Generated using:

./alchemy zap --attribute="in-progress" --sdkRoot=[] --specRoot=[] 'TLSCertificateManagement.adoc'

With manual edits adding description

.github/workflows/tests.yaml

@@ -195,6 +195,7 @@ jobs:
                       src/app/zap-templates/zcl/data-model/chip/time-format-localization-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/time-synchronization-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/timer-cluster.xml \
+                      src/app/zap-templates/zcl/data-model/chip/tls-certificate-management-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/user-label-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/unit-localization-cluster.xml \
                       src/app/zap-templates/zcl/data-model/chip/wake-on-lan-cluster.xml \

scripts/rules.matterlint

@@ -103,6 +103,7 @@ load "../src/app/zap-templates/zcl/data-model/chip/thread-network-directory-clus
 load "../src/app/zap-templates/zcl/data-model/chip/time-format-localization-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/time-synchronization-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/timer-cluster.xml";
+load "../src/app/zap-templates/zcl/data-model/chip/tls-certificate-management-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/unit-localization-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/user-label-cluster.xml";
 load "../src/app/zap-templates/zcl/data-model/chip/wake-on-lan-cluster.xml";

src/app/zap-templates/zcl/data-model/chip/tls-certificate-management-cluster.xml

@@ -0,0 +1,142 @@
+<?xml version="1.0"?>
+<!--
+Copyright (c) 2024 Project CHIP Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<!--
+XML generated by Alchemy; DO NOT EDIT.
+Source: src/tls/TLSCertificateManagement.adoc
+Parameters: in-progress 
+Git: 1.4-282-gad46b0990
+-->
+<configurator xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../../zcl.xsd">
+  <domain name="General"/>
+  <struct name="TLSCertStruct" apiMaturity="provisional">
+    <cluster code="0x0801"/>
+    <item fieldId="0" name="CAID" type="int16u"/>
+    <item fieldId="1" name="Certificate" type="long_octet_string" length="3000"/>
+  </struct>
+
+  <struct name="TLSClientCertificateDetailStruct" apiMaturity="provisional">
+    <cluster code="0x0801"/>
+    <item fieldId="0" name="CCDID" type="int16u"/>
+    <item fieldId="1" name="ClientCertificate" type="long_octet_string" length="3000"/>
+    <item fieldId="2" name="IntermediateCerts" array="true" type="octet_string"/>
+  </struct>
+
+  <cluster>
+    <domain name="General"/>
+    <name>TLS Certificate Management</name>
+    <code>0x0801</code>
+    <define>TLS_CERTIFICATE_MANAGEMENT_CLUSTER</define>
+    <description>This Cluster is used to manage TLS Client Certificates and to provision
+      TLS endpoints with enough information to facilitate subsequent connection.</description>
+    <client init="false" tick="false">true</client>
+    <server init="false" tick="false">true</server>
+    <globalAttribute code="0xFFFD" side="either" value="1"/>
+    <attribute code="0x0000" side="server" define="MAX_ROOT_CERTIFICATES" type="int8u">MaxRootCertificates</attribute>
+    <attribute code="0x0001" side="server" define="CURRENT_ROOT_CERTIFICATES" type="int8u">CurrentRootCertificates</attribute>
+    <attribute code="0x0002" side="server" define="MAX_CLIENT_CERTIFICATES" type="int8u">MaxClientCertificates</attribute>
+    <attribute code="0x0003" side="server" define="CURRENT_CLIENT_CERTIFICATES" type="int8u">CurrentClientCertificates</attribute>
+    <command code="0x00" source="client" name="ProvisionRootCertificate" optional="false" response="ProvisionRootCertificateResponse">
+      <description>This command SHALL provision the provided certificate for the passed in CAID.</description>
+      <access op="invoke" privilege="administer"/>
+      <arg id="0" name="Certificate" type="long_octet_string" length="3000"/>
+      <arg id="1" name="CAID" type="int16u" optional="true" isNullable="true"/>
+    </command>
+
+    <command code="0x01" source="server" name="ProvisionRootCertificateResponse" optional="false" disableDefaultResponse="true">
+      <description>This command SHALL be generated in response to a ProvisionRootCertificate command.</description>
+      <arg id="0" name="CAID" type="int16u"/>
+    </command>
+
+    <command code="0x02" source="client" name="FindRootCertificate" optional="false" response="FindRootCertificateResponse">
+      <description>This command SHALL return the TLSCertStruct for the passed in CAID.</description>
+      <arg id="0" name="CAID" type="int16u" optional="true" isNullable="true"/>
+    </command>
+
+    <command code="0x03" source="server" name="FindRootCertificateResponse" optional="false" disableDefaultResponse="true">
+      <description>This command SHALL be generated in response to a FindRootCertificate command.</description>
+      <arg id="0" name="CertificateDetails" array="true" type="TLSCertStruct"/>
+    </command>
+
+    <command code="0x04" source="client" name="LookupRootCertificate" optional="false" response="LookupRootCertificateResponse">
+      <description>This command SHALL return the CAID for the passed in fingerprint.</description>
+      <arg id="0" name="Fingerprint" type="octet_string" length="64"/>
+    </command>
+
+    <command code="0x05" source="server" name="LookupRootCertificateResponse" optional="false" disableDefaultResponse="true">
+      <description>This command SHALL be generated in response to a LookupRootCertificate command.</description>
+      <arg id="0" name="CAID" type="int16u"/>
+    </command>
+
+    <command code="0x06" source="client" name="RemoveRootCertificate" optional="false">
+      <description>This command SHALL be generated to request the server removes the certificate provisioned to the provided Certificate Authority ID.</description>
+      <access op="invoke" privilege="administer"/>
+      <arg id="0" name="CAID" type="int16u"/>
+    </command>
+
+    <command code="0x07" source="client" name="TLSClientCSR" optional="false" response="TLSClientCSRResponse">
+      <description>This command SHALL be generated to request the Node generates a Certificate Signing Request.</description>
+      <access op="invoke" privilege="administer"/>
+      <arg id="1" name="Nonce" type="octet_string"/>
+    </command>
+
+    <command code="0x08" source="server" name="TLSClientCSRResponse" optional="false" disableDefaultResponse="true">
+      <description>This command SHALL be generated in response to a TLSClientCSR command.</description>
+      <arg id="0" name="CCDID" type="int16u"/>
+      <arg id="1" name="CSR" type="octet_string"/>
+      <arg id="2" name="Nonce" type="octet_string"/>
+    </command>
+
+    <command code="0x09" source="client" name="ProvisionClientCertificate" optional="false" response="ProvisionClientCertificateResponse">
+      <description>This command SHALL be generated to request the Node provisions the provided Client Certificate Details.</description>
+      <access op="invoke" privilege="administer"/>
+      <arg id="0" name="CCDID" type="int16u"/>
+      <arg id="1" name="ClientCertificateDetails" type="TLSClientCertificateDetailStruct"/>
+    </command>
+
+    <command code="0x0A" source="server" name="ProvisionClientCertificateResponse" optional="false" disableDefaultResponse="true">
+      <description>This command SHALL be generated in response to a ProvisionClientCertificate command.</description>
+      <arg id="0" name="CCDID" type="int16u"/>
+    </command>
+
+    <command code="0x0B" source="client" name="FindClientCertificate" optional="false" response="FindClientCertificateResponse">
+      <description>This command SHALL return the TLSClientCertificateDetailStruct for the passed in CCDID.</description>
+      <arg id="0" name="CCDID" type="int16u"/>
+    </command>
+
+    <command code="0x0C" source="server" name="FindClientCertificateResponse" optional="false" disableDefaultResponse="true">
+      <description>This command SHALL be generated in response to a FindClientCertificate command.</description>
+      <arg id="0" name="CertificateDetails" array="true" type="TLSClientCertificateDetailStruct"/>
+    </command>
+
+    <command code="0x0D" source="client" name="LookupClientCertificate" optional="false" response="LookupClientCertificateResponse">
+      <description>This command SHALL return the CCDID for the passed in Fingerprint.</description>
+      <arg id="0" name="Fingerprint" type="octet_string" length="64"/>
+    </command>
+
+    <command code="0x0E" source="server" name="LookupClientCertificateResponse" optional="false" disableDefaultResponse="true">
+      <description>This command SHALL be generated in response to a LookupClientCertificate command.</description>
+      <arg id="0" name="CCDID" type="int16u"/>
+    </command>
+
+    <command code="0x0F" source="client" name="RemoveClientCertificate" optional="false">
+      <description>This command SHALL be generated to request the Node removes the certificate provisioned to the provided Client Certificate Details ID.</description>
+      <access op="invoke" privilege="administer"/>
+      <arg id="0" name="CCDID" type="int16u"/>
+    </command>
+
+  </cluster>
+</configurator>

