Learn how to set up a VICAL
Introduction
The purpose of a Verified Issuer Certificate Authority List (VICAL) is to enable different participants in a digital ecosystem to rely on a single trusted framework.
This guide will walk you through setting up a VICAL and publishing a policy that defines trusted participants and credential types. Each step can be completed either through the Portal or via the MATTR VII API. Select the tab that matches how you want to work.
Prerequisites
- Make sure you understand the concepts of a VICAL and how it relates to a Digital Trust Service (DTS).
- You need access to an existing MATTR VII tenant with either the DTS Provider or Admin role. Refer to the Getting started with the Portal tutorial to learn how to create a tenant and assign roles.
- To use the API, you also need to obtain a bearer access token to include in the Authorization header of each request.
Guide overview
Publishing a VICAL comprises the following steps:
- Create an Ecosystem: This is the overarching entity that holds participants and credential types together. Only required if you don't already have an ecosystem on your tenant.
- Create participants and add issuer certificates: These are the issuers that will be part of the VICAL. Each participant includes one or more IACA certificates and the credential types they are allowed to issue.
- Set up the VICAL signing certificate chain: Establish the DTS root CA and VICAL Signer Certificate used to sign the VICAL, using either a 2-tier or 3-tier model.
- Manually publish a VICAL: Configure the VICAL provider, then generate and publish a VICAL that includes your participants and their credential types.
- Configure VICAL auto-generation and publishing (optional): Set the VICAL to automatically generate and publish on a daily or weekly schedule.
- View previously published VICALs (optional): Review the history of previously published VICALs and download their policy files.
Create an Ecosystem
Creating an Ecosystem is a one-time step per tenant. It is only required if you don't already have an ecosystem on your tenant. If you already have an ecosystem (for example, because you created one when setting up a RICAL), you will not see the option to create a new one (in the Portal) and should skip directly to the next step. A single ecosystem is shared across both your VICAL and RICAL.
Perform the following steps to create an Ecosystem:
- Log in to the MATTR Portal.
- Navigate to the Ecosystem page under the Digital Trust Service section.
- Enter a name for your Ecosystem, such as "My Digital Trust Service".
- Select the Create button.
Make a request of the following structure to create an ecosystem:
POST /v1/ecosystems
{
  "name": "My Digital Trust Service"
}
- name: This required parameter is the name used to identify your ecosystem.
The response will include an id property, which is the unique identifier for the ecosystem. You will use this ecosystemId in subsequent requests to reference this ecosystem.
Create participants and add issuer certificates
Participants are entities that represent issuers that will be included in the VICAL. For each participant, you will need to provide one or more IACA certificates that will be used as the trust anchor when signing mDocs, and define what credential types they are allowed to issue.
Perform the following steps to create a participant:
- Select the Participants page under the Digital Trust Service section (this page is only visible if you have an existing ecosystem. If you don't have an ecosystem, you will need to return to step 1 above and create it first).
- Select the Create new button. The Create participant form appears, starting from Step 1 (Details).
- Insert a meaningful Name for the participant (e.g. "Montcliff DMV").
- Use the Country dropdown list to select the Participant’s country (optional). Note that when selected, this value must match the Country value in the IACA certificate associated with this participant.
- If you select a country, a State or Province dropdown list is displayed. You can use it to select the Participant’s state or province (optional). Note that when selected, this value must match the StateOrProvinceName value in the IACA certificate associated with this participant.
- Insert the participant’s Address (optional).
- Insert the participant’s Phone number (optional).
- Use the Status radio button to set the participant as Active.
- Click the Next button. You are directed to Step 2 (Certificates).
- Click the Create button to create the participant.
- Select the Issuer certificates tab.
- Select the Add new button to add an issuer certificate for the participant. The Add issuer certificate form appears.
- Upload the PEM file you want to use as this participant’s identifier for issuing mDocs (this must be a valid IACA certificate and match any values set for Country and State or Province above). You should now see the certificate summary and details.
- Use the Credential types valid for field to select the credential types that this participant will be allowed to issue.
  - You can insert as many credential types as you want.
  - You can use the pre-populated options (org.iso.18013.5.1.mDL and/or org.iso.23220.photoid.1) or insert custom credential types that are relevant to your ecosystem.
  - The credential type is just a string value and does not need to match any values in the certificate. It is only used to link the participant to the credential types they are allowed to issue.
- Scroll down and use the Status dropdown list to set the certificate as Active.
- (Optional) To maintain trust continuity when rotating a participant's IACA certificate, expand the Link Certificate section and add this certificate as a successor to a previously uploaded certificate (refer to Linked certificates):
  - Use the Predecessor certificate dropdown to select the previous certificate that this new one succeeds. The dropdown lists the participant's existing certificates because the predecessor must already exist on your tenant before you can link to it.
  - Upload the link certificate into the Link Certificate PEM file field. The link certificate is the participant's proof that they own both the predecessor and the new certificate, which is what lets you accept the new one while preserving trust in the previous one.
  This option is only available once at least one certificate has been added for the participant.
- Click the Add button.
Repeat the above steps for each participant you want to include in your VICAL.
Make a request of the following structure to create a participant in your ecosystem. The participant's IACA certificate and its authorized credential types are provided as a mobile identifier:
POST /v1/ecosystems/{ecosystemId}/participants
- ecosystemId: Replace with the id value obtained when you created the ecosystem.
{
  "name": "Montcliff DMV",
  "status": "Active",
  "isIssuer": true,
  "country": "US",
  "stateOrProvince": "US-XX",
  "identifiers": {
    "mobile": [
      {
        "certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIIBwzCCAWigAwIBAgIKRGC+CqoTGJKkkTAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\r\n...\r\n-----END CERTIFICATE-----\r\n",
        "status": "Active",
        "docTypes": ["org.iso.18013.5.1.mDL"]
      }
    ]
  }
}
- name: This required parameter is a meaningful name used to identify the participant.
- status: Set this to Active so the participant is included in the ecosystem policy and the VICAL. Only active participants are published.
- isIssuer: Set this to true so the participant can act as an issuer in the ecosystem.
- country: This optional parameter is the participant's Alpha 2 country code. When provided, it must match the country value in the IACA certificate.
- stateOrProvince: This optional parameter is the participant's ISO 3166-2 state or province. When provided, it must match the stateOrProvinceName value in the IACA certificate.
- identifiers.mobile: An array containing the participant's mDoc identifier(s). Each entry includes:
  - certificatePem: The PEM-encoded IACA certificate this participant uses as the trust anchor when signing mDocs. It must be a valid IACA as defined in Annex B of ISO/IEC 18013-5:2021.
  - status: Set to Active to include this certificate in the VICAL.
  - docTypes: The credential types this participant is allowed to issue with this IACA. The value is a string and does not need to match any value in the certificate.
The response will include an id property identifying the participant. Repeat this request for each participant you want to include in your VICAL.
Set up the VICAL signing certificate chain
Each VICAL must be signed by a VICAL Signer Certificate (VSC) that chains back to a DTS root CA via a chain of trust. This chain is what consuming relying parties use as the trust anchor to validate the authenticity and integrity of the VICAL.
If you already have an existing active DTS root CA that you want to use as the trust anchor for your VICAL, you can skip this step.
MATTR VII supports both managed and unmanaged (external) DTS certificates. Select the option that matches how you want to manage your certificate infrastructure.
With managed DTS certificates, MATTR VII provisions and maintains the DTS root CA and the signer certificates for you. You create and activate the DTS root CA, and MATTR VII automatically creates a signer (and its certificate) and uses it to sign trust lists as required. Managed DTS certificates always use the 2-tier model.
- Navigate to the Certificates page under the Platform Management section.
- Select the Create new button. The New certificate form appears.
- Use the Type dropdown list to select DTS CA.
- Use the Management method radio button to select MATTR managed.
- Enter a meaningful name in the Organization field to identify the organization operating the DTS.
- Use the Country dropdown list to select the country where the organization is located.
- Select the Create button. The DTS root CA is created in an inactive state.
- Scroll down and use the Status radio button to select Active.
- Select the Update button to activate the DTS root CA.
Make a request of the following structure to create a managed DTS root CA:
POST /v1/ecosystems/certificates/ca
{
  "organisationName": "Example Inc.",
  "commonName": "Example DTS CA",
  "country": "US"
}
- organisationName: This required parameter indicates the organization associated with the DTS root CA certificate.
- commonName: This optional parameter indicates the common name of the DTS root CA certificate. If not provided and a custom domain is configured and verified, the custom domain is used followed by the words DTS CA. If no custom domain is configured, the tenant subdomain is used instead.
- country: This optional parameter indicates the DTS provider's country. If not provided, a country is selected based on the region of the tenant subdomain cloud host. When specified, the value must be a valid Alpha 2 country code as per ISO 3166-1.
The response will include an id property identifying the managed DTS root CA. Make a request of the following structure to update the managed DTS root CA and activate it:
PUT /v1/ecosystems/certificates/ca/{dtsCaCertificateId}
- dtsCaCertificateId: Replace with the id value obtained when you created the managed DTS root CA.
{
  "active": true
}
Once a managed DTS root CA is activated, MATTR VII automatically creates and uses a signer to sign trust lists as required.
With unmanaged (external) DTS certificates, you supply and maintain the full certificate chain. You generate the DTS root CA, issue and sign the VICAL Signer Certificates (VSCs), upload the root and each VSC to MATTR VII, and handle renewal and revocation.
Select the tab for the certificate model you want to configure. For guidance on choosing a model, see certificate models: 2-tier and 3-tier.
In the 2-tier model, the DTS root CA certificate directly signs the VICAL Signer Certificate (VSC).
Generate a self-signed root certificate (DTS root CA)
Use your preferred cryptographic library or tool to generate a self-signed root certificate (DTS root CA). In the 2-tier model, this certificate directly signs the signer certificate. Ensure it meets the requirements specified in ISO/IEC 18013-5:2021 and in the certificate requirements section.
When using unmanaged (external) certificates, the DTS provider assumes full responsibility for the secure management of the uploaded root certificates and all subordinate certificates. This includes ensuring the protection, proper issuance, and timely revocation of certificates under the uploaded root, as MATTR VII does not manage or monitor these certificates on the DTS provider's behalf.
Register the external DTS root CA certificate with MATTR VII
- Expand the Platform Management menu in the navigation panel on the left-hand side.
- Click on Certificates.
- Select Create new.
- Use the Type dropdown to select DTS CA.
- Use the Management method dropdown to select Externally managed.
- Paste/upload the PEM-encoded DTS root CA certificate into the Certificate PEM file field. The certificate must meet the following requirements:
  - Valid
  - Not expired
  - Compliant with ISO/IEC 18013-5:2021
- Select Create to register the unmanaged DTS root CA certificate.
The newly created unmanaged DTS root CA is created in an inactive state. You can only activate it after you create at least one signer associated with this DTS root CA.
Make a request of the following structure to create an unmanaged DTS root CA:
POST /v1/ecosystems/certificates/ca
{
  "certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIICDjCCAbSgAwIBAgIKdeZsA5NPKimuAzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\n...\r\n-----END CERTIFICATE-----\r\n"
}
- certificatePem: This required parameter contains the PEM-encoded DTS root CA certificate. The certificate must meet the following requirements:
  - Valid
  - Not expired
  - Compliant with ISO/IEC 18013-5:2021
The response will include an id property, which is a unique identifier for the unmanaged DTS root CA. This identifier will be used in subsequent operations to reference this unmanaged DTS root CA.
Create a VICAL Signer
Create a VICAL Signer under the DTS root CA. In the 2-tier model, the VICAL Signer references the DTS root CA directly.
- On the detail page of the DTS root CA you just registered, scroll down to the VSC – VICAL Signer Certificate section and select Add new.
- Select the Create button.
MATTR VII creates a VICAL Signer in a pending state and generates a Certificate Signing Request (CSR) for it.
Make a request of the following structure to create a VICAL Signer that references the unmanaged DTS root CA:
POST /v1/ecosystems/certificates/vical-signers
{
  "caId": "080c670a-2e90-4023-b79f-b706e55e9bc6"
}
- caId: Replace with the id value obtained when you created the unmanaged DTS root CA in the previous step. Attempts to provide a managed DTS root CA identifier for manual VICAL Signer creation will result in an error.
The response will include two properties which you will use later in this guide:
- id: The unique identifier for the VICAL Signer. This identifier will be used in subsequent operations to reference this VICAL Signer.
- csrPem: The X.509 Certificate Signing Request (CSR) in PEM format. You will use this CSR to generate a valid VICAL Signer Certificate (VSC) in the next step.
Generate and sign the VICAL Signer Certificate (VSC)
- Use the Download or Copy buttons in the Step 1. Download the VSC Certificate Signing Request (CSR) section of the VICAL Signer detail page to obtain the CSR.
- Using your preferred cryptographic library or tool, generate and sign a VICAL Signer Certificate (VSC) using the CSR from the previous step. In the 2-tier model, the VSC must be signed by the DTS root CA's private key. Refer to the VSC specific requirements section for details on how to structure a valid VSC.
Associate the VSC with the VICAL Signer
Upload the signed VSC to the VICAL Signer and activate it.
- On the VICAL Signer detail page, under Step 2. Upload signed VSC, paste/upload the PEM-encoded VSC into the Certificate PEM file field.
- Use the Status radio button to set the VICAL Signer to Active.
- Select Update to associate the VSC and activate the VICAL Signer.
Make a request of the following structure to update the VICAL Signer to activate and associate it with the generated VSC:
PUT /v1/ecosystems/certificates/vical-signers/{vicalSignerId}
- vicalSignerId: Replace with the id value obtained when you created the VICAL Signer in the previous step.
{
  "active": true,
  "certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIICbzCCAhSgAwIBAgIKfS7sskyJEh+DOzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\n...\r\n-----END CERTIFICATE-----\r\n"
}
- active: This required boolean indicates whether the VICAL Signer is active or not. Can only be set to true when a certificatePem is provided. Only active VICAL Signers can be used to sign VICALs.
- certificatePem: This required parameter contains the PEM-encoded VSC created in the previous step.
Activate the DTS root CA
- Navigate back to the Certificates page in the MATTR Portal.
- Select the DTS root CA you created in the first step.
- Use the Status radio button to set the DTS root CA to Active.
- Select Update to activate the DTS root CA.
Make a request of the following structure to update the unmanaged DTS root CA and activate it:
PUT /v1/ecosystems/certificates/ca/{dtsCaCertificateId}
- dtsCaCertificateId: Replace with the id value obtained when you registered the unmanaged DTS root CA.
{
  "active": true
}
In the 3-tier model, a DTS intermediate CA certificate sits between the DTS root CA and the VICAL Signer Certificate (VSC). The DTS root CA signs the intermediate CA, and the intermediate CA signs the VSC.
Generate a self-signed root certificate (DTS root CA)
Use your preferred cryptographic library or tool to generate a self-signed root certificate (DTS root CA). In the 3-tier model, this certificate will be used to sign the DTS intermediate CA certificate (rather than signing the signer certificate directly). Ensure it meets the requirements specified in ISO/IEC 18013-5:2021 and in the DTS root CA specific requirements section.
When using unmanaged (external) certificates, the DTS provider assumes full responsibility for the secure management of the uploaded root certificates and all subordinate certificates. This includes ensuring the protection, proper issuance, and timely revocation of certificates under the uploaded root, as MATTR VII does not manage or monitor these certificates on the DTS provider's behalf.
Register the external DTS root CA certificate with MATTR VII
Register the DTS root CA and enable the 3-tier model so it requires an intermediate CA in its chain of trust.
- Expand the Platform Management menu in the navigation panel on the left-hand side.
- Click on Certificates.
- Select Create new.
- Use the Type dropdown to select DTS CA.
- Use the Management method dropdown to select Externally managed.
- Paste/upload the PEM-encoded DTS root CA certificate into the Certificate PEM file field. The certificate must meet the following requirements:
  - Valid
  - Not expired
  - Compliant with ISO/IEC 18013-5:2021
- Under Certificate chain, select Three-tier with Intermediate CAs. This configures the DTS root CA to sign an intermediate CA rather than signing the signer certificate directly.
- Select Create to register the unmanaged DTS root CA certificate.
The newly created unmanaged DTS root CA is created in an inactive state. You can only activate it after you create a DTS intermediate CA and at least one signer associated with it.
Make a request of the following structure to create an unmanaged DTS root CA. To enable the 3-tier model, set useIntermediateCa to true:
POST /v1/ecosystems/certificates/ca
{
  "certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIICDjCCAbSgAwIBAgIKdeZsA5NPKimuAzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\n...\r\n-----END CERTIFICATE-----\r\n",
  "useIntermediateCa": true
}
- certificatePem: This required parameter contains the PEM-encoded DTS root CA certificate. The certificate must meet the following requirements:
  - Valid
  - Not expired
  - Compliant with ISO/IEC 18013-5:2021
- useIntermediateCa: Set this to true to require and use intermediate CA certificates as part of this DTS root CA's chain of trust. This field can only be set for unmanaged (external) DTS root CA certificates. Changing this value later requires deleting all subordinate certificates.
The response will include an id property, which is a unique identifier for the unmanaged DTS root CA. This identifier will be used in subsequent operations to reference this unmanaged DTS root CA.
Generate and sign the DTS intermediate CA certificate
Use your preferred cryptographic library or tool to generate a DTS intermediate CA certificate and sign it with the DTS root CA private key. Ensure it meets the DTS intermediate CA specific requirements, including matching the country of the DTS root CA and remaining within the DTS root CA's validity period.
Unlike the signer certificate, MATTR VII does not issue a Certificate Signing Request (CSR) for the intermediate CA. You generate the intermediate CA's key pair and sign its certificate entirely within your own PKI, then upload the finished certificate in the next step.
Register the DTS intermediate CA certificate with MATTR VII
Register the signed intermediate CA certificate under the DTS root CA you created in the previous step.
- Scroll down to the Child certificates section.
- In the Intermediate CA section, select Add new.
- Paste/upload the PEM-encoded DTS intermediate CA certificate into the Certificate PEM file field.
- Under Allowed child certificates, select the signer types this intermediate CA is allowed to sign:
  - VSC (VICAL Signer Certificate) to sign a VICAL Signer.
  - RSC (RICAL Signer Certificate) to sign a RICAL Signer.
  Select both if the intermediate CA will sign both signer types.
- Select Create to register the DTS intermediate CA certificate.
Make a request of the following structure to create a DTS intermediate CA certificate under the DTS root CA:
POST /v1/ecosystems/certificates/ca/{dtsCaCertificateId}/intermediate
- dtsCaCertificateId: Replace with the id value obtained when you registered the unmanaged DTS root CA in the previous step.
{
  "certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIICDjCCAbSgAwIBAgIKdeZsA5NPKimuAzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\n...\r\n-----END CERTIFICATE-----\r\n",
  "usages": ["VICAL", "RICAL"]
}
- certificatePem: This required parameter contains the PEM-encoded DTS intermediate CA certificate, signed by the DTS root CA.
- usages: This required parameter specifies the intended usages for this intermediate CA. It must contain at least one value (VICAL, RICAL). Include the list type whose signer will chain to this intermediate CA (use VICAL for a VICAL Signer, RICAL for a RICAL Signer, or both if the intermediate CA will sign both).
The response will include an id property, which is the unique identifier for the DTS intermediate CA certificate. You will use this identifier when creating the signer.
Create a VICAL Signer
Create a VICAL Signer under the DTS intermediate CA. In the 3-tier model, the VICAL Signer references the intermediate CA rather than the DTS root CA.
- Navigate to the Certificates page and select the DTS root CA, then select the DTS intermediate CA you registered in the previous step.
- In the VSC – VICAL Signer Certificate section, select Add new.
MATTR VII creates a VICAL Signer in a pending state and generates a Certificate Signing Request (CSR) for it.
Make a request of the following structure to create a VICAL Signer that references the DTS intermediate CA certificate:
POST /v1/ecosystems/certificates/vical-signers
{
  "intermediateCaId": "080c670a-2e90-4023-b79f-b706e55e9bc6"
}
- intermediateCaId: Replace with the id value obtained when you registered the DTS intermediate CA certificate. In the 3-tier model, the VICAL Signer references the intermediate CA rather than the DTS root CA.
The response will include two properties which you will use later in this guide:
- id: The unique identifier for the VICAL Signer. This identifier will be used in subsequent operations to reference this VICAL Signer.
- csrPem: The X.509 Certificate Signing Request (CSR) in PEM format. You will use this CSR to generate a valid VICAL Signer Certificate (VSC) in the next step.
Generate and sign the VICAL Signer Certificate (VSC)
- Use the Download or Copy buttons in the Step 1. Download the VSC Certificate Signing Request (CSR) section of the VICAL Signer detail page to obtain the CSR.
- Using your preferred cryptographic library or tool, generate and sign a VICAL Signer Certificate (VSC) using the CSR from the previous step. In the 3-tier model, the VSC must be signed by the DTS intermediate CA's private key. Refer to the VSC specific requirements section for details on how to structure a valid VSC.
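The 3-tier signing flow described above (the root signs the intermediate, the intermediate signs the VSC from the CSR), shown as an added Go example that is not MATTR's code. All names, lifetimes and the locally generated CSR are constructed stand-ins, and the certificate extension profile from the requirements sections is assumed to be applied separately; the example checks the constraints this page states and then validates the path with the DTS root CA as the only trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl under parent with the parent's key, using a random serial.
func issue(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 126))
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate sets only fields this page names; the rest of the profile is omitted (assumption).
func caTemplate(cn, country string, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: cn, Country: []string{country}},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// checkIntermediate applies the constraints this page states for the intermediate CA.
func checkIntermediate(root, inter *x509.Certificate) error {
	rc, ic := root.Subject.Country, inter.Subject.Country
	sameCountry := len(rc) == 1 && len(ic) == 1 && rc[0] == ic[0]
	inside := !inter.NotBefore.Before(root.NotBefore) && !inter.NotAfter.After(root.NotAfter)
	if !sameCountry || !inside {
		return fmt.Errorf("intermediate rejected: sameCountry=%t insideRootValidity=%t", sameCountry, inside)
	}
	return inter.CheckSignatureFrom(root) // must be signed by the DTS root CA
}

// signVSC checks the CSR's self-signature, then issues the VSC under the intermediate CA.
func signVSC(csrPEM []byte, inter *x509.Certificate, key *ecdsa.PrivateKey, from, to time.Time) (*x509.Certificate, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil {
		return nil, fmt.Errorf("csrPem is not PEM-encoded")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("CSR unparseable or self-signature invalid (parse error: %v)", err)
	}
	tmpl := &x509.Certificate{Subject: csr.Subject, NotBefore: from, NotAfter: to,
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	return issue(tmpl, inter, csr.PublicKey, key)
}

// buildAndVerify builds a constructed 3-tier chain; nil means every check passed.
func buildAndVerify(interCountry string, interYears int) error {
	now := time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootT := caTemplate("Example DTS Root CA", "US", now.Add(-time.Hour), now.AddDate(10, 0, 0))
	root, err := issue(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return err
	}
	interT := caTemplate("Example DTS Intermediate CA", interCountry, now.Add(-time.Minute), now.AddDate(interYears, 0, 0))
	inter, err := issue(interT, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return err
	}
	if err := checkIntermediate(root, inter); err != nil {
		return err
	}
	// Constructed stand-in for the csrPem value returned when the VICAL Signer is created.
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example VICAL Signer"}}, csrKey)
	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	vsc, err := signVSC(csrPEM, inter, interKey, now.Add(-time.Minute), now.AddDate(1, 0, 0))
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err = vsc.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // path validation, root as sole anchor
	return err
}

func main() { fmt.Println("3-tier chain check:", buildAndVerify("US", 5)) }
```

Running the same checks on your real root, intermediate and VSC before uploading them catches a country mismatch or an intermediate that outlives its root while the fix is still a local re-issue.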
Associate the VSC with the VICAL Signer
Upload the signed VSC to the VICAL Signer and activate it.
- On the VICAL Signer detail page, under Step 2. Upload signed VSC, paste/upload the PEM-encoded VSC into the Certificate PEM file field.
- Use the Status radio button to set the VICAL Signer to Active.
- Select Update to associate the VSC and activate the VICAL Signer.
Make a request of the following structure to update the VICAL Signer to activate and associate it with the generated VSC:
PUT /v1/ecosystems/certificates/vical-signers/{vicalSignerId}
- vicalSignerId: Replace with the id value obtained when you created the VICAL Signer in the previous step.
{
  "active": true,
  "certificatePem": "-----BEGIN CERTIFICATE-----\r\nMIICbzCCAhSgAwIBAgIKfS7sskyJEh+DOzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\n...\r\n-----END CERTIFICATE-----\r\n"
}
- active: This required boolean indicates whether the VICAL Signer is active or not. Can only be set to true when a certificatePem is provided. Only active VICAL Signers can be used to sign VICALs.
- certificatePem: This required parameter contains the PEM-encoded VSC created in the previous step.
Activate the DTS root CA
- Navigate back to the Certificates page in the MATTR Portal.
- Select the DTS root CA you created in the first step.
- Use the Status radio button to set the DTS root CA to Active.
- Select Update to activate the DTS root CA.
Make a request of the following structure to update the unmanaged DTS root CA and activate it:
PUT /v1/ecosystems/certificates/ca/{dtsCaCertificateId}
- dtsCaCertificateId: Replace with the id value obtained when you registered the unmanaged DTS root CA.
{
  "active": true
}
Manually Publish a VICAL
After you have set up the signing certificate chain, you can publish a VICAL that includes your participants and their associated credential types. When you publish the VICAL, the MATTR VII platform will sign a VICAL that includes the information you provided for each participant, along with the PEM-encoded IACA certificate.
- Navigate to the Trust lists page under the Digital Trust Service section.
- Select the VICAL (Trusted issuers) tab.
- Enter a meaningful Provider name to identify the provider of the VICAL. This will be included in the VICAL metadata and used by relying parties to identify the source of the VICAL.
- Select the Create button.
- Review the preview area where you can see all participants and credential types included in the VICAL.
- Select Generate & Publish when you are ready. The VICAL is now generated and published, and a modal is displayed where you can:
  - Use the Download button to download the VICAL policy file.
  - Use the Copy button to copy a link to the public endpoint where relying parties can access the policy.
First, make a request of the following structure to update the VICAL configuration and set the VICAL provider name. A VICAL configuration is required before a VICAL can be created:
PUT /v1/ecosystems/{ecosystemId}/vicals/configuration
- ecosystemId: Replace with the id value of your ecosystem.
{
  "vicalProvider": "Example Provider"
}
- vicalProvider: This required parameter is the provider name included in the VICAL metadata and used by relying parties to identify the source of the VICAL.
Then, make a request of the following structure to create (generate and publish) a VICAL based on your ecosystem policy:
POST /v1/ecosystems/{ecosystemId}/vicals
The response includes the vicalIssueID and issuance date of the published VICAL. Relying parties can retrieve it from the public Retrieve latest VICAL endpoint:
curl -o vical-latest.cbor \
  https://your-tenant.vii.au01.mattr.global/v1/ecosystems/{ecosystemId}/vicals/public/latest
Configure VICAL auto-generation and publishing (optional)
You can optionally set up auto-generation of your VICAL so it is generated and published on a schedule.
- Return to the Trust lists page under the Digital Trust Service section.
- Select the VICAL (Trusted issuers) tab.
- Expand the VICAL configuration panel.
- Use the Generation method radio button to select Auto generate.
- Use the Auto generate frequency dropdown list to select how often you want the VICAL to be automatically generated and published (daily/weekly).
- Select the Update button.
- Review the preview area where you can see all participants and credential types included in the VICAL.
Note that the VICAL is not generated and published yet. It will only be generated and published automatically based on the frequency you selected in step 5 above. If you want to generate and publish the VICAL immediately, you can select the Generate & Publish button.
Make a request of the following structure to update the VICAL configuration and enable scheduled auto-publishing:
PUT /v1/ecosystems/{ecosystemId}/vicals/configuration
{
  "vicalProvider": "Example Provider",
  "autoPublish": {
    "enabled": true,
    "frequency": "Daily"
  }
}
- autoPublish.enabled: Set to true to enable scheduled automatic generation and publishing of the VICAL.
- autoPublish.frequency: Required when enabled is true. How often the VICAL is automatically generated and published. One of Daily or Weekly.
When auto-publishing is enabled, the VICAL is generated and published automatically on the schedule you set. You can still generate and publish a VICAL immediately at any time by calling the Create a VICAL endpoint.
View Previously Published VICALs (optional)
- Return to the Trust lists page under the Digital Trust Service section.
- Select the VICAL (Trusted issuers) tab.
- Scroll down and select the View Previously Published button to see all previously published VICALs.
- Use the Download button to download the policy file for any previously published VICAL displayed.
Make a request of the following structure to retrieve all VICALs published in your ecosystem. This endpoint is public and does not require authentication:
GET /v1/ecosystems/{ecosystemId}/vicals/public
The response is a JSON list of the published VICALs with their vicalIssueID, issuance date, and filename. To download a specific VICAL policy file (a CBOR-encoded file), call the Retrieve a VICAL endpoint with the relevant vicalIssueId:
curl -o vical.cbor \
  https://your-tenant.vii.au01.mattr.global/v1/ecosystems/{ecosystemId}/vicals/public/{vicalIssueId}
Next steps
Now that you have published your VICAL, you can share the public endpoint with relying parties so they can consume the VICAL and establish trust in the issuers and credential types included in it. You can also refer to the VICAL consumption guide to learn how relying parties can consume, validate and use a VICAL.