Overview
The VICAL Service publishes signed Verifiable Issuer Certificate Authority Lists (VICALs) for mdoc and mDL ecosystems. Each published version is built from the vical-entry certificates stored in its linked X.509 Store services.
The VICAL Service is controlled by the vical feature flag. The flag is disabled by default, and the checked-in enterprise _features.conf leaves it commented out. Add vical to enabledFeatures before using the publication or public registry routes.
Service Dependencies
The VICAL Service uses linked Key Management Services and X.509 Store services. The signing key is resolved from KMS. The signer certificate, optional signer certificate chain, and publishable IACA entries are resolved from X.509 stores.
Each publication reads all attached X.509 stores and includes every stored vical-entry certificate in the generated VICAL.
More specifically, the VICAL service configuration references:
- A signing key stored in a Key Management Service.
- The VICAL signer's certificate stored in an X.509 Store Service.
- An optional signer certificate chain when the signer certificate is not self-signed, all entries of which are also stored in an X.509 Store Service.
Core Features
- Publish a new signed VICAL version from the current vical-entry data found across linked X.509 stores.
- List published version targets for reuse with version-specific registry routes.
- Resolve the latest published artifact, manifest, and trust material through public endpoints.
- Resolve a specific published artifact, manifest, and trust material by version target.
- Return registry artifacts as hex, base64, or raw cbor.
Get Started
- Setup - Create the service, configure the signer references, and attach X.509 stores.
- Publish and Resolve VICAL Versions - Publish a version and use the latest or version-specific registry endpoints.
