nRF5340+nRF7002: Matter-over-WiFi Commissioning failed with our own generated CD, PAA, PAI, DAC and factory data

Hi,

We are using NCS v3.0.2 on nRF5340+nRF7002.

We have an error when doing matter commissioning using our own generated CD, PAA, PAI, DAC and factory data, see error below:

>>pairing ble-wifi 1 myssid mypassword 12345678 3840 --paa-trust-store-path /var/paa-root-certs/
...
...
 [1773905166.510] [9714:9716] [-] Unable to find PAA, err: src/credentials/attestation_verifier/DeviceAttestationVerifier.h:252: CHIP Error 0x0000004A: CA certificate not found, PAI's AKID: 60:98:39:11:8F:E4:03:6E:D3:BD:78:46:F3:0C:9B:D6:A9:1E:36:27
[1773905166.510] [9714:9716] [CTL] Error on commissioning step 'AttestationVerification': 'src/controller/CHIPDeviceController.cpp:1334: CHIP Error 0x00000020: Failed Device Attestation'

What we have done:
Generate Certification Declaration CD:
chip-cert gen-cd \
--key credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem \
--cert credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem \
--out CD.der \
--format-version 1 \
--vendor-id 0x<OURVID> \
--product-id 0x<OURPID> \
--device-type-id 0xA \
--certificate-id ZIG20142ZB330003-24 \
--security-level 0 \
--security-info 0 \
--certification-type 1 \
--version-number 0x2694

convert CD to bytes:
  cat CD.der | xxd -i

CD bytes to file chip_project_config.h 

#ifndef CHIP_USE_DEVICE_CONFIG_CERTIFICATION_DECLARATION
#define CHIP_USE_DEVICE_CONFIG_CERTIFICATION_DECLARATION 1
#endif
#define CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION {0x30, 0x81, 0xe7,.....}



We also generate PAA, PAI, DAC using the commands:
chip-cert gen-att-cert \
--type a \
--subject-cn "ourCompany PAA CN" \
--subject-vid 0x<OURVID> \
--valid-from "2025-06-28 14:23:43" \
--lifetime 7305 \
--out-key Chip-PAA-Key.pem \
--out Chip-PAA-Cert.pem

chip-cert gen-att-cert \
--type i \
--subject-cn "ourCompany PAI CN" \
--subject-vid 0x<OURVID> \
--valid-from "2025-06-28 14:23:43" \
--lifetime 7305 \
--ca-key Chip-PAA-Key.pem \
--ca-cert Chip-PAA-Cert.pem \
--out-key Chip-PAI-Key.pem \
--out Chip-PAI-Cert.pem

chip-cert gen-att-cert \
--type d \
--subject-cn "ourCompany DAC 01" \
--subject-vid 0x<OURVID> \
--subject-pid 0x1 \
--valid-from "2025-06-28 14:23:43" \
--lifetime 7305 \
--ca-key Chip-PAI-Key.pem \
--ca-cert Chip-PAI-Cert.pem \
--out-key Chip-DAC-Key.pem \
--out Chip-DAC-Cert.pem

chip-cert validate-att-cert --dac Chip-DAC-Cert.pem --pai Chip-PAI-Cert.pem --paa Chip-PAA-Cert.pem

openssl x509 -in Chip-PAI-Cert.pem -outform DER -out Chip-PAI-Cert.der
openssl x509 -in Chip-DAC-Cert.pem -outform DER -out Chip-DAC-Cert.der
openssl ec -in Chip-DAC-Key.pem -outform DER -out Chip-DAC-Key.der



Then we generate the factory data:
python scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py \
...
...
...
--dac_cert "Chip-DAC-Cert.der" \
--dac_key "Chip-DAC-Key.der" \
--pai_cert "Chip-PAI-Cert.der" \
....
....
--enable_key 00112233445566778899AABBCCDDEEFF \
--include_passcode \
--overwrite --generate_onboarding


Then we write this factory data to factory_data partition using nrfutil


Questions:
1. In the matter commissioning command, we appended the flag --paa-trust-store-path /var/paa-root-certs/ and we copied the PAA certificate to /var/paa-root-certs, but from the error logs "Unable to find PAA" and "CA certificate not found", what might be the reason for this?

note: when using --bypass-attestation-verifier true, the matter commissioning is successful 


2. Is the way we write the CD to chip_project_config.h correct? And also, how is the CD being used in the application? There is not much documentation related to this and the examples such as matter_weather_station

Thanks.
Regards,
  • Hi, starting with a bullet list with items that might resolve the issue before we dive deeper into the root cause. Could you let me know about the results from any of the suggested items below?

    1. In the matter commissioning command, we appended the flag --paa-trust-store-path /var/paa-root-certs/ and we copied the PAA certificate to /var/paa-root-certs, but from the error logs "Unable to find PAA" and "CA certificate not found", what might be the reason for this?

    note: when using --bypass-attestation-verifier true, the matter commissioning is successful 

    The error message indicates the commissioner cannot find a PAA certificate matching the PAI's Authority Key Identifier (AKID). Based on the knowledge sources and similar cases, here are the most likely causes:

    1. The PAA certificate file format in /var/paa-root-certs/: The chip-tool's --paa-trust-store-path flag looks for a PAA certificate that matches the PAI and DAC certificates programmed on the device. See CHIP Tool guide. A common issue is that the directory must contain the PAA in the correct format (typically .der or .pem). Make sure you have copied the PAA certificate (e.g., Chip-PAA-Cert.der or Chip-PAA-Cert.pem) to /var/paa-root-certs/, not the key file.
    2. CD signed with test key vs. custom PAA: Looking at your CD generation command, you are signing the CD with the test CD signing key (credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem), but your PAA/PAI/DAC chain uses your own custom certificates. The commissioner validates the entire attestation chain: the CD signature, the DAC, the PAI, and the PAA. If the CD is signed with the test key but the PAA is a custom one (not in the built-in trust store), the attestation verifier may fail to reconcile the chain. See CHIP Tool guide

      Potential fix: You can also use the --cd-trust-store-path flag to point to the directory containing the public key used to validate your CD signature, and --only-allow-trusted-cd-keys true if you want to enforce only your custom CD key. See CHIP Tool guide

    3. A user who resolved a very similar issue noted: "if the certificate is supplied by a third party, the chip-cert tool needs to specify the certificate source using dac-origin-xx-id and declare our own information using xx-id." See this DevZone thread
    4. Also, double-check that the AKID in the PAI certificate correctly matches the Subject Key Identifier (SKID) of the PAA certificate you placed in /var/paa-root-certs/. The error explicitly references the PAI's AKID (60:98:39:11:8F:E4:03:6E:D3:BD:78:46:F3:0C:9B:D6:A9:1E:36:27), meaning the commissioner is looking for a PAA whose SKID matches this value but cannot find it in the provided directory.

    2. Is the way we write the CD to chip_project_config.h correct? And also, how is the CD being used in the application? There is not much documentation related to this and the examples such as matter_weather_station

    Your approach of converting the CD to a byte array and placing it in chip_project_config.h using CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION is the correct method described in the nRF Connect SDK documentation: "In the nRF Connect SDK implementation of Matter, you can configure CD by adding the CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION define in the chip_project_config.h file. You can locate the array of bytes related to CD by running the search with the following condition:"

    cat CD.der | xxd -i

    See Storing CD in firmware

    The CD is included in the attestation information packet sent by the device (commissionee) during the Device Attestation procedure. It is a cryptographic document that confirms the device type was certified, and it contains Vendor ID, Certificate ID, certification type, and other fields. Importantly, CD is stored in the application firmware (not in factory data), because it must be updated with each new software version/recertification. See Device Attestation overview

    An alternative to embedding it in chip_project_config.h is to store it in Zephyr's Settings subsystem by enabling CONFIG_CHIP_CERTIFICATION_DECLARATION_STORAGE in prj.conf, which allows updating the CD after programming. See Storing CD in firmware

    Note: Since you are using the test CD signing key, the commissioner's built-in test CD public key will be used to validate it. If you intend to use a production CD key, you must provide the corresponding public key via --cd-trust-store-path.

    Let me know about these items, whether they are able to help you resolve the problem you're facing or not, and I will get back to you

    Kind regards,
    Andreas
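To make item 4 above concrete: the commissioner finds the PAA for a PAI by comparing the PAI's Authority Key Identifier (X.509 extension 2.5.29.35) with the Subject Key Identifier (extension 2.5.29.14) of each certificate in the --paa-trust-store-path directory. The script below is an added example, not Nordic's or chip-tool's own code; it walks the DER structure of a certificate just far enough to read those two extensions and reports which file in the trust store (if any) satisfies the lookup. The only value taken from this thread is the PAI AKID printed in the error log; the fake_cert builder constructs unsigned certificate skeletons purely so the lookup can be exercised offline, and the parser works on real .der or .pem files produced by chip-cert as well.

```python
"""Explain 'Unable to find PAA': match a PAI's AKID against the SKIDs in a trust store.

Added example (not chip-tool or nRF Connect SDK code). Usage:
    python3 find_paa.py Chip-PAI-Cert.pem /var/paa-root-certs/
"""
import base64
import os

OID_SKID = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier
OID_AKID = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier


def read_tlv(buf, off=0):
    """Decode one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def children(value):
    """Split the body of a constructed DER element into its (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, inner, off = read_tlv(value, off)
        out.append((tag, inner))
    return out


def load_cert(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def fmt(b):
    """Colon-separated uppercase hex, the same form chip-tool prints in its log."""
    return ":".join(f"{x:02X}" for x in b)


def key_identifiers(cert_der):
    """Return {'skid': ..., 'akid': ...} for an X.509 DER certificate (absent keys omitted)."""
    _, cert, _ = read_tlv(cert_der)           # Certificate ::= SEQUENCE
    tbs_tag, tbs = children(cert)[0]          # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    ids = {}
    for tag, value in children(tbs):
        if tag != 0xA3:                       # extensions [3] EXPLICIT
            continue
        _, ext_seq = children(value)[0]       # SEQUENCE OF Extension
        for _, ext in children(ext_seq):
            parts = children(ext)             # OID, optional BOOLEAN critical, OCTET STRING
            oid, extn_value = parts[0][1], parts[-1][1]
            if oid == OID_SKID:
                _, keyid, _ = read_tlv(extn_value)     # OCTET STRING keyIdentifier
                ids["skid"] = fmt(keyid)
            elif oid == OID_AKID:
                _, akid_seq, _ = read_tlv(extn_value)  # AuthorityKeyIdentifier SEQUENCE
                for t, v in children(akid_seq):
                    if t == 0x80:                      # [0] keyIdentifier
                        ids["akid"] = fmt(v)
    return ids


def find_paa(pai_der, trust_store):
    """Mirror the commissioner's lookup: the PAI's AKID must equal some PAA's SKID."""
    akid = key_identifiers(pai_der).get("akid")
    for name, data in trust_store.items():
        try:
            ids = key_identifiers(load_cert(data))
        except (ValueError, IndexError):      # not a certificate (e.g. a key file): skip it
            continue
        if akid is not None and ids.get("skid") == akid:
            return name
    return None


def load_trust_store(directory):
    """Read every regular file in the directory, keyed by file name."""
    return {n: open(os.path.join(directory, n), "rb").read()
            for n in sorted(os.listdir(directory)) if os.path.isfile(os.path.join(directory, n))}


def tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed test certificates."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(skid, akid=None):
    """Constructed, unsigned certificate skeleton carrying only SKID (and optionally AKID)."""
    exts = [tlv(0x30, tlv(0x06, OID_SKID) + tlv(0x04, tlv(0x04, skid)))]
    if akid is not None:
        exts.append(tlv(0x30, tlv(0x06, OID_AKID) + tlv(0x04, tlv(0x30, tlv(0x80, akid)))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 5
           + tlv(0xA3, tlv(0x30, b"".join(exts))))  # version, serial, 5 empty fields, extensions
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    pai = load_cert(open(sys.argv[1], "rb").read())
    print("PAI AKID:", key_identifiers(pai).get("akid"))
    print("matching PAA:", find_paa(pai, load_trust_store(sys.argv[2])) or "none")
```

Pointing it at Chip-PAI-Cert.pem and /var/paa-root-certs/ shows directly whether the directory holds a certificate with the SKID the PAI names; a result of none is exactly the situation the "CA certificate not found" error describes, and a directory that contains only Chip-PAA-Key.pem produces the same result because the key file is skipped.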