src/app/zap-templates/zcl/zcl-with-test-extensions.json

@@ -125,6 +125,7 @@
         "time-format-localization-cluster.xml",
         "time-synchronization-cluster.xml",
         "timer-cluster.xml",
+        "tls-certificate-management-cluster.xml",
         "user-label-cluster.xml",
         "unit-localization-cluster.xml",
         "valve-configuration-and-control-cluster.xml",
@@ -291,8 +292,7 @@
             "ActiveModeThreshold",
             "RegisteredClients",
             "ICDCounter",
-            "ClientsSupportedPerFabric",
-            "MaximumCheckInBackOff"
+            "ClientsSupportedPerFabric"
         ],
         "Occupancy Sensing": ["HoldTimeLimits", "HoldTime", "FeatureMap"],
         "Operational Credentials": [

src/app/zap-templates/zcl/zcl.json

@@ -119,6 +119,7 @@
         "time-format-localization-cluster.xml",
         "time-synchronization-cluster.xml",
         "timer-cluster.xml",
+        "tls-certificate-management-cluster.xml",
         "user-label-cluster.xml",
         "unit-localization-cluster.xml",
         "valve-configuration-and-control-cluster.xml",
@@ -285,8 +286,7 @@
             "ActiveModeThreshold",
             "RegisteredClients",
             "ICDCounter",
-            "ClientsSupportedPerFabric",
-            "MaximumCheckInBackOff"
+            "ClientsSupportedPerFabric"
         ],
         "Occupancy Sensing": ["HoldTimeLimits", "HoldTime", "FeatureMap"],
         "Operational Credentials": [

src/app/zap_cluster_list.json

@@ -121,6 +121,7 @@
         "TIME_FORMAT_LOCALIZATION_CLUSTER": [],
         "TIME_SYNCHRONIZATION_CLUSTER": [],
         "TIMER_CLUSTER": [],
+        "TLS_CERTIFICATE_MANAGEMENT_CLUSTER": [],
         "TRUSTED_ROOT_CERTIFICATES_CLUSTER": [],
         "UNIT_LOCALIZATION_CLUSTER": [],
         "UNIT_TESTING_CLUSTER": [],
@@ -303,6 +304,7 @@
         "TIME_FORMAT_LOCALIZATION_CLUSTER": ["time-format-localization-server"],
         "TIME_SYNCHRONIZATION_CLUSTER": ["time-synchronization-server"],
         "TIMER_CLUSTER": ["timer-server"],
+        "TLS_CERTIFICATE_MANAGEMENT_CLUSTER": [],
         "TVOC_CONCENTRATION_MEASUREMENT_CLUSTER": [
             "concentration-measurement-server"
         ],