Learn how to set up a RICAL
Introduction
The purpose of a Reader Identity Certificate Authority List (RICAL) is to enable holder applications (wallets) in a digital ecosystem to verify the identity of relying parties (verifiers) from a single authoritative source. It is the counterpart to a VICAL: where a VICAL distributes trusted issuer roots, a RICAL distributes trusted verifier roots.
ISO/IEC 18013-5 uses the term reader for the entity that requests data from an mDoc. Throughout this documentation we use verifier or relying party for the same role. Certificate names defined by the standard (for example, Reader Root Certificate) keep their ISO terminology.
This guide will walk you through setting up a RICAL and publishing a list of trusted Reader Root Certificates. Each step can be completed either through the Portal or via the MATTR VII API. Select the tab that matches how you want to work.
Prerequisites
- Make sure you understand the concepts of a RICAL and how it relates to a Digital Trust Service (DTS).
- You need access to an existing MATTR VII tenant with either the
DTS ProviderorAdminrole. Refer to the Getting started with the Portal tutorial to learn how to create a tenant and assign roles. - To use the API, you also need to obtain a bearer access token
to include in the
Authorizationheader of each request.
Guide overview
Publishing a RICAL comprises the following steps:
- Create an Ecosystem: This is the overarching entity that holds participants together. Only required if you don't already have an ecosystem on your tenant.
- Create participants and add verifier certificates: These are the relying parties (verifiers) that will be part of the RICAL. Each participant includes a Reader Root Certificate that anchors its verifier requests.
- Set up the RICAL signing certificate chain: Establish the DTS root CA and RICAL Signer Certificate used to sign the RICAL, using either a 2-tier or 3-tier model.
- Manually publish a RICAL: Configure the RICAL provider, then generate and publish a RICAL that includes your trusted Reader Root Certificates.
- Configure RICAL auto-generation and publishing (optional): Set the RICAL to automatically generate and publish on a daily or weekly schedule.
- View previously published RICALs (optional): Review the history of previously published RICALs and download their files.
Create an Ecosystem
Creating an Ecosystem is a one-time step per tenant. It is only required if you don't already have an ecosystem on your tenant. If you already have an ecosystem (for example, because you created one when setting up a VICAL), you will not see the option to create a new one (in the Portal) and should skip directly to the next step. A single ecosystem is shared across both your VICAL and RICAL.
Perform the following steps to create an Ecosystem:
- Log in to the MATTR Portal.
- Navigate to the Ecosystem page under the Digital Trust Service section.
- Enter a name for your Ecosystem, such as "My Digital Trust Service".
- Select the Create button.
Make a request of the following structure to create an ecosystem:
POST /v1/ecosystems{
"name": "My Digital Trust Service"
}name: This required parameter is the name used to identify your ecosystem.
The response will include an id property, which is the unique identifier for the ecosystem. You
will use this ecosystemId in subsequent requests to reference this ecosystem.
Create participants and add verifier certificates
Participants in a RICAL are the relying parties (verifiers) whose Reader Root Certificates you want holders to trust. For each participant, you upload a Reader Root Certificate (referred to as a Verifier CA in MATTR VII) that anchors the chain used to sign that verifier's requests.
Unlike an issuer participant in a VICAL, a verifier participant in a RICAL does not declare
credential types (docTypes). A trusted Reader Root Certificate is treated as authoritative for the
ecosystem rather than scoped to specific credential types. Authorization of what a verifier may
request is conveyed separately through the verifier's signed request and the holder's consent flow.
Perform the following steps to create a participant and add its verifier certificate:
-
Select the Participants page under the Digital Trust Service section (this page is only visible if you have an existing ecosystem. If you don't have an ecosystem, you will need to return to step 1 above and create it first).
-
Select the Create new button.
The Create participant form appears, starting from Step 1 (Details). -
Insert a meaningful Name for the participant (e.g. "Montcliff Police").
-
Use the Country dropdown list to select the participant's country (optional). When selected, this value must match the Country value in the verifier certificate associated with this participant.
