  • Use the certificate identifier created above.
  • For the EAA_CATEGORY claim, use urn:etsi:esi:eaa:eu:qualified.

When the credential is issued, Procivis One calls Sign8 to get it signed and sealed.