Setup
Create a VICAL Service when you need to publish signed VICAL feeds from stored IACA certificates.
Before you start
- Have an existing signing key available, typically in a Key Management Service.
- Have an existing signer certificate stored in an X.509 Store Service.
- If the signer certificate is not self-signed, have the signer certificate chain stored as separate certificates as well.
- If you need source entries for publication, add vical-entry records to an X.509 Store Service.
Create the service
Endpoint: /v1/{target}/resource-api/services/create | API Reference
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "vical-service",
"signingKeyId": "test.tenant1.kms1.vical-signing-key",
"signerCertificateId": "test.tenant1.x509-store-1.vical-signer",
"signerCertificateChainIds": [
"test.tenant1.x509-store-1.vical-root"
]
}'
Body
{
"type": "vical-service",
"signingKeyId": "test.tenant1.kms1.vical-signing-key",
"signerCertificateId": "test.tenant1.x509-store-1.vical-signer",
"signerCertificateChainIds": [
"test.tenant1.x509-store-1.vical-root"
]
}
Path Parameters
- orgID: When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.waltid.dev when using the sandbox environment.
- target: resourceIdentifier - The target indicates the organization + tenant in which to create the new VICAL service and the service's ID ({organizationID}.{tenantID}.[NewVicalServiceID]), e.g. test.tenant1.vical-service.
Body Parameters
- type: serviceType - Specifies the type of service to create. In this case vical-service.
- signingKeyId: resourceIdentifier - Fully-qualified path of the signing key used to sign published VICAL artifacts.
- signerCertificateId: resourceIdentifier - Fully-qualified path of the stored signer certificate that matches signingKeyId.
- signerCertificateChainIds: resourceIdentifier - Optional list of fully-qualified stored certificate paths representing the signer certificate chain.
Response Codes
- 201 - Service created successfully.
The signer certificate must match the configured signing key. If the signer certificate is self-signed, omit signerCertificateChainIds. If it is not self-signed, provide a populated certificate chain.
The KMS service that owns signingKeyId and the X.509 Store services that own the configured certificate IDs are required dependencies for the VICAL Service.
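The signer rules above can be checked locally before calling the create endpoint. The script below is an added example, not part of the walt.id documentation or API; it assumes the signer certificate and the public half of the KMS signing key have been exported to local PEM files, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not walt.id code. Assumes the signer certificate and the
# public half of the KMS signing key were exported to local PEM files.
# Usage: preflight.sh <signingKeyId> <signerCertificateId> <cert.pem> <pubkey.pem> [chainId...]

# Succeeds only if the certificate carries exactly the given public key.
cert_matches_key() {  # <cert.pem> <pubkey.pem>
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin 2>/dev/null)
  key_pub=$(openssl pkey -pubin -in "$2" 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if subject == issuer and the signature verifies under the
# certificate's own key (-check_ss_sig forces that signature check).
is_self_signed() {  # <cert.pem>
  [ "$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)" ] &&
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print the services/create body, or fail if a signer rule is broken.
build_create_body() {  # <signingKeyId> <signerCertificateId> <cert.pem> <pubkey.pem> [chainId...]
  key_id=$1; cert_id=$2; cert=$3; pub=$4; shift 4
  cert_matches_key "$cert" "$pub" ||
    { echo "signer certificate does not match signing key" >&2; return 1; }
  base="\"type\":\"vical-service\",\"signingKeyId\":\"$key_id\",\"signerCertificateId\":\"$cert_id\""
  if is_self_signed "$cert"; then
    # Self-signed signer: the chain field must be omitted entirely.
    [ $# -eq 0 ] ||
      { echo "self-signed signer: omit signerCertificateChainIds" >&2; return 1; }
    printf '{%s}\n' "$base"
  else
    # CA-issued signer: at least one chain certificate ID is required.
    [ $# -gt 0 ] ||
      { echo "CA-issued signer: signerCertificateChainIds required" >&2; return 1; }
    chain=$(printf '"%s",' "$@")
    printf '{%s,"signerCertificateChainIds":[%s]}\n' "$base" "${chain%,}"
  fi
}

if [ $# -ge 4 ]; then build_create_body "$@"; fi
```

The printed JSON can be passed to curl with -d in the create request shown above.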
Attach an X.509 Store service
Attach one or more X.509 Store services so the VICAL Service has vical-entry certificates to publish.
Endpoint: /v1/{target}/vical-service-api/dependencies/add | API Reference
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/vical-service-api/dependencies/add' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '"test.tenant1.x509-store-1"'
Path Parameters
- orgID: When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.waltid.dev when using the sandbox environment.
- target: resourceIdentifier - The target indicates the organization + tenant + VICAL service to which to add an existing dependency service ({organizationID}.{tenantID}.{vicalServiceID}), e.g. test.tenant1.vical-service.
Body Parameters
- dependency: String - JSON string containing the fully-qualified path of the X.509 Store service to link, for example test.tenant1.x509-store-1.
Response Codes
- 201 - Dependency attached successfully.
Each publication reads all attached X.509 stores and includes only stored entries of type vical-entry. If no attached store contains at least one vical-entry, publication cannot succeed.
You can inspect or update the signer references later through /v1/{target}/vical-service-api/configuration/view and /v1/{target}/vical-service-api/configuration/update.