-
If you select a country, a State or Province dropdown list is displayed. You can use it to select the participant's state or province (optional). When selected, this value must match the
stateOrProvinceNamevalue in the verifier certificate associated with this participant. -
Insert the participant's Address and Phone number (optional).
-
Use the Status radio button to set the participant as Active.
-
Select the Next button.
You are directed to Step 2 (Certificates). -
Select the Create button to create the participant.
-
Select the Verifier certificates tab.
-
Select the Add new button to add a verifier certificate for the participant.
The Add verifier certificate form appears. -
Paste/upload the PEM-encoded Reader Root Certificate into the Certificate PEM file field.
-
Use the Status radio button to set the certificate to Active.
-
(Optional) To maintain trust continuity when rotating a participant's Reader Root Certificate, expand the Link Certificate section and add this certificate as a successor to a previously uploaded certificate (refer to Linked certificates):
- Use the Predecessor certificate dropdown to select the previous certificate that this new one succeeds. The dropdown lists the participant's existing certificates because the predecessor must already exist on your tenant before you can link to it.
- Upload the link certificate into the Link Certificate PEM file field. The link certificate is the participant's proof that they own both the predecessor and the new certificate, which is what lets you accept the new one while preserving trust in the previous one.
This option is only available once at least one certificate has been added for the participant.
-
Select the Add button.
Repeat the above steps for each relying party (verifier) you want to include in your RICAL.
First, make a request of the following structure to create a participant and mark it as a verifier:
POST /v1/ecosystems/{ecosystemId}/participantsecosystemId: Replace with theidvalue obtained when you created the ecosystem.
{
"name": "Montcliff Police",
"status": "Active",
"isVerifier": true,
"country": "US",
"stateOrProvince": "US-XX",
"identifiers": {}
}name: This required parameter is a meaningful name used to identify the participant.status: Set this toActiveso the participant is included in the ecosystem policy and the RICAL. Only active participants are published.isVerifier: Set this totrueso the participant can act as a verifier in the ecosystem.country/stateOrProvince: Optional. When provided, must match the corresponding values in the verifier certificate uploaded for this participant.identifiers: This required parameter defines the participant's credential-format identifiers. For a verifier participant, pass an empty object ({}), as the Reader Root Certificate is added separately in the next request.
The response includes the participant id. Then, make a request of the following structure to
create a verifier certificate
for the participant. This is the Reader Root Certificate that will be included in the RICAL:
POST /v1/ecosystems/{ecosystemId}/participants/{participantId}/verifier-certificatesparticipantId: Replace with theidvalue obtained when you created the participant.
{
"certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIICTDCCAfKgAwIBAgIKeKcjIBGvXfS/sjAKBggqhkjOPQQDAjAwMQswCQYDVQQG\r\nEwJVUzEhMB8GA1UEAwwYRXhhbXBsZSBWZXJpZmllciByb290IENBMB4XDTI1MDgy\r\nNzIxMzMxNFoXDTMwMDgyNjIxMzMxNFowMDELMAkGA1UEBhMCVVMxITAfBgNVBAMM\r\nGEV4YW1wbGUgVmVyaWZpZXIgcm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEH\r\nA0IABNJHM5ZE+fpVn7b9WwjVBiOiZq9eNXq1JkNj/6ZLe+2GkaRY/WE2Xbg7yx++\r\nh3QEdX3sGKzGO7dygQALBe/4qEyjgfMwgfAwHQYDVR0OBBYEFK8ogqdUH2vZlC1y\r\nNf619a8fnx8KMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMHsG\r\nA1UdHwR0MHIwcKBuoGyGamh0dHBzOi8vbGVhcm4udmlpLmF1MDEubWF0dHIuZ2xv\r\nYmFsL3YyL3ByZXNlbnRhdGlvbnMvY2VydGlmaWNhdGVzL2Q3YzE3ODI4LThkMTgt\r\nNDYyZS1iNDk3LWNjNjI2NWM4ZmQxYi9jcmwwLgYDVR0SBCcwJYYjaHR0cHM6Ly9s\r\nZWFybi52aWkuYXUwMS5tYXR0ci5nbG9iYWwwCgYIKoZIzj0EAwIDSAAwRQIhAOqD\r\n0DF3rohBitl5jAj6x1164uGGj6yAhF/eE4aJeGc+AiAgaUYHzobzaPEWd+jZOh/A\r\nq8WgVJ+8sLx9WdJDs9/shQ==\r\n-----END CERTIFICATE-----\r\n",
"status": "Active"
}certificatePem: This required parameter contains the PEM-encoded Reader Root Certificate. It becomes immutable once the certificate is created.status: Set toActiveto include this certificate in the RICAL.
