March 2025

This document provides information about Ascertia ADSS Server. Browse through the following topics to find out about new features, product enhancements, improvements, known issues, and limitations for this release.


For information related to tested 3rd party components such as operating systems, database servers, and Hardware Security Modules, please review Ascertia Platform Support, which can be found here: https://www.ascertia.com/product-documentation/platform-support/


Ascertia ADSS Server has successfully completed Common Criteria certification at the EAL4+ Assurance Level. For details, visit https://www.commoncriteriaportal.org/products/index.cfm, under Key Management Systems.



Product Enhancements

  • CA/B Forum Baseline Requirements for Pre-Linting of Certificates (ADSS-24154)

ADSS Server now includes a new mechanism that enables the pre-linting of certificates to provide compliance with the latest CA/B Forum Baseline Requirements. Operators can configure ADSS Server so that, during the certificate generation process, a certificate is first signed using a 'dummy' private key, whose public key is not certified by a publicly trusted Certificate Authority (CA), and certificate linting is performed before the certificate is signed with the real, publicly trusted Certificate Authority (CA). This gives TSPs the ability to prevent non-compliant certificates from being issued by their publicly trusted Certification Authorities.
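The sign-with-dummy-key, lint, then sign-with-real-key sequence described above can be sketched with Go's standard library; this is an added illustration, not ADSS Server code or configuration. The names `issuer`, `dummyKey`, `realKey`, `leaf`, `lint` and `issue`, the RSA-2048 keys, and the two sample lint checks (a 398-day validity ceiling and a non-empty subjectAltName) are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var issuer = &x509.Certificate{Subject: pkix.Name{CommonName: "Example Issuing CA"}} // constructed name
var dummyKey, _ = rsa.GenerateKey(rand.Reader, 2048) // hypothetical: certified by no trusted CA
var realKey, _ = rsa.GenerateKey(rand.Reader, 2048)  // hypothetical: stands in for the production CA key

func leaf(days int, names ...string) *x509.Certificate { // constructed subscriber request
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	nb := time.Now().UTC()
	return &x509.Certificate{SerialNumber: big.NewInt(nb.UnixNano()), PublicKey: &k.PublicKey,
		NotBefore: nb, NotAfter: nb.AddDate(0, 0, days), DNSNames: names}
}

// lint parses the dummy-signed certificate and applies two sample checks;
// a production linter runs a full rule set.
func lint(der []byte) error {
	c, err := x509.ParseCertificate(der)
	if err == nil && c.NotAfter.Sub(c.NotBefore) > 398*24*time.Hour {
		err = errors.New("lint: validity exceeds 398 days")
	}
	if err == nil && len(c.DNSNames)+len(c.IPAddresses) == 0 {
		err = errors.New("lint: subjectAltName has no dNSName or iPAddress")
	}
	return err
}

// issue signs with the dummy key, lints, and uses the trusted key only on a pass.
func issue(t *x509.Certificate, dummy, trusted *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, t.PublicKey, dummy)
	if err != nil {
		return nil, err
	} else if err = lint(der); err != nil {
		return nil, err // rejected before the real CA key is used
	}
	return x509.CreateCertificate(rand.Reader, t, issuer, t.PublicKey, trusted)
}

func main() {
	_, err := issue(leaf(730, "www.example.test"), dummyKey, realKey)
	println("730-day request:", err.Error())
}
```

In this example both signatures cover the same to-be-signed content, since the template and issuer name are unchanged between the two calls, which is why a lint result for the dummy-signed certificate carries over to the one signed with the real key.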


Improvements

  • ADSS Server performance optimisations (ADSS-24024 / ADSS-24088)

The ADSS Server Console has been updated to enhance the performance of the revoke certificate operation.

The logic of the ADSS Certification Server has been optimized to improve the parsing of certificate chains during the certificate renewal process.


  • ADSS Server RAS Service retry on optimistic lock exceptions (ADSS-24178)

The ADSS RAS Service has been optimized to implement retry logic to prevent optimistic lock exceptions, based on the TOTAL_NUMBER_OF_RETRY_ON_COMMIT and RETRY_COMMIT_INTERVAL properties defined in Global Settings > Advanced Settings.


  • Signature Placement for XML documents (ADSS-24196)

The ADSS Server Signing service has been updated to place the signature at the specified location within XML documents, as defined within the signing profile.


  • Incorrect ProfileID value set by ADSS Signing Server (ADSS-24350)

Updates have been made to the ADSS Server Signing service to correctly set the ProfileID value. The value was previously null in the remote authorization status API call, resulting in incorrect transaction counts being reported.


  • otherName in SAN extension length validation update (ADSS-24359)

ADSS Server Console (Key Manager) now allows otherName values in the SAN extension to exceed 500 characters.


  • Info level logging improvements (ADSS-22202)

The ADSS Server Console now displays certificates that are set to expire within x days when the system logging level is set to info.


  • CRL Monitor CRL import exceptions (ADSS-24403)

The ADSS Server Console for CRL Monitor has been updated to provide better exception handling in cases where the cachedCRL table does not exist, ensuring that CRLs can be imported successfully via CRL monitor.


  • Dual Control for SAM Service ADSS Server Name Change (ADSS-24406)

ADSS Server has been enhanced so that the instance name is changed when the service instance IP is edited and the changes are approved by the Security Officer, after the service instances have been stopped.


Security Improvements

  • Apache Tomcat version upgrade (ADSS-24415)

The Apache Tomcat version supplied with ADSS Server has been upgraded from 10.1.34 to 10.1.35.


  • Updated JDK Version (ADSS-24411)

The JDK version supplied with ADSS Server has been updated from 17.0.13 to 17.0.14.