March 2024

This document provides information about Ascertia ADSS Server. Browse through the following topics to find out about new features, product enhancements, improvements, known issues, and limitations for this release.


For information related to tested 3rd party components such as operating systems, database servers, and Hardware Security Modules, please review Ascertia Platform Support, which can be found here: https://www.ascertia.com/product-documentation/platform-support/


Ascertia ADSS Server has successfully completed Common Criteria certification at the EAL4+ Assurance Level. For details, visit https://www.commoncriteriaportal.org/products/index.cfm, under Key Management Systems.


New Features

  • ADSS Server Unity Service (ADSS-16929)

ADSS Server has been enhanced to deliver a new service to simplify the integration of business applications with Ascertia products. The Unity Service supports the latest Cloud Signature Consortium (CSC) version 2 APIs and an initial set of Business APIs. This includes a new /signDoc API, which enables the signing of entire documents, generating advanced digital signatures including PAdES, XAdES, and CAdES.

The Unity Service also introduces a new system for managing short-term certificates, ensuring direct communication with the ADSS Server SAM Service. It encompasses all mobile APIs previously supported by the RAS Service, as well as client APIs for user registration. The ADSS Server Unity Service facilitates direct interaction with other ADSS Server components and external service providers, including IDPs and SMS gateways.


Access to Unity Console:

The Unity Service is exclusively accessible through the Unity Console for ADSS Server Operators. Consequently, Operators will need to follow the instructions below to access the Unity Console:

    1. Open the ADSS Classic Console. 
    2. On the Classic Console dashboard, navigate to the top banner.
    3. Click on the Unity Console option. The user will be navigated to the Unity Console dashboard.


Product Enhancements

  • ADSS Server Certificate Templates Update (ADSS-21645/ ADSS-21644)

ADSS Server certificate templates in Unity Console have been updated to support the custom certificate extension “ext-valassured-ST-certs” as defined in ETSI EN 319 412-1 "5.2 Certificate Extensions regarding Validity Assured Certificate". This extension is used by CAs when issuing short life certificates.

ADSS Server certificate templates in Unity Console have also been updated to include the Subject Directory Attributes extension as defined by RFC 3739, so that “dateOfBirth” and “placeOfBirth” can be included in certificates to ensure compliance with ETSI EN 319 412-1 “5.1.5 eIDAS eID Natural person semantics identifier”.


  • Support for Azure Managed HSM (ADSS-20821)

ADSS Server 8.3.3 introduces support for Microsoft Azure Managed HSM as a new Crypto Source in Key Manager. The updated Key Vault API is compatible with Azure Managed HSM, offering backup and restoration capabilities and support for key wrapping. Users can now back up keys from Azure Managed HSM, securely store them in the ADSS Server database, and then remove them from Azure Managed HSM. These keys can be restored to Azure Managed HSM later for signing operations.


  • ADSS Signing Server Performance Improvement (ADSS-20818)

ADSS Signing Server performance has been improved for signing profiles that support document hashes for CAdES detached signatures. Additionally, it has been updated to return the complete signature through a CallBack URL, rather than just the requestID. This is achieved by establishing a secure, authenticated channel with the business application using OAuth 2.0 authentication, which enhances performance in the Remote Authorised Signing flow.


  • ADSS Verification Server Performance Improvement (ADSS-20819)

ADSS Verification Server performance has been improved to validate signatures using both the signature itself and the document or content hash. It now has the ability to verify multiple signatures within a single request. Performance enhancements have been achieved by reducing and optimizing database calls and by caching frequently used objects.


  • ADSS RAS Server Secure APIs (ADSS-20604)

ADSS Server has introduced a new security feature for its REST APIs provided by the ADSS RAS Service. This feature can be activated by turning on the BUSINESS_API_AUTHENTICATION setting in the RAS Server’s Advanced Settings. The business APIs now operate in two modes: one that maintains compatibility with previous versions without requiring authentication, and another that uses OAuth 2.0 with ClientID and secret for secure, authenticated access.


  • New API to retrieve all certificates from a given CA (ADSS-19980)

The “Get Certificates” API in ADSS Server has been improved to provide a list of certificates from a specified Certification Authority (CA), which can be either local or external. Additionally, it now supports returning PKCS_10 and PKCS_12 formats in the response when these are specified in the ‘respondWith’ parameters.


  • Support for new RDNs in ADSS Server (ADSS-19981)

ADSS Server now includes support for the new Relative Distinguished Name (RDN) ‘Domain Component’ in the subject’s distinguished name. ADSS Server based CAs can now issue certificates with DC= in the subject distinguished name, which is required for interoperability in Microsoft Active Directory use cases.
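The following is an added example, not Ascertia code or an ADSS Server API: a pre-issuance check, in Python, that a requested subject DN carries its DC= components in the Active Directory style and yields the DNS domain they imply. The function names and the sample DNs are constructed for illustration; the rule that DC RDNs form one contiguous block at the end of the string form is an assumption based on how Active Directory writes distinguished names.

```python
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def split_rdns(dn):
    """Split an RFC 4514 DN string into (TYPE, value) pairs.

    Honours backslash-escaped characters such as '\\,'. Hex-pair escapes
    and multi-valued RDNs ('+') are not handled in this example.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":                 # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.lstrip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value)))
    return rdns

def ad_domain_from_subject(dn):
    """Return the DNS domain implied by the DC RDNs, or raise ValueError."""
    rdns = split_rdns(dn)
    dc_idx = [i for i, (attr, _) in enumerate(rdns) if attr == "DC"]
    if not dc_idx:
        raise ValueError("subject has no DC components")
    # Assumption: AD-style DNs end with one contiguous run of DC RDNs.
    if dc_idx != list(range(len(rdns) - len(dc_idx), len(rdns))):
        raise ValueError("DC components must be contiguous and come last")
    labels = [rdns[i][1] for i in dc_idx]
    for label in labels:
        if not _LABEL.fullmatch(label):
            raise ValueError(f"DC value is not a valid DNS label: {label!r}")
    return ".".join(labels).lower()

# Constructed sample subject, not taken from any real deployment.
SAMPLE_DN = "CN=Alice Example,OU=Users,DC=corp,DC=example,DC=com"
```
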


Security Improvements

  • Upgraded Tomcat

Tomcat in ADSS Server has been upgraded from v9.0.83 to v9.0.85.