Note that, unlike an issuer certificate in a VICAL, a verifier certificate does not take a docTypes
array. Repeat this request for each relying party (verifier) you want to include in your RICAL.
Set up the RICAL signing certificate chain
Each RICAL must be signed by a RICAL Signer Certificate (RSC) that chains back to a DTS root CA via a chain of trust. This chain is what consuming wallets use as the trust anchor to validate the authenticity and integrity of the RICAL.
If you already have an existing active DTS root CA that you want to use as the trust anchor for your RICAL, you can skip this step.
MATTR VII supports both managed and unmanaged (external) DTS certificates. Select the option that matches how you want to manage your certificate infrastructure.
With managed DTS certificates, MATTR VII provisions and maintains the DTS root CA and the signer certificates for you. You create and activate the DTS root CA, and MATTR VII automatically creates a signer (and its certificate) and uses it to sign trust lists as required. Managed DTS certificates always use the 2-tier model.
- Navigate to the Certificates page under the Platform Management section.
- Select the Create new button.
The New certificate form appears. - Use the Type dropdown list to select DTS CA.
- Use the Management method radio button to select MATTR managed.
- Enter a meaningful name in the Organization field to identify the organization operating the DTS.
- Use the Country dropdown list to select the country where the organization is located.
- Select the Create button.
The DTS root CA is created in an inactive state. - Scroll down and use the Status radio button to select Active.
- Select the Update button to activate the DTS root CA.
Make a request of the following structure to create a managed DTS root CA:
POST /v1/ecosystems/certificates/ca{
"organisationName": "Example Inc.",
"commonName": "Example DTS CA",
"country": "US"
}organisationName: This required parameter indicates the organization associated with the DTS root CA certificate.commonName: This optional parameter indicates the common name of the DTS root CA certificate. If not provided and a custom domain is configured and verified, the custom domain is used followed by the wordsDTS CA. If no custom domain is configured, the tenant subdomain is used instead.country: This optional parameter indicates the DTS provider's country. If not provided, a country is selected based on the region of the tenant subdomain cloud host. When specified, the value must be a valid Alpha 2 country code as per ISO 3166-1.
The response will include an id property identifying the managed DTS root CA. Make a request of the
following structure to
update the managed DTS root CA
and activate it:
PUT /v1/ecosystems/certificates/ca/{dtsCaCertificateId}dtsCaCertificateId: Replace with theidvalue obtained when you created the managed DTS root CA.
{
"active": true
}Once a managed DTS root CA is activated, MATTR VII automatically creates and uses a signer to sign trust lists as required.
With unmanaged (external) DTS certificates, you supply and maintain the full certificate chain. You generate the DTS root CA, issue and sign the RICAL Signer Certificates (RSCs), upload the root and each RSC to MATTR VII, and handle renewal and revocation.
Select the tab for the certificate model you want to configure. For guidance on choosing a model, see certificate models: 2-tier and 3-tier.
In the 2-tier model, the DTS root CA directly signs the RICAL Signer Certificate (RSC).
Generate a self-signed root certificate (DTS root CA)
Use your preferred cryptographic library or tool to generate a self-signed root certificate (DTS root CA). In the 2-tier model, this certificate directly signs the signer certificate. Ensure it meets the requirements specified in ISO/IEC 18013-5:2021 and in the certificate requirements section.
