Using Registrar Certificates in Presentation Requests

Audience: Relying Parties building OpenID4VP / HAIP presentation requests for the German EUDI Wallet Ecosystem.

This page explains how to use the two registrar certificates in your presentation request: the Access Certificate in the request header and the Registration Certificate in verifier_info.

1. Which certificate belongs in which part of the request?

The Sandbox Registrar provides two distinct certificates:

  • Access Certificate: identifies the RP or EAA Provider to the wallet and establishes verifier trust in the presentation request. This certificate is delivered in the x5c header of the presentation request.
  • Registration Certificate: contains verifier metadata used by the wallet to determine additional information such as the requested presentation purpose and user-facing context. This certificate is carried in verifier_info.

2. What the registrar actually provides

  • The Access Certificate is provided as a .crt file.
  • The Registration Certificate is provided as a registration-certificate.json file containing a JWT.

Because the naming is confusing, remember:

  • .crt → Access Certificate → x5c
  • registration-certificate.json → Registration Certificate (JWT) → verifier_info

3. Include the Access Certificate in x5c

Your signed request object should include the Access Certificate in its JOSE header, using the x5c header array.

Preparing the Access Certificate

The Access Certificate is downloaded as a .crt file. Before including it in the x5c header, you must:

  1. Convert the .crt file to DER format:

    openssl x509 -in access-certificate.crt -outform der -out access-certificate.der
    

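  2. Base64 encode the DER file as a single line. x5c values use standard Base64 (not Base64URL) and must not contain line breaks:

    base64 < access-certificate.der | tr -d '\n' > access-certificate.b64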
    

  3. Include the Base64 encoded certificate in the x5c header array.

Example header fragment:

{
  "alg": "ES256",
  "typ": "JWT",
  "x5c": [ "MIID..." ]
}

Include only the Access Certificate in the header; do not add any other certificates.

The wallet uses this certificate to identify your verifier and validate the request signature or certificate binding.

4. Include the Registration Certificate in verifier_info

The Registration Certificate is conveyed in the request body using verifier_info. The registration-certificate.json file contains a JWT that can be used directly.

Example:

"verifier_info": {
  "format": "registration_cert",
  "data": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Simply extract the JWT string from the registration-certificate.json file and place it in the verifier_info.data field. The wallet reads this JWT to obtain metadata such as the purpose of the presentation and other verifier-specific context.

5. How these pieces work together

  • The Access Certificate in x5c proves who is making the request.
  • The Registration Certificate in verifier_info tells the wallet why the request is being made and how it should be presented to the user.

6. Validation guidance

  • Confirm the .crt file you received is the Access Certificate and that it has been converted to DER and Base64 encoded (standard Base64, not Base64URL) before it appears in the x5c request header.
  • Confirm the registration-certificate.json file contains the Registration Certificate JWT and that the JWT appears in verifier_info.data.
  • Do not swap these two certificates.
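
The checks above can be run automatically before a request is sent. The following Python preflight check is an added example, not registrar or wallet code; `check_request`, its messages and the sample values are assumptions, and it takes the already-decoded JOSE header and request payload as dicts. It relies on x5c entries being standard Base64 of DER (RFC 7515) and on the Registration Certificate being a compact JWT.

```python
import base64
import binascii
import json
import re

JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _jwt_header(jwt):  # decode the first JWT segment; raises ValueError if malformed
    seg = jwt.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_request(header, payload):
    """Return placement/encoding problems; an empty list means the checks passed."""
    problems = []
    x5c = header.get("x5c")
    if not isinstance(x5c, list) or len(x5c) != 1 or not isinstance(x5c[0], str):
        problems.append("x5c must hold exactly one string: the Access Certificate")
    elif JWT_RE.fullmatch(x5c[0]):
        problems.append("x5c entry looks like a JWT: certificates swapped?")
    else:
        try:
            der = base64.b64decode(x5c[0], validate=True)  # rejects '-', '_', newlines
        except binascii.Error:
            problems.append("x5c entry is not single-line standard Base64")
        else:
            if not der.startswith(b"\x30"):  # DER certificates begin with a SEQUENCE tag
                problems.append("x5c entry is not DER (was the PEM text encoded?)")
    vi = payload.get("verifier_info")  # page shows one object; a list is tolerated (assumption)
    entries = vi if isinstance(vi, list) else [vi]
    regs = [e for e in entries if isinstance(e, dict) and e.get("format") == "registration_cert"]
    if not regs:
        problems.append("verifier_info has no registration_cert entry")
    for entry in regs:
        data = entry.get("data")
        try:
            ok = isinstance(data, str) and JWT_RE.fullmatch(data) and "alg" in _jwt_header(data)
        except (ValueError, TypeError):
            ok = False
        if not ok:
            problems.append("verifier_info.data is not a compact JWT")
    return problems

# Constructed sample values: stand-in bytes and an unsigned token, not real registrar output.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(266)
SAMPLE_X5C = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln"

if __name__ == "__main__":
    swapped = {"format": "registration_cert", "data": SAMPLE_X5C}
    print(check_request({"x5c": [SAMPLE_JWT]}, {"verifier_info": swapped}))
```

These checks cover placement and encoding only; they do not verify the certificate chain or any signature.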

7. Common issues

  • Wallet rejects the request: make sure the Access Certificate is present in x5c and the signed request object uses it consistently.
  • If the Access Certificate is missing, the wallet often reports: Validation Error: Could not trust certificate chain.
  • Wallet does not show the presentation purpose: ensure the Registration Certificate JWT is present in verifier_info and contains the required metadata.