July 2024

This document provides information about Ascertia ADSS Server. Browse through the following topics to find out about new features, product enhancements, improvements, known issues, and limitations for this release.


For information related to tested 3rd party components such as operating systems, database servers, and Hardware Security Modules, please review Ascertia Platform Support, which can be found here: https://www.ascertia.com/product-documentation/platform-support/


Ascertia ADSS Server has successfully completed Common Criteria certification at the EAL4+ Assurance Level. For details, visit https://www.commoncriteriaportal.org/products/index.cfm, under Key Management Systems.


New Features

  • Support of Post-Quantum Cryptography (ADSS-17190)

The ADSS server introduces support for Post-Quantum Cryptography (PQC) algorithms, ensuring robust security against both quantum and classical computing threats.


ADSS Signing Server:

ADSS Signing Server performs server-side signing and eSealing and will support CRYSTALS-Dilithium PKCS#1 and CMS signatures.


ADSS SAM Service:

The ADSS SAM Service, which performs eIDAS-compliant remote authorised server-side signing and eSealing, will support CRYSTALS-Dilithium PKCS#1 signatures.


ADSS PKI Server:

ADSS PKI Server can create CAs and issue X.509 certificates signed using the following Post-Quantum algorithms:

    • CRYSTALS-Dilithium
    • Classic McEliece
    • Kyber

Note: Currently the PQC algorithms (Dilithium and Kyber) are provided to support proofs of concept (POCs); subsequent releases will add further PQC capability as the NIST standards for PQC are finalised.


  • New Integration with Microsoft Active Directory Certificate Services (AD CS) (ADSS-21318)

This release of ADSS Server introduces a new integration with Microsoft Active Directory Certificate Services (AD CS) Enterprise CAs. ADSS Server now integrates via the Microsoft DCOM interface, giving a much tighter integration with AD CS and offering full certificate lifecycle management (issuance, renewal, rekeying and revocation) through the ADSS Server Certification Service.


  • Provided an 'Un-install' option for regular release (ADSS-21057)

ADSS Server 8.3.5 introduces a new un-install option for regular releases, allowing ADSS Server operators to roll back to previous versions easily. It offers greater flexibility through simplified un-installation steps, seamless file replacement, and a check that the manual database restore has taken place.


  • Performance statistics of Remote Signature via RAS-Demo (ADSS-20822)

Case Number - ENH231101327

ADSS Server 8.3.5 introduces a new performance testing feature in the RAS-Demo web application, providing flexible and simplified steps to calculate performance statistics for the remote signature flow when using an IdP. Additionally, the ADSS RAS Service has been enhanced to request credential/service authorization from the user only once, and the ADSS Signing Service now notifies the business application (RAS-Demo) about duplicate responses from the IdP.


Product Enhancements

  • AWS CloudHSM update (ADSS-21269)

Case Number - ENH240101409

ADSS Server 8.3.5 now supports Client SDK v5 of AWS CloudHSM on Windows and Linux systems.


  • Enhanced ADSS Signing Server to lock PDF documents (ADSS-20716)

Case Number - ENH231101295

The ADSS Signing Server has been enhanced to lock PDF documents against all changes upon the final signature. This lock prevents the PDF from being used for further digital signing, form-filling, or any annotation modifications.
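The release notes do not say how the lock is implemented. The standard PDF mechanism for "no further changes after signing" is the DocMDP certification signature of ISO 32000, whose /TransformParams /P value of 1 forbids all changes (2 permits form filling and further signatures, 3 additionally permits annotation changes; 2 is the default when /P is absent). As an added example, not ADSS code, the following standard-library Python scans an uncompressed PDF for that level so an operator can confirm a document really came out locked; the function names and the sample PDF bytes are constructed for the example.

```python
"""Added example (not Ascertia's code): report the DocMDP permission level
declared by a PDF's certifying signature, using only the standard library."""
import re
from typing import Optional

# ISO 32000 DocMDP /P values.
DOCMDP_MEANING = {
    1: "no changes permitted (document locked)",
    2: "form filling, page template instantiation and signing permitted",
    3: "as 2, plus annotation creation, deletion and modification",
}

_DOCMDP_RE = re.compile(rb"/TransformMethod\s*/DocMDP")
_PARAMS_RE = re.compile(rb"/TransformParams\s*<<([^>]*)>>")
_P_RE = re.compile(rb"/P\s+([123])\b")
_PERMS_RE = re.compile(rb"/Perms\s*<<[^>]*/DocMDP\s+\d+\s+\d+\s+R")


def docmdp_permission(pdf: bytes, window: int = 512) -> Optional[int]:
    """Return the /P level of the DocMDP signature reference, or None when
    the file carries no DocMDP transform (i.e. it is not certified).
    Heuristic: the /TransformParams dictionary is looked for within
    `window` bytes of the /TransformMethod entry of the same SigRef."""
    levels = []
    for m in _DOCMDP_RE.finditer(pdf):
        start, end = max(0, m.start() - window), m.end() + window
        params = _PARAMS_RE.search(pdf, start, end)
        if params is None:
            levels.append(2)  # no /TransformParams: spec default is 2
            continue
        p = _P_RE.search(params.group(1))
        levels.append(int(p.group(1)) if p else 2)
    if not levels:
        return None
    return min(levels)  # if several are present, the most restrictive wins


def is_certified(pdf: bytes) -> bool:
    """True when the catalog's /Perms dictionary references a DocMDP signature."""
    return _PERMS_RE.search(pdf) is not None


def lock_report(pdf: bytes) -> dict:
    """Operator-facing summary: is the document certified, at which level, and
    does that level mean 'locked against all changes' (P = 1)?"""
    p = docmdp_permission(pdf)
    return {
        "certified": is_certified(pdf),
        "permission": p,
        "locked": p == 1,
        "meaning": DOCMDP_MEANING.get(p, "no DocMDP certification found"),
    }


# Constructed sample fragments (uncompressed, single revision, fake contents).
LOCKED_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R /Perms << /DocMDP 4 0 R >> >> endobj
4 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached
/Reference [ << /Type /SigRef /TransformMethod /DocMDP
/TransformParams << /Type /TransformParams /P 1 /V /1.2 >> >> ]
/ByteRange [0 0 0 0] /Contents <> >> endobj
"""
ANNOTATABLE_PDF = LOCKED_PDF.replace(b"/P 1", b"/P 3")
UNSIGNED_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for name, doc in (("locked", LOCKED_PDF), ("annotatable", ANNOTATABLE_PDF), ("unsigned", UNSIGNED_PDF)):
        print(name, lock_report(doc))
```

The regex scan is only suitable for plain, uncompressed files; in production the signature dictionary may live in an object stream or be superseded by an incremental update, so a real PDF parser should supply the objects. Note also that the lock is a declared permission that conforming viewers enforce and signature validators check; it does not stop someone appending bytes to the file, it makes such changes detectable and invalidating.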


  • Enhanced support in eSeal Signing through ADSS Signing Gateway (ADSS-20718)

Case Number - ENH231101304

ADSS Server now supports eSeal signing without requiring certificates and aliases to be configured in business applications. Certificates are configured on the eSeal server signing profile and are used automatically. For remote authorized signing, only the certificate alias needs to be passed, with the Signing Service retrieving the certificate from RAS for signature computation.


  • Entrust Proxy Update (ADSS-20777)

Case Number - ENH231101322

The ADSS Server Entrust Proxy has been enhanced to support multiple middle names within the Common Name (CN) field when generating certificates via the Entrust Proxy; the Entrust Proxy now includes all of the user's first, middle and last names when requesting a certificate.


  • Support HTTP v1 for Firebase Push Notifications (ADSS-21161)

Case Number - ENH240101367

Customers using Google Firebase for push notifications from ADSS Server to the Ascertia Go>Sign mobile app need to take immediate action to avoid notification interruption: Google FCM will start a gradual shutdown of the deprecated APIs around July 22nd, 2024.

Ascertia has upgraded to the latest Firebase HTTP v1 API in ADSS Server v8.3.5, so customers are advised to upgrade to ADSS v8.3.5 as soon as possible.

With Firebase Push Notifications migrating from legacy FCM APIs to HTTP v1, users need to make the following changes after upgrading to the ADSS Server version 8.3.5:

    1. Update the server address, i.e. https://fcm.googleapis.com/v1/projects/[PROJECT_ID]/messages:send
    2. Upload the service account file instead of the secret key.


Users can download the service account JSON file and the updated server address from the Google FCM Portal.

https://firebase.google.com/ 

Clients who are using the Go>Sign mobile app can get the latest JSON file from the following link or from the Ascertia Support Team.
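As an added example of the post-upgrade checks implied by the two steps above (not Ascertia's code), the following standard-library Python verifies that the configured server address has the HTTP v1 shape, that the uploaded file is a service account key rather than the old server key, and that the two agree on the project id. The legacy endpoint, the service account field names and the v1 request envelope are standard Google values; the sample key file and project id are constructed placeholders. The HTTP v1 API is authorised with an OAuth 2.0 bearer token minted from the service account instead of the legacy `Authorization: key=...` header, which is why the file replaces the secret key; minting that token (normally done with Google's auth library) is outside this snippet.

```python
"""Added example (not Ascertia's code): configuration checks for the FCM
legacy-to-HTTP-v1 migration, standard library only."""
import json
import re
from typing import Dict

# Endpoint shape quoted in the release notes; [PROJECT_ID] is the
# "project_id" field of the service account file.
V1_ENDPOINT = "https://fcm.googleapis.com/v1/projects/{project_id}/messages:send"
V1_PATTERN = re.compile(r"https://fcm\.googleapis\.com/v1/projects/([^/]+)/messages:send")
LEGACY_ENDPOINT = "https://fcm.googleapis.com/fcm/send"

# Fields every Google service account key file carries.
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")


def load_service_account(text: str) -> dict:
    """Parse the uploaded file and reject anything that is not a service
    account key (the legacy FCM server key, for instance, is a bare string)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("not JSON: looks like a legacy server key, not a service account file") from exc
    if not isinstance(data, dict) or data.get("type") != "service_account":
        raise ValueError('"type" must be "service_account"')
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError(f"service account file is missing {missing}")
    if not data["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM PKCS#8 private key")
    return data


def v1_endpoint(project_id: str) -> str:
    """Derive the HTTP v1 send URL from a project id (6-30 characters,
    lowercase letters, digits and hyphens, starting with a letter)."""
    if not re.fullmatch(r"[a-z][a-z0-9-]{4,28}[a-z0-9]", project_id):
        raise ValueError(f"implausible project id {project_id!r}")
    return V1_ENDPOINT.format(project_id=project_id)


def classify_endpoint(url: str) -> str:
    """'legacy', 'v1' or 'unknown' for a configured server address."""
    if url == LEGACY_ENDPOINT:
        return "legacy"
    return "v1" if V1_PATTERN.fullmatch(url) else "unknown"


def build_v1_message(device_token: str, title: str, body: str) -> dict:
    """HTTP v1 request body: everything sits under "message" (the legacy API
    put "to" and "notification" at the top level)."""
    return {"message": {"token": device_token,
                        "notification": {"title": title, "body": body}}}


def migration_report(configured_url: str, uploaded_file_text: str) -> Dict[str, str]:
    """Summarise what an operator still has to change after the upgrade."""
    report = {"endpoint": classify_endpoint(configured_url)}
    try:
        sa = load_service_account(uploaded_file_text)
        report["credential"] = "service_account"
        report["expected_endpoint"] = v1_endpoint(sa["project_id"])
        m = V1_PATTERN.fullmatch(configured_url)
        if m and m.group(1) != sa["project_id"]:
            report["endpoint"] = "v1-wrong-project"
    except ValueError as exc:
        report["credential"] = f"invalid: {exc}"
    return report


# Constructed sample inputs (placeholders, not real credentials).
SAMPLE_SERVICE_ACCOUNT = json.dumps({
    "type": "service_account",
    "project_id": "example-gosign-app",
    "private_key_id": "placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "fcm-sender@example-gosign-app.iam.gserviceaccount.com",
    "client_id": "0",
    "token_uri": "https://oauth2.googleapis.com/token",
})
SAMPLE_LEGACY_KEY = "AAAAexampleLegacyServerKey:APA91bPlaceholder"

if __name__ == "__main__":
    print(migration_report(LEGACY_ENDPOINT, SAMPLE_LEGACY_KEY))
    print(migration_report(v1_endpoint("example-gosign-app"), SAMPLE_SERVICE_ACCOUNT))
```

Running the two checks on an unmigrated configuration yields "legacy" for the endpoint and an "invalid" credential; after both steps have been carried out the report shows "v1" and "service_account", and a mismatch between the URL's project segment and the key file's project_id is flagged separately, since that combination fails only at send time.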


  • Added Support of new Extended Key Usages (ADSS-21487)

Case Number - ENH240201463

ADSS Server now supports a new set of Extended Key Usages (EKUs). These EKUs can be selected from the Extended Key Usages available in the Certificate Template for inclusion in certificates. The added EKUs are:

    • 1.0.18013.5.1.2 (mdlDS) – Mobile Driver's License Document Signer Certificate
    • 1.0.18013.5.1.3 (mdlJWS) – Mobile Driver's License JWS Certificate
    • 1.0.18013.5.1.6 (IACA link certificates) – Mobile Driver's License Link Certificate
    • 1.0.18013.5.1.4 (mDL Reader authentication) – Mobile Driver's License Reader authentication and TLS client authentication Certificate
    • 1.3.6.1.5.5.7.3.36 (id-kp-documentSigning) – RFC 9336 Document Signing Certificate


ADSS Server also enables operators to create custom extended key usages.
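The OIDs above end up in the certificate's ExtKeyUsage extension, which RFC 5280 defines as a SEQUENCE OF OBJECT IDENTIFIER. As an added example (not ADSS Server code), the following standard-library Python encodes and decodes that value so an operator can check what a template actually placed in an issued certificate, including a custom EKU that the name table does not know. The name table is taken from the list above; the encoding helpers and the custom OID used in the demonstration are mine.

```python
"""Added example (not Ascertia's code): DER encode/decode of the
ExtKeyUsage extension value for the OIDs listed in the release notes."""

# OIDs as listed in the release notes, mapped to their short names.
EKU_NAMES = {
    "1.0.18013.5.1.2": "mdlDS",
    "1.0.18013.5.1.3": "mdlJWS",
    "1.0.18013.5.1.6": "IACA link",
    "1.0.18013.5.1.4": "mDL Reader authentication",
    "1.3.6.1.5.5.7.3.36": "id-kp-documentSigning",
}


def _base128(n: int) -> bytes:
    """Encode a non-negative integer as DER base-128 (high bit = continuation)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06).
    The first two arcs share one value: 40 * arc1 + arc2."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return _tlv(0x06, body)


def encode_ext_key_usage(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (RFC 5280)."""
    if not oids:
        raise ValueError("EKU must contain at least one KeyPurposeId")
    return _tlv(0x30, b"".join(encode_oid(o) for o in oids))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid_content(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:  # last octet still had its continuation bit set
        raise ValueError("truncated OID arc")
    first = arcs[0]
    lead = 2 if first >= 80 else first // 40
    return ".".join(str(a) for a in [lead, first - lead * 40] + arcs[1:])


def decode_ext_key_usage(der: bytes) -> list:
    """Parse an ExtKeyUsage extension value back into dotted OIDs."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid_content(body))
    return oids


def describe_ekus(der: bytes) -> dict:
    """Map each OID in an EKU value to its name ('unknown' for custom EKUs)."""
    return {o: EKU_NAMES.get(o, "unknown") for o in decode_ext_key_usage(der)}


if __name__ == "__main__":
    ext = encode_ext_key_usage(["1.0.18013.5.1.2", "1.3.6.1.5.5.7.3.36"])
    print(ext.hex())
    print(describe_ekus(ext))
```

The 18013 arc is the interesting one: it needs three base-128 octets (81 8C 5D), which is where hand-rolled OID handling most often goes wrong, so the round trip through `decode_oid_content` is a worthwhile check on any custom EKU an operator defines.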


Improvements

  • API update and backward compatibility in RAS Service (ADSS-21702)

Case Number - ENH240401496

The 'List Registered Devices' API has been enhanced to support user access tokens, and its URI has been updated to remove the user-id query parameter.

A new property, ‘MOBILE_API_AUTHENTICATION’, has been introduced; when its value is TRUE, the ADSS Server RAS Service provides backwards compatibility.


  • Improvements in CRL Monitor Alerts (ADSS-16701)

The CRL Monitor functionality has been enhanced to send alerts prior to the expiration of the CRL.


  • Improvements in Credential Info API (ADSS-21240)

Case Number - ENH240101405

The ADSS RAS Server has been enhanced to include the hashAlgorithm OID in the RAS CSC credential info API.