When using unmanaged (external) certificates, the DTS provider assumes full responsibility for the secure management of the uploaded root certificates and all subordinate certificates. This includes ensuring the protection, proper issuance, and timely revocation of certificates under the uploaded root, as MATTR VII does not manage or monitor these certificates on the DTS provider's behalf.
Register the external DTS root CA certificate with MATTR VII
-
Expand the Platform Management menu in the navigation panel on the left-hand side.
-
Click on Certificates.
-
Select Create new.
-
Use the Type dropdown to select DTS CA.
-
Use the Management method dropdown to select Externally managed.
-
Paste/upload the PEM-encoded DTS root CA certificate into the Certificate PEM file field.
The certificate must meet the following requirements:- Valid
- Not expired
- Compliant with ISO/IEC 18013-5:2021
-
Select Create to register the unmanaged DTS root CA certificate.
The newly created unmanaged DTS root CA is created in an inactive state. You can only activate it after you create at least one signer associated with this DTS root CA.
Make a request of the following structure to create an unmanaged DTS root CA:
POST /v1/ecosystems/certificates/ca{
"certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIICDjCCAbSgAwIBAgIKdeZsA5NPKimuAzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\n...\r\n-----END CERTIFICATE-----\r\n"
}certificatePem: This required parameter contains the PEM-encoded DTS root CA certificate. The certificate must meet the following requirements:- Valid
- Not expired
- Compliant with ISO/IEC 18013-5:2021
The response will include an id property, which is a unique identifier for the unmanaged DTS root
CA. This identifier will be used in subsequent operations to reference this unmanaged DTS root CA.
Create a RICAL Signer
Create a RICAL Signer under the DTS root CA. In the 2-tier model, the RICAL Signer references the DTS root CA directly.
- On the detail page of the DTS root CA you just registered, scroll down to the RSC - RICAL Signer Certificate section and select Add new.
- Select the Create button.
MATTR VII creates a RICAL Signer in a pending state and generates a Certificate Signing Request (CSR) for it.
Make a request of the following structure to create a RICAL signer that references the unmanaged DTS root CA:
POST /v1/ecosystems/certificates/rical-signers{
"caId": "080c670a-2e90-4023-b79f-b706e55e9bc6"
}caId: Replace with theidof the unmanaged DTS root CA. The response includes the RICAL signeridand acsrPem(the Certificate Signing Request).
Generate and sign the RICAL Signer Certificate (RSC)
- Use the Download or Copy buttons in the Step 1. Download the RSC Certificate Signing Request (CSR) section of the RICAL Signer detail page to obtain the CSR.
- Using your preferred cryptographic tool, generate and sign the RSC using the CSR from the previous step. In the 2-tier model, the RSC must be signed by the DTS root CA's private key.
Associate the RSC with the RICAL Signer
Upload the signed RSC to the RICAL Signer and activate it.
- On the RICAL Signer detail page, under Step 2. Upload signed RSC, paste/upload the PEM-encoded RSC into the Certificate PEM file field.
- Use the Status radio button to set the RICAL Signer to Active.
- Select Update to associate the RSC and activate the RICAL Signer.
Make a request of the following structure to update the RICAL signer to associate the signed RSC and activate it:
PUT /v1/ecosystems/certificates/rical-signers/{ricalSignerId}ricalSignerId: Replace with the RICAL signeridfrom the previous step.
{
"active": true,
"certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIIDXTCCAkWgAwIBAgIJAL5...\r\n-----END CERTIFICATE-----\r\n"
}active: Set totrue. A RICAL signer can only be activated once a validcertificatePemis provided.certificatePem: The PEM-encoded RSC generated from the CSR.
Activate the DTS root CA
- Navigate back to the Certificates page in the MATTR Portal.
- Select the DTS root CA you created in the first step.
- Use the Status radio button to set the DTS root CA to Active.
- Select Update to activate the DTS root CA.
Make a request of the following structure to update the unmanaged DTS root CA and activate it:
PUT /v1/ecosystems/certificates/ca/{dtsCaCertificateId}dtsCaCertificateId: Replace with theidvalue obtained when you registered the unmanaged DTS root CA.
