A certification profile identifies the ADSS Certification Server profile that has been configured for SigningHub Desktop Web to generate certified asymmetric key pairs. These certificates are used during server-side signing. Based on your business requirements, you can manage (add, edit and delete) multiple certification profiles to offer different types of certificates (e.g. public CA based certificates, local CA based certificates, certificates with custom validity, certificates for qualified signatures, etc.) to your end users.

A document owner has more control over the signing process and can set the level of assurance on a signature field, as configured under the certification profile, which is reflected at the time of signing. Certification profiles can also be configured based on levels of assurance, where eSeal produces an Electronic Witness Signature. To produce Digital Signatures or Remote Authorisation Signing, Advanced Electronic Signature (AES), High Trust Advanced Signature (AATL) and Qualified Electronic Signature (QES) can be set as the level of assurance.


Create a new certification profile

  1. Create a new ADSS Server connector.
  2. Choose the "Configurations" option from the left menu.
  3. Choose the "Certification Profiles" option. The "Certification Profiles" screen will appear.
  4. Click on the icon in the grid header.
  5. A dialog appears where you can configure the details of the certification profile. Specify the details accordingly and click the "Save" button. The new certification profile will be saved and displayed in the list. See the following table for a description of the fields.
  6. Repeat steps 1 to 5 to configure further certification profiles.


Certification Profile

Fields

Description

Name

Specify a unique name for this certification profile, e.g. My SigningHub Certification. This name will be used in the service plan configuration.

Description

Add any description related to this certification profile for your record.   

Level of Assurance

Select the level of assurance that this certification profile uses when producing a signing key for a user. The terms for the levels of assurance are as per the eIDAS standards. For details of these terms click here. Possible values are:

  • Electronic Seal (eSeal)
  • Advanced Electronic Seal (AdESeal)
  • Qualified Electronic Seal (QESeal)
  • Advanced Electronic Signature (AES)
  • High Trust Advanced Signature (AATL)
  • Qualified Electronic Signature (QES)


For eSeal, a "Certificate Alias" is mandatory, and for the three levels of assurance, "Certification Authority Server" is mandatory.

The names of the Levels of Assurance are displayed as configured under Configuration > Document Settings > Signature Types.

Key Protection Option

Select the value that matches how your certificate key is generated, i.e. whether your signing certificate is generated with a user password or whether the intended certificate is generated for remote authorisation signing. Possible values are User Password, System Generated Password and Remote Authorisation.

This option is used to categorise the Signing Capacities into three different sections under Enterprise roles, according to their key protection option. Enterprise Users (related to this service plan) can either only use their SigningHub IDs or they may also use external IDPs to authenticate themselves for server-side signing.

  • Signing Capacities which have the User Password key protection option will appear under 'Signing Capacities owned by User'. This allows password-based authentication only (i.e. SigningHub ID & password) in the "Enterprise Role>Signature Settings>Signing Servers>Authentication Method" page. The enterprise admin can also configure a secondary authentication method for their enterprise users using server-side signing, as No Authentication or OTP via SMS.
  • Signing Capacities which have the System Generated Password key protection option will appear under 'Signing Capacities owned by [Organization name]'. This allows multiple authentication methods (i.e. SigningHub ID, Salesforce, Active Directory, Google, Office 365, Linked-in, OTP, itsme, etc.) in the "Enterprise Role>Signature Settings>Authentication Method" field.
  • Signing Capacities which have the Remote Authorisation key protection option will appear under 'Signing Capacities for Remote Authorization (Owned by User)'. This only allows Authorise via Mobile App as the signing authentication method, in the "Enterprise Role>Signature Settings>Signing Servers>Authentication Method" page. There is no secondary authentication available in this case.
  • Signing Capacities which have Electronic Seal as the Level of Assurance do not have a selectable key protection option. They appear under 'Signing Capacities owned by Organisation'. This allows multiple authentication methods (i.e. SigningHub ID, Salesforce, Active Directory, Google, Office 365, Linked-in, OTP, itsme, etc.) in the "Enterprise Role>Signature Settings>Authentication Method" field.
  • The enterprise admin has the option to configure a desired authentication method (from these) for their enterprise users to authenticate themselves accordingly when they opt to use server-side signing. The enterprise admin can also configure two-factor authentication in the form of primary and secondary authentication methods.


Certification Authority Server

This field displays a list of ADSS connectors. Select one to use for the certification profile. Click on the eye icon to view the details of the selected connector.

Certificate Alias

Enter the certificate alias that identifies the service key and its related certificate, as configured under ADSS > Key Manager.

This field is available only if one of the following Levels of Assurance is selected for the Certification Profile:

  • Electronic Seal (eSeal)
  • Advanced Electronic Seal (AdESeal)
  • Qualified Electronic Seal (QESeal)


Auto Download Certificate

Select to allow SigningHub to automatically import the required certificate for eSeal signature from the Certification Authority Server specified above. 

This field is available only if one of the following Levels of Assurance is selected for the Certification Profile:

  • Electronic Seal (eSeal)
  • Advanced Electronic Seal (AdESeal)
  • Qualified Electronic Seal (QESeal)


This option only works with the latest ADSS Server 6.9 version.

Certificate (CER)

Select the appropriate certificate file (with the .cer extension) for the Certificate Alias specified above. Use this option if you need to manually import the certificate.

This field is available if the "Auto Download Certificate" check box is empty.

Use this profile as default for Electronic Seal Signatures

This check box only appears when Electronic Seal (eSeal) is selected under Level of Assurance. Select this check box if you want this certification profile to be shown as the default for eSeal signing at the time of signing, for users who have no eSeal capacities configured in their service plan.

Certification Service Profile ID

Specify the ID or name of the profile which you have created in the ADSS Certification Server for your SigningHub Desktop Web, for example "adss:certification:profile:001".

Active

Select this check box to enable the certification profile for service plans configuration. Inactive profiles cannot be configured in the service plans.


