ADSS Certification Service
ADSS Certification Service module provides Certificate Authority services to client applications that act as RAs and request the creation of asymmetric key pairs and/or send a public key for certification. RFC 2797 CMC protocols are supported, as are SOAP/XML web services for applications that need extended functionality such as user registration, key generation and roaming credential management.
Once the keys are certified they can be referenced for other purposes, for example within ADSS Signing Service request messages by client applications. ADSS Server uses the identified private key to sign the requested document. ADSS Server ensures that the client application that registered the key is the one that is later allowed to use it, i.e. the key is reserved for use by the owning client application only.
ADSS Certification Service can be used by business applications to automatically request the generation and certification of keys on a large scale. It is particularly relevant where ADSS Signing Service will perform server-side signing using unique user keys. Some organisations cannot rely on end-users having suitable signing keys available, and this route provides an effective way of enabling signing. End-users may authenticate themselves to the business application using a variety of options (e.g. username/password exchanged over a TLS session, one-time grid passwords, two-factor authentication tokens etc.). Currently end-user authentication is handled by the business application, although authorised signing using SAML tokens could be provided - ask for more information.
Keys that are generated are held in the ADSS Server database in encrypted form. Alternatively, a Hardware Security Module (HSM) can be used to protect the private keys that are created and managed by ADSS Server.
ADSS Certification Service also issues Card Verifiable (CV) certificates for e-Passports, acting as a CVCA or DVCA. It follows BSI TR-03139 (Common Certificate Policy) and BSI TR-03110 for certificate generation, and uses the BSI TR-03129 protocol for all communication involved in issuing Card Verifiable certificates.
The following image shows Certification Service sub-modules, details of which are given in the next sections: