ADSS Certification Service module provides Certificate Authority services to client applications that act as RAs and request the creation of asymmetric key pairs and/or send public key for certification. RFC 2797 CMC, RFC 7030 EST Protocols are supported as well as SOAP/XML based proprietary protocol for applications that need extended functionality such as user registration, key generation and roaming credential management.

ADSS Certification Service (EST interface) along with other modules of ADSS Server are part of the ADSS PKI Server that is Common Criteria EAL4+ certified version of the ADSS Server and meets the (NIAP 2.1 Protection Profile for Certification Authorities).

Once the keys are certified they can be referenced for other purposes, for example within ADSS Signing Service request messages by client applications. ADSS Server uses the identified private key to sign the requested document. ADSS Server ensures that the client application that registered the key is the one that is later allowed to use it, i.e. the key is reserved for use by the owning client application only. 

ADSS Certification Service can be used by business applications to automatically request the generation and certification of keys on a large scale. It is particularly relevant where ADSS Signing Service will use server-side signing using unique user keys. Some organisations cannot rely on the end-users having suitable signing keys available and this route provides an effective way of enabling signing. End-users may authenticate themselves to the business application using a variety of options (e.g. username/passwords exchanged over TLS session, one-time grid passwords, two-factor authentication tokens etc.). Currently end-user authentication is handled by the business application although authorised signing using SAML tokens could be provided - ask for more information.

Keys that are generated are held in ADSS Server database in encrypted format. Alternatively, a Hardware Security Module (HSM) can be used to protect the private keys that are created and managed by ADSS Server.

ADSS Certification Service also issues Card Verifiable (CV) certificates for E-Passports acting as a CVCA or DVCA. It follows BSI TR-03139 (Common Certificate Policy) and BSI TR-03110 for certificate generation. It uses BSI TR-03129 protocol for all the communication to issue Card Verifiable certificates. 

The following image shows Certification Service sub-modules, details of which are given in the next sections:

See also

ADSS Server Knowledge Base

Welcome
Getting Started
Concepts & Architecture
ADSS RA Service
ADSS Signing Service
ADSS Go>Sign Service
ADSS RAS Service
ADSS SAM Service
ADSS CSP Service
ADSS TSA Service
ADSS Verification Service
ADSS OCSP Monitor
ADSS OCSP Service
ADSS SCVP Service
ADSS XKMS Service
ADSS LTANS Service
ADSS HMAC Service
ADSS Decryption Service
ADSS OCSP Repeater Service
ADSS NPKD Service
ADSS SPOC Service
Manage CAs
Key Manager
Trust Manager
ADSS CRL Monitor
Global Settings
Access Control
Client Manager
System Log Viewer
Server Manager
Approval Manager
Operational Management
Advanced Configuration