Step 1 - Generating Keys and Certificates
As explained earlier, there are three options for how signing keys are managed:
- Signing using a corporate signing key managed by ADSS Server - Typically in such cases there will be a small number of keys (e.g. one for the sales department, one for the accounts department, etc.) and these can be generated manually by the ADSS operator using the Key Manager as explained in this section.
- Signing using individual user keys managed by ADSS Server - If the environment has many hundreds or thousands of users then the ADSS operator manually generating and certifying keys for each user through the Key Manager GUI is not an effective solution. For such scenarios the online ADSS Certification Service is recommended. This can automatically generate and certify keys on behalf of business applications through the web services API.
- Signing using client-side keys (e.g. in Windows CAPI stores or on a smartcard) - In this case the generation of keys and certificates and their distribution to end users is outside the scope of ADSS Server. ADSS Server, and in particular the Go>Sign applet, assumes that the signing keys exist and are available through the Microsoft CAPI environment. The Go>Sign applet can also access signing keys through the PKCS#11 interface on non-Windows platforms.
To generate keys within the Key Manager module, see the section Generating New Keys; to import keys issued by third parties into ADSS Server, see the section Importing Keys. Note that keys you want to import MUST be in PKCS#12/PFX format. When generating or importing a key for document signing, select the key purpose "Document Signing". Keys held in a PKCS#11 device can also be used for document signing; see the section Crypto Source to configure the device and import its keys.
Once the key pair is generated, the public key needs to be certified. It can be certified by creating Self Signed Certificates and/or Delegated Certificates.
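As an added example (not code from the ADSS Server documentation or from Ascertia), the following POSIX shell script prepares a PKCS#12/PFX bundle of the kind the Importing Keys step expects and checks it before it reaches the Key Manager: it generates an RSA key pair, issues a self-signed certificate whose key usage is limited to signing, packs both under a password, and then confirms that the bundle opens, that the certificate permits digital signatures, and that the private key actually belongs to the certificate. The subject name, password, file names and the document-signing extended key usage OID 1.3.6.1.4.1.311.10.3.12 are assumptions chosen for illustration; whether ADSS Server reads that extension is not stated on this page, and the "Document Signing" key purpose is still selected in the Key Manager itself.

```shell
#!/bin/sh
# Added example, not part of the ADSS Server documentation.
# Assumptions: OpenSSL 1.1.1 or later is installed; subject names, the
# password and the EKU OID below are illustrative values, not ADSS defaults.
set -eu

# make_signing_pfx DIR NAME PASSWORD
# Generates an RSA key pair plus a self-signed certificate restricted to
# signing, and packs them into DIR/NAME.pfx. Prints the path of the bundle.
make_signing_pfx() {
    dir=$1; name=$2; pass=$3
    # Request configuration: no interactive prompts, signing-only extensions.
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
O = Example Corp
[v3_sign]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = 1.3.6.1.4.1.311.10.3.12
subjectKeyIdentifier = hash
EOF
    # Key pair and self-signed certificate in one step.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/$name.cnf" -extensions v3_sign \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    # PKCS#12/PFX bundle: the format the import step requires.
    openssl pkcs12 -export -name "$name" \
        -inkey "$dir/$name.key" -in "$dir/$name.crt" \
        -passout "pass:$pass" -out "$dir/$name.pfx"
    echo "$dir/$name.pfx"
}

# verify_signing_pfx PFX PASSWORD
# Exit 0 only if the bundle opens with PASSWORD, the certificate's key usage
# allows digital signatures, and the private key matches the certificate.
verify_signing_pfx() {
    pfx=$1; pass=$2
    cert=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null) || return 1
    key=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null) || return 1
    # A certificate whose key usage lacks Digital Signature cannot be used
    # for document signing, whatever purpose is selected at import time.
    printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' || return 1
    # The private key inside the bundle must belong to the certificate.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demonstration run in a scratch directory with constructed values.
work=$(mktemp -d)
pfx=$(make_signing_pfx "$work" "sales-dept-signer" "ChangeMe-Pass123")
if verify_signing_pfx "$pfx" "ChangeMe-Pass123"; then
    echo "OK: $pfx passed the pre-import checks"
else
    echo "FAIL: $pfx did not pass the pre-import checks"
fi
```

The verification step is the part worth keeping in an operational runbook: a bundle that opens but carries an encipherment-only certificate, or a key that does not match its certificate, will only fail later, at signing time. If the importing system cannot read the bundle, OpenSSL 3 can write the older PKCS#12 encryption scheme with `openssl pkcs12 -export -legacy`.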
See also
Step 2 - Registering CAs
Step 3 - Configuring CRL Monitor
Step 4 - Configuring Signing Profile
Step 5 - Registering Business Applications
Step 6 - Using the Service Manager