Home > ADSS Go>Sign Service > Configuring the Go>Sign Service > Step 1 - Creating a Go-Sign Profile > Document Signing Configurations > Certificate Filter Criteria

Certificate Filter Criteria

This page is used to define certificate filters that could retrieve specific signing certificates for the end users. This is useful when client side (local) signing is configured, and multiple certificates from a selected keystore are expected to appear at the time of signing. Hence, to make the certificate selection easy for the end users, Go>Sign signing drop down list will only show the specific certificate(s) by processing these filters. 

The configuration items are as follows:

Item Description
Filtering based on Key Usage extension Select the Key Usage extension(s) that you want to allow for the signing certificate filtration. In case of multiple selections, the filtration will be done through OR operation. This implies that if any of the selected criteria is found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list.   
Filtering based on Extended Key Usage extension Select the Extended Key Usage extension(s) that you want to allow for the signing certificate filtration. In case of multiple selections, the filtration will be done through OR operation. This implies that if any of the selected criteria is found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list.
Filtering based on Signature Algorithm  Select the Signature Algorithm(s) that you want to allow for the signing certificate filtration. In case of multiple selections, the filtration will be done through OR operation. This implies that if any of the selected algorithm is found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list.
Filtering based on Certificate Policy extension
Specify the Certificate Policy extension(s) that you want to allow for the signing certificate filtration:  
  • Policy OID: Specify the allowed policy OIDs one by one and Add them.
  • List of Policy OID's: This field lists the allowed policy OIDs for this profile. 
    In case of multiple entries, the filtration will be done through OR operation. This implies that if any of the listed policy OIDs is found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list.  
In case of multiple policies, the filtration will be done through OR operation. This implies that if any of the configured policy is found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list.
Filtering based on Distinguished Name (DN)
Specify the Distinguished Name (DN) that you want to allow for the signing certificate filtration. Distinguished Name (DN) filtration for a signing certificate can be set in two ways by using:  
  • Subject DN: Specify the allowed Subject DN.

  • Issuer DN: Specify the allowed Subject DN(s) one by one and Add them.
Note: Currently we support only four RDNs for filtration criteria which are: 
  • CN
  • OU
  • O
  • C     
Support for rest of the RDNs in our roadmap and we it will be provided soon in a future releases. 
Filtering based on Subject Alternative Name (SAN)
Specify the Subject Alternative Name (SAN) that you want to allow for the signing certificate filtration. Subject Alternative Name (SAN) based filtration can be set for rfc822Name, otherName or for both the SAN extensions:  
  • rfc822Name: When enabled, it will filter only those signing certificates that have rfc822Names.
  • otherName(type-id):
     
    • OID: Specify the allowed otherName(s) one by one and Add them. 

    • List of OID's: This field lists the allowed othername OIDs for this profile. In case of multiple entries, the filtration will be done through OR operation. This implies that if any of the listed otherNames(s) found in a signing certificate, then that signing certificate will be shown in the Go>Sign signing drop down list.
Use only Qualified certificates When enabled, it will filter only those signing certificates that are EU eIDAS Qualified and holds their private keys inside a Qualified/ Secure Signature Creation Device (SSCD) which is also called QSCD. 
Allow expired certificates to be used When enabled, it will allow showing the expired signing certificates in the Go>Sign signing drop down list.
Alias Display Pattern
Specify the format in which the signing certificates should be shown in the Go>Sign signing drop down list. SUBJECT_CN, ISSUER_O means subject CN and issuer organization will be shown in the certificate selection dropdown separated with comma. Following are the possible supported values which are applicable to the certificate selection dialog:
  • SUBJECT_CN
  • SUBJECT_C
  • SUBJECT_OU
  • SUBJECT_O
  • SUBJECT_S
  • SUBJECT_L
  • SUBJECT_E
  • SUBJECT_SERIAL_NO
  • ISSUER_CN
  • ISSUER_C
  • ISSUER_OU
  • ISSUER_O
  • ISSUER_S
  • ISSUER_L
  • ISSUER_E
Alias Display Value Missing Specify a string to be shown in the Go>Sign certification selection dialog, when none of the above configured criteria matches the available signing certificate(s), e.g. N/A 

Business Applications can also provide a filter criteria in the request. If any filter criteria is configured in the profile, and some criteria is provided in the request then filter criteria configured in the profile will be overridden by the criteria provided in the request.
For example, if the configured Key usage filter criteria in a profile is "digitalSignature, nonRepudiation" and the criteria provided in a request is "digitalSignature, dataEncipherment", then the final criteria for key usage will be "digitalSignature, dataEncipherment" and the remaining criteria for other certificate attributes will be used from the profile, as configured.
Click the Next button to display the Service Settings page. 

See also

Signature Settings
Viewer Settings
Key Store Settings
Service Settings
Advanced Settings