A signing profile identifies the ADSS Signing Server profile that has been configured for SigningHub Desktop Web to create document signatures. Based on business requirements, you can manage (add, edit, and delete) multiple signing profiles to offer different signature configurations to your end users, including PAdES-B-LT or PAdES-B-LTA signatures, signing method, hashing algorithm, etc.


Create a new signing profile

  1. Create a new signing connector.
  2. Choose the "Configurations" option from the left menu.
  3. Choose the "Signing Profiles" option. The "Signing Profiles" screen will appear.
  4. Click the add icon in the grid header.
  5. A dialog appears where you can configure the signing profile details. The dialog comprises three screens: Basic Information, Signing Method and Settings. Specify the basic information, then click the "Next" button to move to the following screens and provide their details. Click the "Finish" button to save your changes. The new signing profile is created and displayed in the list. See the following table for a description of the fields.
  6. Repeat steps 1-5 to configure other signing profiles.


Signing Profile

Fields

Description

Name

Specify a unique name for this signing profile, e.g. My SigningHub Signing. This name will be used in the Service plan configuration.

Description

Add any description related to this signing profile for your record.  

Active

Select this check box to enable this signing profile for service plans configuration. Inactive profiles cannot be configured in the service plans.

Server-side Signing

Select this check box to enable server-side signing for this profile. Specify the signing server and profile ID information in the relevant fields. It will also provide the options to enable Remote Authorisation and Office signatures. If you do not want to allow server-side signing for your end users, deselect this check box.

The "Signing Server" drop-down list displays all ADSS and CSC Server connectors. Select the one to use for server-side signing. Click the eye icon to view the details of the selected connector.

When a CSC connector is selected, the "Signing Server Profile ID" field does not appear, and neither do the other signing configurations, i.e. Enable Remote Authorisation and Office Signatures.

In the "Signing Server Profile ID" field, specify the ID or name of the profile created in the ADSS Signing Server for server-side signing, e.g. "adss:signing:profile:001".

In the "Signing Timeout (secs)" field, specify the time in seconds after which the signing requests should expire.

  1. When Server-side Signing is selected, it accepts PKCS#1 responses from all signing servers, including ADSS.
  2. SigningHub produces Long Term Validation (LTV) signatures by default; this no longer requires any LTV configuration in ADSS Server signing profiles.
  3. XML signing uses the same server-side signing profiles that are configured for document signing.
  4. XML documents can be signed using USB tokens, smart cards, or server-held keys (including remote authorisation/CSC signing).
  5. SigningHub produces ETSI-compliant "XAdES-Baseline-LTA" signatures for XML documents, but for backward compatibility with ADSS Server version 6.9 or lesser, SigningHub will produce the XAdES Extended signature based on the key "ES-X-L" added in the web.config file.

Enable Remote Authorisation

Select this check box to enable Remote Authorised Signing (RAS). RAS allows a user to authorise a remote signature (done on the server) using their registered mobile device. The mobile device has its own built-in user authentication (touchID or PIN), so in effect mobile users also get two-factor authentication.

Use the "Signing Service Profile ID" field to specify a signing profile ID against which remote signing has been enabled in the ADSS Server. The selected profile will be used to create remote signatures (done on the server) for SigningHub Desktop Web. Click the eye icon to view the details of the selected profile. Signing profiles are managed through the Signing Profiles section; see details.

For the end-to-end configuration of RAS, visit Ascertia's Partner Portal to see the Configuration Guide.

Enable Office Signatures

Office signatures are those added in native Word documents. After signing, the Word document is preserved in its native format and does not necessarily need to be converted into a PDF.

Select this check box to enable the signing of Microsoft Word files for this profile. Specify the profile ID or name that has been created in the ADSS Signing Server for Office signatures in the "Signing Service Profile ID for Office Signatures" field.

If this check box is left unticked, SigningHub won't allow Office signatures in a Word file.

Client-side (Local) Signing

Select this check box to enable client-side signing for this profile. Specify the signing server and other preferences in the fields. If you do not want to allow client-side signing for your end users, keep this check box deselected.

The "Signing Server" field displays the list of ADSS Servers and T1C connectors. Select the one to use for client-side signing. Click the eye icon to view the details of the selected connector.

When you select an ADSS Server connector in the "Signing Server" field, the "Go>Sign Service Profile ID" field will appear. Specify the profile ID or name that has been created in the ADSS Signing Server for client-side signing, e.g. "adss:gosign:profile:001".

However, if you select a T1C connector in the "Signing Server" field, the "KeyStore Settings" field will appear. The T1C connector can further be configured with Belgian eID or PKCS#11. Choose as required.

Hashing Algorithm

Specify the hashing algorithm (i.e., SHA1, SHA256, SHA384 or SHA512) to create the signature. 

Signature Type

Select whether PAdES-B-LT or PAdES-B-LTA signatures are required for your end users. The signature type must be the same as the one configured in the ADSS signing profile.

Dictionary Size (KB)

Specify the signature dictionary size. When signing PDF documents, space is reserved within the document to embed the signature; this space is called the signature dictionary. The size of the signature dictionary is directly proportional to the certificate chain to be used in the signature. The default value is 100 KB; however, the computed signature can exceed the default dictionary size. In such a case, users may see a system message, e.g. “signature dictionary size “100” KB is smaller than expected size “200” KB”. Therefore, it is recommended to reserve appropriate space for the signature dictionary to accommodate your certificate chain.

If PDF/A compliance is enabled in the Service Plan, it is important to set the "Dictionary Size" to 15 KB for the Signing Profile selected in that Service Plan. In addition, based on the selection made in the "Signature Type" field of such a Signing Profile, you need to make the following configurations in ADSS Server.

  • In case "PAdES-B-LT" is selected in the "Signature Type" field, then configure validation policy as OCSP for the whole certification chain under "Trust Manager" in ADSS Server. 
  • In case "PAdES-B-LTA" is selected in the "Signature Type" field, then set validation policy to any available value (i.e. CRL/OCSP) as the revocation information is kept in DSS.

Signature Enhancement Connector

The signature enhancement connector lets a System Admin configure a separate timestamp server (i.e. Ascertia ADSS Server), which can be independent of the signing server being used for signing.

This drop-down displays the list of ADSS Server connectors (i.e. those connectors which have 'ADSS Server' set as the 'Provider'), and is used for timestamping.

The signature enhancement connector appears for both signature types (i.e. PAdES-B-LT and PAdES-B-LTA signatures), and is used for both the signature timestamp and the document timestamp.

This is applicable for all types of signing including Server Side Signing (for ADSS Server), Client-Side Signing (for ADSS Server), T1C Signing, and CSC Signing.

Signature TimeStamp Policy ID

Specify the Signature TimeStamp Policy ID, which must be the same as configured in Ascertia ADSS Server for the TimeStamp Authority Profile. The signature timestamp will be created using the configured TimeStamp Authority Profile matching the TSA Policy ID at signing time. TSA profile information will be embedded within the document to identify the TimeStamp Profile used by the signatory.

The Policy ID value must be in the following format: 1.2.3.4.5

If no TimeStamp Policy ID is provided, the Default TimeStamp Authority Profile configured in Ascertia ADSS Server will be used.

Document TimeStamp Policy ID

Specify the Document TimeStamp Policy ID, which must be the same as configured in Ascertia ADSS Server for the TimeStamp Authority Profile. The document timestamp will be created using the configured TimeStamp Authority Profile matching the TSA Policy ID at signing time. TSA profile information will be embedded within the document to identify the TimeStamp Profile used by the signatory.

The Policy ID value must be in the following format: 1.2.3.4.5

If no TimeStamp Policy ID is provided, the Default TimeStamp Authority Profile configured in Ascertia ADSS Server will be used.
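
A pre-flight lint for the rules in the table above (policy ID format, the 15 KB dictionary size under PDF/A, fields that do not apply to a CSC connector), as an added example that is not SigningHub or Ascertia code. The dictionary keys and sample values are hypothetical, and the SHA1 finding is an added check that the page itself does not state.

```python
import re

# Key names are hypothetical; they mirror the field labels in the table above.
ALLOWED_HASHES = {"SHA1", "SHA256", "SHA384", "SHA512"}
SIGNATURE_TYPES = {"PAdES-B-LT", "PAdES-B-LTA"}
OID_RE = re.compile(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+")

def is_valid_policy_oid(value):
    """Dotted OID: no leading zeros, first arc 0-2, second < 40 if first is 0 or 1."""
    if not OID_RE.fullmatch(value):
        return False
    arcs = [int(a) for a in value.split(".")]
    return arcs[0] <= 2 and (arcs[0] == 2 or arcs[1] < 40)

def lint_profile(profile, pdfa_enabled=False):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    if profile.get("hashing_algorithm") not in ALLOWED_HASHES:
        findings.append("hashing_algorithm: not one of SHA1/SHA256/SHA384/SHA512")
    elif profile["hashing_algorithm"] == "SHA1":
        # Added check, not stated on the page: SHA-1 is deprecated for signatures.
        findings.append("hashing_algorithm: SHA1 is deprecated for new signatures")
    if profile.get("signature_type") not in SIGNATURE_TYPES:
        findings.append("signature_type: must be PAdES-B-LT or PAdES-B-LTA")
    for key in ("signature_timestamp_policy_id", "document_timestamp_policy_id"):
        value = profile.get(key, "")
        # An empty value is allowed: the default TSA profile is used instead.
        if value and not is_valid_policy_oid(value):
            findings.append(f"{key}: {value!r} is not a dotted OID such as 1.2.3.4.5")
    if pdfa_enabled and profile.get("dictionary_size_kb") != 15:
        findings.append("dictionary_size_kb: must be 15 when PDF/A is enabled")
    if profile.get("server_side") and profile.get("connector_type") == "CSC":
        for key in ("signing_server_profile_id", "remote_authorisation", "office_signatures"):
            if profile.get(key):
                findings.append(f"{key}: not applicable to a CSC connector")
    return findings

# Constructed sample profile, not taken from a real deployment.
SAMPLE = {
    "hashing_algorithm": "SHA1", "signature_type": "PAdES-B-LTA",
    "dictionary_size_kb": 100, "server_side": True, "connector_type": "CSC",
    "signing_server_profile_id": "adss:signing:profile:001",
    "signature_timestamp_policy_id": "1.2.03.4",
    "document_timestamp_policy_id": "",
}

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE, pdfa_enabled=True):
        print(finding)
```
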