{
"active": true
}In the 3-tier model, a DTS intermediate CA sits between the DTS root CA and the RICAL Signer Certificate (RSC). The DTS root CA signs the intermediate CA, and the intermediate CA signs the RSC.
Generate a self-signed root certificate (DTS root CA)
Use your preferred cryptographic library or tool to generate a self-signed root certificate (DTS root CA). In the 3-tier model, this certificate will be used to sign the DTS intermediate CA certificate (rather than signing the signer certificate directly). Ensure it meets the requirements specified in ISO/IEC 18013-5:2021 and in the DTS root CA specific requirements section.
When using unmanaged (external) certificates, the DTS provider assumes full responsibility for the secure management of the uploaded root certificates and all subordinate certificates. This includes ensuring the protection, proper issuance, and timely revocation of certificates under the uploaded root, as MATTR VII does not manage or monitor these certificates on the DTS provider's behalf.
Register the external DTS root CA certificate with MATTR VII
Register the DTS root CA and enable the 3-tier model so it requires an intermediate CA in its chain of trust.
-
Expand the Platform Management menu in the navigation panel on the left-hand side.
-
Click on Certificates.
-
Select Create new.
-
Use the Type dropdown to select DTS CA.
-
Use the Management method dropdown to select Externally managed.
-
Paste/upload the PEM-encoded DTS root CA certificate into the Certificate PEM file field.
The certificate must meet the following requirements:- Valid
- Not expired
- Compliant with ISO/IEC 18013-5:2021
-
Under Certificate chain, select Three-tier with Intermediate CAs. This configures the DTS root CA to sign an intermediate CA rather than signing the signer certificate directly.
-
Select Create to register the unmanaged DTS root CA certificate.
The newly created unmanaged DTS root CA is created in an inactive state. You can only activate it after you create a DTS intermediate CA and at least one signer associated with it.
Make a request of the following structure to
create an unmanaged DTS root CA.
To enable the 3-tier model, set useIntermediateCa to true:
POST /v1/ecosystems/certificates/ca{
"certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIICDjCCAbSgAwIBAgIKdeZsA5NPKimuAzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\n...\r\n-----END CERTIFICATE-----\r\n",
"useIntermediateCa": true
}certificatePem: This required parameter contains the PEM-encoded DTS root CA certificate. The certificate must meet the following requirements:- Valid
- Not expired
- Compliant with ISO/IEC 18013-5:2021
useIntermediateCa: Set this totrueto require and use intermediate CA certificates as part of this DTS root CA's chain of trust. This field can only be set for unmanaged (external) DTS root CA certificates. Changing this value later requires deleting all subordinate certificates.
The response will include an id property, which is a unique identifier for the unmanaged DTS root
CA. This identifier will be used in subsequent operations to reference this unmanaged DTS root CA.
Generate and sign the DTS intermediate CA certificate
Use your preferred cryptographic library or tool to generate a DTS intermediate CA certificate and sign it with the DTS root CA private key. Ensure it meets the DTS intermediate CA specific requirements, including matching the country of the DTS root CA and remaining within the DTS root CA's validity period.
Unlike the signer certificate, MATTR VII does not issue a Certificate Signing Request (CSR) for the intermediate CA. You generate the intermediate CA's key pair and sign its certificate entirely within your own PKI, then upload the finished certificate in the next step.
Register the DTS intermediate CA certificate with MATTR VII
Register the signed intermediate CA certificate under the DTS root CA you created in the previous step.
-
Scroll down to the Child certificates section.
-
In the Intermediate CA section, select Add new.
-
Paste/upload the PEM-encoded DTS intermediate CA certificate into the Certificate PEM file field.
-
Under Allowed child certificates, select the signer types this intermediate CA is allowed to sign:
- VSC (VICAL Signer Certificate) to sign a VICAL Signer.
- RSC (RICAL Signer Certificate) to sign a RICAL Signer.
Select both if the intermediate CA will sign both signer types.
-
Select Create to register the DTS intermediate CA certificate.
