February 2025

This document provides information about Ascertia ADSS Server. Browse through the following topics to find out about new features, product enhancements, improvements, known issues, and limitations for this release.


For information related to tested 3rd party components such as operating systems, database servers, and Hardware Security Modules, please review Ascertia Platform Support, which can be found here: https://www.ascertia.com/product-documentation/platform-support/


Ascertia ADSS Server has successfully completed Common Criteria certification at the EAL4+ Assurance Level. For details, visit https://www.commoncriteriaportal.org/products/index.cfm, under Key Management Systems.


New Features

  • Service Plans for specific clients for ADSS Services (ADSS-18126)

The ADSS Server now supports the creation of service plans. Enterprises and Trust Service Providers can now create and manage service plans for each business application that connects to ADSS Server.

ADSS Server service plans enable Enterprises and TSPs to define the number of transactions that a business application can consume from ADSS Server. Service plans can also be set to expire or auto-renew, combined with operator notifications.

ADSS Server operators can also view statistical reports based on service plan usage.


Product Enhancements

  • Enhancements to GoSign Desktop (GSD) for Compliance with Qualified Trust Service (QTS) Standards (ADSS-23378)

The ADSS Server GoSign Service and GoSign Desktop have been updated to give administrators QSCD Token Management Policy controls. These allow the following policies to be enforced over applications such as Web RA when integrated with the GoSign Service for token and certificate management.


Force Common Criteria Key Generation:

A new checkbox has been added on the Keystore Settings tab, enabling operators to generate keys within a token's Common Criteria slot as required.

Orphan Key Management:

GoSign will automatically scan and delete orphaned keys (key pairs without associated certificates) from tokens when performing key and certificate generation. 

Certificate Import Validation:

The GoSign Service now provides a policy to ensure that imported certificates correspond to the private/public key pair on the token, or are added as trusted CA certificates. 

PIN/PUK Reset Functionality:

The ADSS Server GoSign Service now exposes new methods to facilitate PIN/PUK reset.

Supply PIN/PUK via API:

BA applications can now programmatically set the PIN/PUK, reducing user interaction. The default behavior of password prompts remains in place if the PIN/PUK is not pre-set. 

Token Details API:

A new request type has been introduced to retrieve detailed information about configured PKCS#11 devices.

These updates enhance key management, improve token operations, and streamline user interactions, while ensuring compliance with Qualified Trust Service Provider standards. 



  • Entrust Proxy enhanced to parse Common Name (CN) value (ADSS-23045)

The ADSS Server Entrust Proxy has been updated. The proxy can now detect the user type variables that are defined by the Entrust CA.

The Entrust uertsype.template controls how a certificate common name is formatted, this addition to ADSS Server.

Please refer to the Entrust Proxy quick start guide for details of the configurations possible and common name formats supported.


Improvements

  • Enhanced configurations for nShield HSM in Key Templates (ADSS-21622)

ADSS Server offers configurable crypto source templates for Entrust nShield HSMs, applicable to both Common Criteria and non-Common Criteria Security World installations. 

A Sensitive flag has been introduced to the nShield PKCS#11 key template, specifically for the HMAC, KEK, and MK key attributes, in non-Common Criteria Security World installations.


Security Improvements

  • 3rd party updates (ADSS-22888)

Third party products supplied as part of ADSS Server have been upgraded.


  • Apache Tomcat version upgrade (ADSS-23679)

The Apache Tomcat version supplied with ADSS Server has been upgraded from 10.1.28 to 10.1.34.


  • Updated JDK Version (ADSS-23681)

The JDK version supplied with ADSS Server has been updated from 17.0.12 to 17.0.13.