Learn how to set up a VICAL
Introduction
The purpose of a Verified Issuer Certificate Authority List (VICAL) is to enable different participants in a digital ecosystem to rely on a single trusted framework.
This guide will walk you through using the Portal to set up a VICAL and publish a policy that defines trusted participants and credential types.
Prerequisites
- Make sure you understand the concepts of a VICAL and how it relates to a Digital Trust Service (DTS).
- You need access to an existing MATTR VII tenant with either the DTS Provider or Admin role. Refer to the Getting started with the Portal tutorial to learn how to create a tenant and assign roles.
Guide overview
Publishing a VICAL comprises the following steps:
- Create an Ecosystem: This is the overarching entity that holds participants and credential types together. Only required if you don't already have an ecosystem on your tenant.
- Create participants: These are the issuers that will be part of the VICAL. Each participant includes an IACA certificate and the credential types they are allowed to issue.
- Manually publish a VICAL: Create a DTS root CA as the trust anchor, then generate and publish a VICAL that includes your participants and their credential types.
- Configure VICAL auto-generation and publishing (optional): Set the VICAL to automatically generate and publish on a daily or weekly schedule.
- View previously published VICALs (optional): Review the history of previously published VICALs and download their policy files.
Create an Ecosystem
This step is only required if you don't have an existing ecosystem on your tenant. If you already have an ecosystem, you will not see the option to create a new one and should skip directly to the next step.
Perform the following steps to create an Ecosystem:
- Log in to the Portal.
- Navigate to the Ecosystem page under the Digital Trust Service section.
- Enter a name for your Ecosystem, such as "My Digital Trust Service".
- Select the Create button.
Create participants
Participants are entities that represent issuers that will be included in the VICAL. For each participant, you will need to upload an IACA certificate that will be used as the trust anchor when signing mDocs, and define what credential types they are allowed to issue.
Perform the following steps to create a participant:
- Select the Participants page under the Digital Trust Service section (this page is only visible if you have an existing ecosystem; if you don't have one, return to step 1 above and create it first).
- Select the Create new button. The Create participant form appears, starting from Step 1 (Details).
- Insert a meaningful Name for the participant (e.g. "Montcliff DMV").
- Use the Country dropdown list to select the Participant’s country (optional). Note that when selected, this value must match the Country value in the IACA certificate associated with this participant.
- If you select a country, a State or Province dropdown list is displayed. You can use it to select the Participant’s state or province (optional). Note that when selected, this value must match the StateOrProvinceName value in the IACA certificate associated with this participant.
- Insert the participant’s Address (optional).
- Insert the participant’s Phone number (optional).
- Use the Status radio button to set the participant as Active.
- Click the Next button. You are directed to Step 2 (Certificates).
- Select the Add new button.
- Upload the PEM file you want to use as this participant’s identifier for issuing mDocs (this must be a valid IACA certificate and match any values set for Country and State or Province above). You should now see the certificate summary and details.
- Use the Credential types valid for text box to insert the credential types that this participant will be allowed to issue.
- You can insert as many credential types as you want.
- You can use the pre-populated options (org.iso.18013.5.1.mDL and/or org.iso.23220.photoid.1) or insert custom credential types that are relevant to your ecosystem.
- The credential type is just a string value and does not need to match any values in the certificate. It is only used to link the participant to the credential types they are allowed to issue.
- Scroll down and use the Certificate status dropdown list to set the certificate as Active.
- Click the Add button.
- Click Create.
Repeat the above steps for each participant you want to include in your VICAL.
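As an added example (not MATTR code), a pre-upload check for the Country and State or Province match described above: it reads the subject Name of a PEM certificate with a minimal DER walker and reports any field that would not match what you entered in the form. The sample certificate is a constructed, unsigned stand-in with a real-shaped subject, and the helper does not verify signatures, validity or the IACA profile itself.

```python
import base64

OID_COUNTRY = bytes.fromhex("550406")  # 2.5.4.6 countryName
OID_STATE = bytes.fromhex("550408")    # 2.5.4.8 stateOrProvinceName

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # iterate the TLVs directly inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def subject_attributes(pem):
    # Return {oid_bytes: text} for the subject Name of a PEM-encoded certificate
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                      # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                       # drop the optional [0] version
        fields = fields[1:]
    subject = fields[4][1]  # serial, signature, issuer, validity, subject
    attrs = {}
    for _, rdn in _children(subject):              # RDNSequence -> SET OF
        for _, atv in _children(rdn):              # AttributeTypeAndValue
            (_, oid), (_, val) = list(_children(atv))
            attrs[oid] = val.decode()              # PrintableString / UTF8String
    return attrs

def participant_mismatches(pem, country, state=None):
    # Portal fields that would not match this certificate (empty list = consistent)
    attrs, problems = subject_attributes(pem), []
    if attrs.get(OID_COUNTRY) != country:
        problems.append(f"Country: form={country!r} cert={attrs.get(OID_COUNTRY)!r}")
    if state is not None and attrs.get(OID_STATE) != state:
        problems.append(f"State or Province: form={state!r} cert={attrs.get(OID_STATE)!r}")
    return problems

def _der(tag, content):  # tiny DER encoder, only used to build the constructed sample
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def sample_iaca_pem(country, state):
    # Constructed, unsigned stand-in with a real-shaped subject; not a usable IACA
    atv = lambda oid, s: _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x13, s.encode())))
    name = _der(0x30, atv(OID_COUNTRY, country) + atv(OID_STATE, state))
    validity = _der(0x30, _der(0x18, b"20250101000000Z") + _der(0x18, b"20350101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D040302"))) + name + validity + name)
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Run `participant_mismatches(open("iaca.pem").read(), "US", "Montcliff")` against the real PEM before uploading; an empty result means the form values and the certificate agree.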
Manually Publish a VICAL
After you have created your participants, you can publish a VICAL that includes these participants and their associated credential types. When you publish the VICAL, the MATTR VII platform will sign a VICAL that includes the information you provided for each participant, along with the PEM-encoded IACA certificate.
Perform the following steps to publish your DTS policy as a VICAL:
Create a DTS root CA
Each VICAL must be linked to a trusted root CA via a chain of trust. This is what will be used by consuming relying parties as the trust anchor to validate the authenticity and integrity of the VICAL.
If you already have an existing DTS root CA that you want to use as the trust anchor for your VICAL, you can skip this step.
Perform the following steps to create a DTS root CA:
- Navigate to the Certificates page under the Platform Management section.
- Select the Create new button. The New certificate form appears.
- Use the Type dropdown list to select DTS CA.
- Use the Management method radio button to select MATTR managed.
- Enter a meaningful name in the Organisation field to identify the organization that will be signing the policy.
- Use the Country dropdown list to select the country where the organization is located.
- Select the Create button.
- Scroll down and use the Status radio button to select Active.
- Select the Update button.
Your new DTS root CA is now ready and can be used to establish trust in your VICAL.
Publish a VICAL
- Navigate to the Trust lists page under the Digital Trust Service section.
- Select the VICAL (Trusted issuers) tab.
- Enter a meaningful Provider name to identify the provider of the VICAL. This will be included in the VICAL metadata and used by relying parties to identify the source of the VICAL.
- Select the Create button.
- Review the preview area where you can see all participants and credential types included in the VICAL.
- Select Generate & Publish when you are ready.
The VICAL is now generated and published, and a modal is displayed where you can:
- Use the Download button to download the VICAL policy file.
- Use the Copy button to copy a link to the public endpoint where relying parties can access the policy.
Configure VICAL auto-generation and publishing (optional)
You can optionally set up auto-generation of your VICAL by performing the following steps:
- Return to the Trust lists page under the Digital Trust Service section.
- Select the VICAL (Trusted issuers) tab.
- Expand the VICAL configuration panel.
- Use the Generation method radio button to select Auto generate.
- Use the Auto generate frequency dropdown list to select how often you want the VICAL to be automatically generated and published (daily/weekly).
- Select the Update button.
- Review the preview area where you can see all participants and credential types included in the VICAL.
Note that the VICAL is not generated and published yet. It will only be generated and published automatically based on the frequency you selected in step 5 above. If you want to generate and publish the VICAL immediately, you can select the Generate & Publish button.
View Previously Published VICALs (optional)
- Return to the Trust lists page under the Digital Trust Service section.
- Select the VICAL (Trusted issuers) tab.
- Scroll down and select the View Previously Published button to see all previously published VICALs.
You can use the Download button to download the policy file for any previously published VICAL displayed.
Next steps
Now that you have published your VICAL, you can share the public endpoint with relying parties so they can consume the VICAL and establish trust in the issuers and credential types included in it. You can also refer to the VICAL consumption guide to learn how relying parties can consume, validate and use a VICAL.