To perform server-side signing with keys that have already been issued by an external CA that is not registered within ADSS Server, use the Offline External CA option: select Offline External CA from the CA Type drop-down. The following page will be shown to configure the Offline External CA.


The items in the above screen are described below:


| Items | Description |
|---|---|
| CA Alias | An operator-defined unique name for easy management of certificate authorities within ADSS Server. This is only for human identification purposes. |
| CA Type | Select the option Offline External CA if it is required to do server-side signing with the keys that are already issued by an external CA which is not registered within ADSS Server. |
| CA Certificate | All the CA certificates configured in Trust Manager with purpose CA (will be used to verify other certificates and CRLs) will be available here for configuration. Select the External CA which will be used to issue the target certificates. |

Note: It is required to register the complete chain of the Offline External CA in Trust Manager


Once the Offline External CA is configured, follow these instructions to import the end user keys (PFX, p7b, cer):

  1. Go to location Manage CA > Configured External CAs.
  2. Select the required Offline External CA from the grid and click on the Issued Certificates button.
  3. Click on the Import Key button.
  4. Provide the end user Alias, PFX and certificate chain as shown in the screenshot below.
  5. Click on the save button.
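
A pre-import check an operator can run on the end user PFX before importing it, as an added example that is not part of ADSS Server or its documentation: using the OpenSSL CLI, it confirms that the certificate in the PFX verifies against the complete Offline External CA chain and that the private key matches the certificate. The file names, the `PFX_PASS` variable and the `check_pfx` and `make_fixture` helpers are assumptions, and the fixture data is constructed.

```shell
#!/bin/sh
# Added example (not an ADSS Server tool). Assumes OpenSSL 1.1.0 or later and
# the PFX password exported in the PFX_PASS environment variable.

# check_pfx USER.pfx CA-CHAIN.pem
# returns 0 = OK, 1 = does not chain to the CA, 2 = PFX unreadable, 3 = key mismatch
check_pfx() {
    pfx=$1; chain=$2
    tmp=$(mktemp -d) || return 2
    # Extract only the end-entity certificate; the private key never touches disk.
    if ! openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts \
            -out "$tmp/leaf.pem" 2>/dev/null; then
        rm -rf "$tmp"; return 2
    fi
    # 1. The certificate must verify against the complete CA chain only
    #    (-no-CApath keeps the system trust store out of the decision).
    rc_chain=0
    openssl verify -no-CApath -CAfile "$chain" "$tmp/leaf.pem" \
        >/dev/null 2>&1 || rc_chain=$?
    # 2. The private key in the PFX must match the certificate's public key.
    cert_pub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null) || key_pub=""
    rm -rf "$tmp"
    [ "$rc_chain" -eq 0 ] || return 1
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3
    return 0
}

# make_fixture DIR: constructed sample data (two throwaway CAs and one user
# PFX issued by the first), so the check can be tried offline.
make_fixture() {
    d=$1
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed $ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed User" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.pem" \
        -passout env:PFX_PASS -out "$d/user.pfx" 2>/dev/null
}
```

The chain file passed to `check_pfx` should hold the same complete chain, up to the root, that is registered in Trust Manager; a chain file missing the root makes the verification step fail.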


Now these keys can be used for document signing by passing the key/certificate alias in the signing request.




Note: The owner of the key can change its password by sending the CHANGE_PASSWORD request. If any of the certificates needs to be revoked, contact your CA to revoke the key. Document signing will remain allowed until the new CRL is downloaded by ADSS Server. If you wish to stop document signing before the new CRL is available, either revoke the certificate manually from the ADSS Server console or send the certificate REVOKE request to ADSS Server (for more, see the ADSS Certification Service).
