diff --git a/x/machine/keeper/msg_server_attest_machine.go b/x/machine/keeper/msg_server_attest_machine.go
index 111fedd..86600b8 100644
--- a/x/machine/keeper/msg_server_attest_machine.go
+++ b/x/machine/keeper/msg_server_attest_machine.go
@@ -24,6 +24,14 @@ func (k msgServer) isNFTCreationRequest(machine *types.Machine) bool {
 func (k msgServer) AttestMachine(goCtx context.Context, msg *types.MsgAttestMachine) (*types.MsgAttestMachineResponse, error) {
 	ctx := sdk.UnwrapSDKContext(goCtx)
 
+	ta, activated, found := k.GetTrustAnchor(ctx, msg.Machine.MachineId)
+	if !found {
+		return nil, errors.New("no preregistered trust anchor found for machine id")
+	}
+	if activated {
+		return nil, errors.New("trust anchor has already been used for attestation")
+	}
+
 	isValidIssuerPlanetmint := validateExtendedPublicKey(msg.Machine.IssuerPlanetmint, config.PlmntNetParams)
 	if !isValidIssuerPlanetmint {
 		return nil, errors.New("invalid planetmint key")
@@ -45,6 +53,7 @@ func (k msgServer) AttestMachine(goCtx context.Context, msg *types.MsgAttestMach
 
 	k.StoreMachine(ctx, *msg.Machine)
 	k.StoreMachineIndex(ctx, *msg.Machine)
+	k.StoreTrustAnchor(ctx, ta, true)
 
 	return &types.MsgAttestMachineResponse{}, nil
 }
diff --git a/x/machine/keeper/msg_server_test.go b/x/machine/keeper/msg_server_test.go
index 2905824..b7d2ccd 100644
--- a/x/machine/keeper/msg_server_test.go
+++ b/x/machine/keeper/msg_server_test.go
@@ -28,9 +28,13 @@ func TestMsgServer(t *testing.T) {
 
 func TestMsgServerAttestMachine(t *testing.T) {
 	_, pk := sample.KeyPair()
-	machine := sample.Machine(pk, pk)
+	ta := sample.TrustAnchor()
+	taMsg := types.NewMsgRegisterTrustAnchor(pk, &ta)
+	machine := sample.Machine(pk, ta.Pubkey)
 	msg := types.NewMsgAttestMachine(pk, &machine)
 	msgServer, ctx := setupMsgServer(t)
+	_, err := msgServer.RegisterTrustAnchor(ctx, taMsg)
+	assert.NoError(t, err)
 	res, err := msgServer.AttestMachine(ctx, msg)
 	if assert.NoError(t, err) {
 		assert.Equal(t, &types.MsgAttestMachineResponse{}, res)
@@ -39,11 +43,15 @@ func TestMsgServerAttestMachine(t *testing.T) {
 
 func TestMsgServerAttestMachineInvalidLiquidKey(t *testing.T) {
 	_, pk := sample.KeyPair()
-	machine := sample.Machine(pk, pk)
+	ta := sample.TrustAnchor()
+	taMsg := types.NewMsgRegisterTrustAnchor(pk, &ta)
+	machine := sample.Machine(pk, ta.Pubkey)
 	machine.IssuerLiquid = "invalidkey"
 	msg := types.NewMsgAttestMachine(pk, &machine)
 	msgServer, ctx := setupMsgServer(t)
-	_, err := msgServer.AttestMachine(ctx, msg)
+	_, err := msgServer.RegisterTrustAnchor(ctx, taMsg)
+	assert.NoError(t, err)
+	_, err = msgServer.AttestMachine(ctx, msg)
 	assert.EqualError(t, err, "invalid liquid key")
 }