Trust Manager

The ADSS Server Trust Manager module is used to register all trusted Trust Authorities (TAs). When verifying signed objects it must be possible to build a certificate chain from the signer’s certificate to one of the trusted authorities registered in the Trust Manager in order for the signature to be considered valid.

The Trust Manager is therefore a global utility supporting various other modules of the ADSS Server whenever there is a need to verify signed objects such as certificates, OCSP responses, CRLs or timestamp tokens. To support this functionality the following Trust Authority types can be registered (more than one purpose can be selected):

CAs – to trust CRLs and Certificates issued by the CA (e.g. certificates issued to OCSP and TSA servers or TLS certificates issued to external services).
OCSP Responders – to trust self-signed OCSP Responder certificates or those not issued by a trusted CA.
CRL Issuers – to trust CRLs (but not certificates)
TSAs – to trust self signed Time Stamp Authorities or those not issued by a trusted CA.
CAs - to trust TLS client certificates.
Country Signing CA - to trust the certificates, CRLs and master lists issued by a Country Signing CA (CSCA).

To launch the Trust Manager click on the relevant tab as shown below. A table will be displayed showing the current list of known Trusted Authorities. Trust anchors can be added and existing ones can be edited and deleted as required by a suitably authorised operator.

Registered CAs are shown in the hierarchical form by default according to their issuer. One can switch between List View and Hierarchical View by clicking the List View button. The list of registered trusted authorities can shown in either Ascending or Descending order by: TA Friendly Name; Status; Purpose; or Created At date.

Clicking on the Search button on the Trust Manager main page will display following screen:

This helps to locate a particular trusted authority. The TA can be searched based on TA friendly name, status or purpose of the CA registered in the Trust Manager service. If a search is based on multiple values, then these will be combined together using the “AND” operand, and thus only records that meet all the criteria will be presented.

If "_" character is used in the search then it will act as wildcard.

A new CA can be added by clicking the New button. An existing CA can be edited/deleted by clicking the Edit/Delete button. Click on the Usage Map button to see if any referential integrity exists for this CA. If any referential integrity exists and operator click the Delete button then system will show this usage dialog with the information in which services the particular CA is used. If you click the Delete button again on this dialog then the CA and its references will be deleted from all services. The following shows the dialog:

The next sections show the steps to register a new Trust Authority.