Make a request of the following structure to create a DTS intermediate CA certificate under the DTS root CA:
POST /v1/ecosystems/certificates/ca/{dtsCaCertificateId}/intermediatedtsCaCertificateId: Replace with theidvalue obtained when you registered the unmanaged DTS root CA in the previous step.
{
"certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIICDjCCAbSgAwIBAgIKdeZsA5NPKimuAzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\n...\r\n-----END CERTIFICATE-----\r\n",
"usages": ["VICAL", "RICAL"]
}certificatePem: This required parameter contains the PEM-encoded DTS intermediate CA certificate, signed by the DTS root CA.usages: This required parameter specifies the intended usages for this intermediate CA. It must contain at least one value (VICAL,RICAL). Include the list type whose signer will chain to this intermediate CA (useVICALfor a VICAL Signer,RICALfor a RICAL Signer, or both if the intermediate CA will sign both).
The response will include an id property, which is the unique identifier for the DTS intermediate
CA certificate. You will use this identifier when creating the signer.
Create a RICAL Signer
Create a RICAL Signer under the DTS intermediate CA. In the 3-tier model, the RICAL Signer references the intermediate CA rather than the DTS root CA.
- Navigate to the Certificates page and select the DTS root CA, then select the DTS intermediate CA you registered in the previous step.
- In the RSC – RICAL Signer Certificate section, select Add new.
MATTR VII creates a RICAL Signer in a pending state and generates a Certificate Signing Request (CSR) for it.
Make a request of the following structure to create a RICAL signer that references the DTS intermediate CA:
POST /v1/ecosystems/certificates/rical-signers{
"intermediateCaId": "c1bbe671-21f8-5358-9537-eed4669b43f3"
}intermediateCaId: Replace with theidof the DTS intermediate CA. In the 3-tier model, the RICAL signer references the intermediate CA rather than the DTS root CA. The response includes the RICAL signeridand acsrPem.
Generate and sign the RICAL Signer Certificate (RSC)
- Use the Download or Copy buttons in the Step 1. Download the RSC Certificate Signing Request (CSR) section of the RICAL Signer detail page to obtain the CSR.
- Using your preferred cryptographic tool, generate and sign the RSC using the CSR from the previous step. In the 3-tier model, the RSC must be signed by the DTS intermediate CA's private key.
Associate the RSC with the RICAL Signer
Upload the signed RSC to the RICAL Signer and activate it.
- On the RICAL Signer detail page, under Step 2. Upload signed RSC, paste/upload the PEM-encoded RSC into the Certificate PEM file field.
- Use the Status radio button to set the RICAL Signer to Active.
- Select Update to associate the RSC and activate the RICAL Signer.
Make a request of the following structure to update the RICAL signer to associate the signed RSC and activate it:
PUT /v1/ecosystems/certificates/rical-signers/{ricalSignerId}ricalSignerId: Replace with the RICAL signeridfrom the previous step.
{
"active": true,
"certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIIDXTCCAkWgAwIBAgIJAL5...\r\n-----END CERTIFICATE-----\r\n"
}active: Set totrue. A RICAL signer can only be activated once a validcertificatePemis provided.certificatePem: The PEM-encoded RSC generated from the CSR.
Activate the DTS root CA
- Navigate back to the Certificates page in the MATTR Portal.
- Select the DTS root CA you created in the first step.
- Use the Status radio button to set the DTS root CA to Active.
- Select Update to activate the DTS root CA.
Make a request of the following structure to update the unmanaged DTS root CA and activate it:
PUT /v1/ecosystems/certificates/ca/{dtsCaCertificateId}dtsCaCertificateId: Replace with theidvalue obtained when you registered the unmanaged DTS root CA.
{
"active": true
}Manually Publish a RICAL
After you have created your participants and set up the signing certificate chain, you can publish a RICAL that includes the trusted Reader Root Certificates. When you publish the RICAL, MATTR VII signs a list that includes the information you provided for each Reader Root Certificate.
- Navigate to the Trust lists page under the Digital Trust Service section.
