The ADSS Server Trust Manager module is used to register all trusted Trust Authorities (TAs). When verifying signed objects it must be possible to build a certificate chain from the signer’s certificate to one of the trusted authorities registered in the Trust Manager in order for the signature to be considered valid.

The Trust Manager is therefore a global utility supporting various other modules of the ADSS Server whenever there is a need to verify signed objects such as certificates, OCSP responses, CRLs or timestamp tokens. To support this functionality the following Trust Authority types can be registered (more than one purpose can be selected for a single entry):

  • CAs – to trust CRLs and Certificates issued by the CA (e.g. certificates issued to OCSP and TSA servers or TLS certificates issued to external services).
  • OCSP Responders – to trust self-signed OCSP Responder certificates or those not issued by a trusted CA.
  • CRL Issuers – to trust CRLs (but not certificates).
  • TSAs – to trust self-signed Time Stamp Authorities or those not issued by a trusted CA.
  • CAs – to trust TLS client certificates.
  • Country Signing CA – to trust the certificates, CRLs and master lists issued by a Country Signing CA (CSCA).
  • TL Issuer – used to verify the trusted lists.
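The chain-building rule from the introduction, shown as an added example that is not Ascertia's code and does not reflect how ADSS Server is implemented internally: a signer certificate is accepted only if it chains to one of the registered anchors, and the chain must be valid for the purpose being checked. ADSS Server scopes trust by the purpose registered on the anchor; Go's verifier expresses the analogous restriction through the chain's extended key usage, which this example uses as a stand-in. All certificates, names and the PurposeTSA/PurposeTLS constants are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const PurposeTSA, PurposeTLS = x509.ExtKeyUsageTimeStamping, x509.ExtKeyUsageClientAuth // example purposes

// ChainsToAnchor returns nil only if signer chains to one of the registered anchors for the given purpose.
func ChainsToAnchor(signer *x509.Certificate, usage x509.ExtKeyUsage, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool() // always an explicit pool: a nil Roots would fall back to the OS trust store
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // the demo templates below are fixed, so an error here is a programming bug
	}
	return v
}

func newCert(cn string, serial int64, ku x509.KeyUsage, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{ // constructed demo certificate; it is a CA iff it may sign certificates
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil { // no issuer given: self-sign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildDemoPKI returns a CA to register as a trust anchor, an unrelated CA, and a TSA certificate issued by the first.
func BuildDemoPKI() (trusted, other, tsa *x509.Certificate) {
	trusted, trustedKey := newCert("Demo Trusted CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil, nil)
	other, _ = newCert("Demo Other CA", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil, nil)
	tsa, _ = newCert("Demo TSA", 3, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{PurposeTSA}, trusted, trustedKey)
	return trusted, other, tsa
}
```

The TSA certificate verifies against the CA that issued it, fails against the unrelated CA (no registered anchor completes the chain), and fails when checked for a purpose its chain does not permit.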


To launch the Trust Manager click on the relevant tab as shown below. A table will be displayed showing the current list of known Trusted Authorities. Trust anchors can be added and existing ones can be edited and deleted as required by a suitably authorised operator.



Registered CAs are shown in hierarchical form by default, grouped under their issuer. One can switch between List View and Hierarchical View by clicking the List View button. Clicking the Whitelisted Certificates button displays the list of certificates issued by an Offline CA.

The Whitelisted Certificates button is only enabled if the Real Time Certificate Status Settings are configured in the validation policy for the relevant CA.

The list of registered trusted authorities can be shown in either ascending or descending order by TA Friendly Name, Status, Purpose or Created At date.

Clicking the Search button on the Trust Manager main page displays the following screen:



This helps to locate a particular trusted authority. A TA can be searched for by the TA friendly name, status or purpose of the CA registered in the Trust Manager service. If a search uses multiple values, they are combined with the "AND" operator, so only records that meet all the criteria are presented.


If the "_" character is used in a search value, it acts as a wildcard.


A new CA can be added by clicking the New button. An existing CA can be edited or deleted by clicking the Edit or Delete button. Click the Usage Map button to see whether any referential integrity exists for this CA, i.e. whether any service still references it. If such references exist and the operator clicks the Delete button, the system shows a usage dialog listing the services in which the CA is used. Clicking the Delete button again on this dialog deletes the CA and its references from all services. The following shows the dialog:

Trust Anchors added via a TSL/LOTL are excluded from the license increment.


The next sections show the steps to register a new Trust Authority.

