Add VICAL to Validator Configuration

This guide shows how to configure validator trusted issuer roots from a VICAL source using:

  • vical-url (fetch from URL)
  • vical (inline base64-encoded bytes)

Before you start:

  • You can edit your validator configuration in the dashboard or via the management API
  • You have a VICAL source:
    • URL to a binary VICAL file (.vical / COSE/CBOR), or
    • Local VICAL file bytes to encode in base64

Add entries under:

{
  "policies": {
    "trustedIssuer": {
      "trustedIssuerRootCertificates": []
    }
  }
}

Each VICAL source is one item in trustedIssuerRootCertificates.

Use this when your VICAL is hosted and can be fetched by the validator.

{
  "type": "vical-url",
  "url": "https://unfold.mdoc.online/trustedlists/Vical.vical",
  "vicalTrustedCertificates": []
}

vicalTrustedCertificates accepts PEM certificates used to verify the VICAL signature chain.

  • [] means trustless mode: VICAL signature trust validation is skipped, so the VICAL contents are used without checking who signed them
  • Include PEM root/intermediate certificates to enforce VICAL signature trust

Use this when you want to embed the VICAL bytes directly in configuration.

{
  "type": "vical",
  "cbor": "<base64-encoded-vical-bytes>",
  "vicalTrustedCertificates": []
}

Important:

  • cbor must be base64 of the raw .vical binary bytes
  • Do not paste JSON or PEM into cbor

macOS/Linux:

base64 /path/to/Vical.vical | tr -d '\n'

Use the command output as the cbor value.

This example configures both URL and inline VICAL sources:

{
  "policies": {
    "trustedIssuer": {
      "skip": false,
      "trustedIssuerRootCertificates": [
        {
          "type": "vical-url",
          "url": "https://unfold.mdoc.online/trustedlists/Vical.vical",
          "vicalTrustedCertificates": []
        },
        {
          "type": "vical",
          "cbor": "<base64-encoded-vical-bytes>",
          "vicalTrustedCertificates": []
        }
      ]
    }
  }
}
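
A check to run on the configuration before saving it, as an added example that is not part of the original guide or the validator's own tooling: it flags entries left in trustless mode and cbor values that are not clean base64 of a binary VICAL. It assumes a VICAL is a COSE_Sign1 structure and inspects only its leading bytes; the function names and the sample values are constructed for illustration.

```python
import base64
import binascii

def check_cbor(value):
    """Return problems with an inline `cbor` value (empty list if none)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return ["cbor is not clean single-line base64 (newline, PEM or JSON pasted?)"]
    # Assumption: a VICAL is a COSE_Sign1, i.e. a 4-element CBOR array (0x84),
    # optionally wrapped in CBOR tag 18 (0xD2). Only the leading bytes are checked.
    if raw[:1] == b"\x84" or raw[:2] == b"\xd2\x84":
        return []
    return ["decoded cbor does not start like a COSE_Sign1 structure"]

def lint_vical_sources(config):
    """Return (index, level, message) findings for vical / vical-url entries."""
    findings = []
    entries = (config.get("policies", {}).get("trustedIssuer", {})
               .get("trustedIssuerRootCertificates", []))
    for i, entry in enumerate(entries):
        kind = entry.get("type")
        if kind not in ("vical", "vical-url"):
            continue  # other entry types are outside this check
        certs = entry.get("vicalTrustedCertificates", [])
        if not certs:
            findings.append((i, "warn", "trustless mode: VICAL signature trust not validated"))
        for pem in certs:
            if "-----BEGIN CERTIFICATE-----" not in pem:
                findings.append((i, "error", "vicalTrustedCertificates item is not PEM"))
        if kind == "vical-url" and not entry.get("url"):
            findings.append((i, "error", "vical-url entry has no url"))
        if kind == "vical":
            findings += [(i, "error", m) for m in check_cbor(entry.get("cbor"))]
    return findings

# Constructed sample: stub bytes shaped like a tagged COSE_Sign1, not a real VICAL.
STUB = base64.b64encode(bytes.fromhex("d28443a10126a04040")).decode()
SAMPLE = {"policies": {"trustedIssuer": {"trustedIssuerRootCertificates": [
    {"type": "vical", "cbor": STUB, "vicalTrustedCertificates": []},
    {"type": "vical", "cbor": STUB + "\n", "vicalTrustedCertificates": []},
    {"type": "vical", "cbor": base64.b64encode(b'{"a": 1}').decode(),  # JSON, wrongly encoded
     "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"]},
]}}}

if __name__ == "__main__":
    for index, level, message in lint_vical_sources(SAMPLE):
        print(f"entry {index}: {level}: {message}")
```

A passing check only means the value has the right shape; it does not verify the VICAL signature, which remains the validator's job when vicalTrustedCertificates is populated.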

After saving the configuration:

  1. Run a validator test request with a credential issued by a certificate present in your VICAL.
  2. Confirm trusted issuer policy succeeds.
  3. If you expected signature trust validation, verify vicalTrustedCertificates contains the expected PEM chain.