The ADSS Server Signature Activation Module (SAM) Service has been carefully designed to provide high-trust Qualified Remote Signature services. It meets the requirements defined in the ETSI EN 419 241-1 standard and ETSI EN 419 241-2 Protection Profile and thus, ensures that an end-user's private signing key and Qualified Certificate can only be used under the sole control of the Signer, and only used for the intended purpose. Level 2 sole control is supported as a standard feature, interacting with the user's Go>Sign Mobile App on their smartphone. It is possible to allow Level 1 sole control so that the same high-trust SAM Service environment can be used for non-qualified certificates. It is possible to allow Level 1 sole control so that the same high-trust SAM Service environment can be used for non-qualified certificates.  


ADSS SAM Service offers a REST API over TLS v1.2 and TLS v1.3 that is called by the ADSS RAS Service. Read the ADSS RAS Service description to further understand the authorisation process.


ADSS SAM Service manages registered users and their unique signing keys. In addition, it manages the connection to the hardware security modules and manages key backup and restore.


In Qualified mode this must be an EN 419 221-5 certified HSM. The following HSMs are currently being supported: 

  • Utimaco CryptoServer CP5 (PCIe HSM held in the ADSS SAM appliance) 
  • Thales Luna K7 Cryptographic Module.
  • nCipher nShield Solo XC Cryptographic Module.


In non-qualified mode a range of other HSMs are supported:

  • Utimaco CP5 network connected HSMs - uses all the same functionality except this architecture is not covered by the formal CC EAL 4+ Target of Evaluation
  • Utimaco CP5 emulator software - useful for test and development systems.
  • All other supported PKCS#11 HSMs and HSM Services, e.g Azure Key Vault - useful to provide Level 2 sole control for centrally held user (e.g. AATL) signing keys and certificates.


The following image shows ADSS SAM Service sub-modules, details of which are given in the next sections:



See also

Signing Service
Certification Service
OCSP Service

RAS Service

SAM Service

Unity Service
CSP Service
CRL Monitor