- Select the RICAL (Trusted verifiers) tab.
- Enter a meaningful Provider name to identify the provider of the RICAL. This is included in the RICAL metadata and used by wallets to identify the source of the RICAL.
- Select the Create button.
- Review the preview area where you can see all Reader Root Certificates included in the RICAL.
- Select Generate & Publish when you are ready.
The RICAL is now generated and published, and a modal is displayed where you can:- Use the Download button to download the RICAL file (CBOR).
- Use the Copy button to copy a link to the public endpoint where wallets can access the RICAL.
First, make a request of the following structure to update the RICAL configuration and set the RICAL provider name. A RICAL configuration is required before a RICAL can be created:
PUT /v1/ecosystems/{ecosystemId}/ricals/configurationecosystemId: Replace with theidvalue of your ecosystem.
{
"ricalProvider": "Example Provider"
}ricalProvider: This required parameter is the provider name included in the RICAL metadata and used by wallets to identify the source of the RICAL.
Then, make a request of the following structure to create (generate and publish) a RICAL based on your ecosystem policy:
POST /v1/ecosystems/{ecosystemId}/ricalsThe response includes the ricalIssueID and issuance date of the published RICAL. Wallets can
retrieve it from the public
Retrieve latest RICAL endpoint:
curl -o rical-latest.cbor \
https://your-tenant.vii.au01.mattr.global/v1/ecosystems/{ecosystemId}/ricals/public/latestConfigure RICAL auto-generation and publishing (optional)
You can optionally set up auto-generation of your RICAL so it is generated and published on a schedule.
- Return to the Trust lists page under the Digital Trust Service section.
- Select the RICAL (Trusted verifiers) tab.
- Expand the RICAL configuration panel.
- Use the Generation method radio button to select Auto generate.
- Use the Auto generate frequency dropdown list to select how often you want the RICAL to be automatically generated and published (daily/weekly).
- Select the Update button.
- Review the preview area where you can see all Reader Root Certificates included in the RICAL.
Note that the RICAL is not generated and published yet. It will only be generated and published automatically based on the frequency you selected in step 5 above. If you want to generate and publish the RICAL immediately, you can select the Generate & Publish button.
Make a request of the following structure to update the RICAL configuration and enable scheduled auto-publishing:
PUT /v1/ecosystems/{ecosystemId}/ricals/configuration{
"ricalProvider": "Example Provider",
"autoPublish": {
"enabled": true,
"frequency": "Daily"
}
}autoPublish.enabled: Set totrueto enable scheduled automatic generation and publishing of the RICAL.autoPublish.frequency: Required whenenabledistrue. How often the RICAL is automatically generated and published. One ofDailyorWeekly.
When auto-publishing is enabled, the RICAL is generated and published automatically on the schedule you set. You can still generate and publish a RICAL immediately at any time by calling the Create a RICAL endpoint.
View Previously Published RICALs (optional)
- Return to the Trust lists page under the Digital Trust Service section.
- Select the RICAL (Trusted verifiers) tab.
- Scroll down and select the View Previously Published button to open the Previously generated RICAL view, which lists each RICAL with its Issue ID, Generated at time, File name, Trigger method, and Status.
- Use the Download button to download any previously published RICAL.
Make a request of the following structure to retrieve all RICALs published in your ecosystem. This endpoint is public and does not require authentication:
GET /v1/ecosystems/{ecosystemId}/ricals/publicThe response is a JSON list of the published RICALs with their ricalIssueID, issuance date, and
filename. To download a specific RICAL file (a CBOR-encoded file), call the
Retrieve specific RICAL endpoint with the relevant
ricalIssueId:
curl -o rical.cbor \
https://your-tenant.vii.au01.mattr.global/v1/ecosystems/{ecosystemId}/ricals/public/{ricalIssueId}Next steps
Now that you have published your RICAL, you can share the public endpoint with wallet providers so they can consume the RICAL and establish trust in the verifiers included in it. Refer to the RICAL consumption guide to learn how wallets can retrieve, validate and use a RICAL.
How would you rate this page?
Last updated on