Service Plans
A service plan is a collection of allowed services and certificate types that is assigned to an Enterprise. A service plan may specify, but is not limited to, the following:
- Control of the issuance of server-side keys
  - Simple
  - Remote Authorisation
- Control of the issuance of client-side keys
  - Certifying a CSR
  - Generating a key pair on the client side (e.g. in a PKCS#11 device) using ADSS Go>Sign Desktop
- Multi-factor authentication (optional)
  - At the time of system login
  - At the time of sending a certificate revocation request
  - At the time of sending a certificate renewal request
- Service plans can be assigned to enterprises only. You cannot assign a service plan directly to users.
- Based on your business requirements, you can create multiple service plans to offer different sets of certification services to different enterprises.
- You can configure one service plan in multiple enterprises, but it is good practice to create a separate service plan for each enterprise if you are a service provider and there are many enterprises registered in the ADSS Web RA application.
- You can also change the service plan for a particular enterprise from the web portal.
Create a Service Plan
- Click Service Plans from the left menu.
- Click
from the grid header.
- A dialog wizard will appear to configure the service plan details. The wizard consists of 5 sequential screens: Basic Information, Profile Settings, Enrolments, Notification and Advance Settings.

Basic Information

| Field | Description |
|---|---|
| Name | Specify a unique name for this service plan, e.g. My Service Plan. The service plans are used in the configuration of Enterprise Accounts. |
| Description | Specify any description related to this service plan for your records. |
| Active | Select this check box to make this service plan active. Inactive service plans cannot be configured in the Enterprise Accounts. |

Profiles Settings

| Field | Description |
|---|---|
| Key Stores > Profiles for server-side keys & certificates | This field lists all active ADSS Certification Service Profiles that have been created to issue remote/server-side signing keys and certificates. The remote keys are generated and held in the ADSS Server. Specify the ones to be used by ADSS Web RA to process such certificate requests. If the check box Enable client keys is unchecked in a profile, the profile is shown in the Profile for server-side keys & certificates drop down, where the operator can configure it in the service plan. If multiple profiles are specified here, the ADSS Web RA operator can choose one before sending a server-side certificate request. |
| Key Stores > Profiles for requesting certificates with CSR | This field lists all active ADSS Certification Service Profiles that have been created to issue certificates by submitting users' CSRs. Specify the ones to be used by ADSS Web RA to process such certificate requests. If the check box Enable client keys is selected in a profile, the profile is shown in the Profile for requesting certificate with CSR drop down, where the operator can configure it in the service plan. |
| Key Stores > Profiles for creating keys on smartcards/tokens | This field lists all active ADSS Certification Service Profiles that have been created to issue signing keys and certificates on smart cards and tokens, i.e. the profiles in which the "Smartcard/Token Profile" field is enabled. Specify the one to be used by ADSS Web RA to process such certificate requests. |
| Services > Profiles to create certificates for Virtual ID (remote authorisation) | This drop down allows the user to set multiple profiles to create Virtual ID certificates. |
| Services > Certificate profile for user registration (Virtual ID) | This drop down allows the user to set a default profile to create Virtual ID certificates. |
| Services > Default certificate profile for Desktop Signing | This field lists all active ADSS CSP Service Profiles that have been created to issue Remote Authorised Signing (RAS) certificates. Specify the one to be used by ADSS Web RA to process such certificate requests. |
| Desktop Signing profile for user registration | This field allows a user to select a profile to register a user and create a default certificate for Desktop Signing. |
| Services > SigningHub Connector | This shows the list of all configured SigningHub connectors that can be used for ADSS Web RA integration. |
| Services > Default certificate profile for SigningHub | This shows the list of all configured certification profiles that can be used for default certificate generation for Remote Authorisation Signing under the integrated app. If None is selected, no default certificate is generated under the integrated app for the enterprise account at registration time. |

Enrolments
Profiles Settings

| Field | Description |
|---|---|
| Profile to create certificates for SCEP | This drop down lists all profiles used to generate Simple Certificate Enrolment Protocol (SCEP) certificates. |
| Profile to create certificates for CMP | This drop down lists all profiles used to generate Certificate Management Protocol (CMP) certificates. |
| Profile to create certificates for ACME | This drop down lists all profiles used to generate Automatic Certificate Management Environment (ACME) certificates. |
| Profile to create certificates for EST | This drop down lists all profiles used to generate Enrolment over Secure Transport (EST) certificates. |
| Profile to create certificates for Windows User Enrolment | This section lists all profiles used to generate Windows enrolment certificates for users. |
| Profile to create certificates for Windows Device Enrolment | This section lists all configured profiles used to generate Windows enrolment certificates for devices. |

Notification
Notification

| Field | Description |
|---|---|
| SMS Gateway | This shows all the configured SMS gateway connectors that can be selected to receive OTPs via SMS. Additionally, the OTP length and retry interval can also be set. |
| OTP Length (digits) | Set the length of the OTP. |
| OTP Retry Interval (secs) | Set the retry interval if an OTP does not appear on your mobile device. |
| Email Gateway | This shows the list of configured SMTP connectors that can be selected to receive email notifications. |

Advance Settings
The Advance Settings screen displays a drop down named 'Login Authentications', in which all the primary authentications to be configured in the system must be specified. Here, the user can select one of the following mechanisms for primary and secondary authentication.
A user can configure the following authentication mechanisms in a service plan:
- Email / Password Authentication
- SMS OTP Authentication
- Email OTP Authentication
- Email & SMS Authentication
- SAML Authentication
- Active Directory Authentication
- Azure Active Directory Authentication
- OIDC
To learn more about Authentication Profiles, click here.
Advance Settings

| Field | Description |
|---|---|
| Login Authentications > Primary Authentication Profiles | When primary authentication is configured as login authentication, it allows an enterprise RAO to log in to the ADSS Web RA User Portal. An operator can set multiple primary authentication profiles for users in an enterprise. |
| Default Primary Authentication Profile | One of the available Primary Authentication profiles must be selected by default for a new service plan. |
| Secondary Authentication Profiles | When secondary authentication is configured as login authentication, it allows an Enterprise RAO to log in to the ADSS Web RA web portal. |
| Default Secondary Authentication Profile | One of the available Secondary Authentication profiles must be selected by default for a new service plan. |
| Enterprise Registration > Enable vetting to approve enterprise registration | This check box enables vetting for new enterprise account registrations. If enabled, a list of vetting forms appears so that a vetting form can be selected while registering an enterprise through either ADSS Web RA admin or ADSS Web RA web. When "None" is selected in the vetting form list, no vetting form appears to be filled in. An Admin RAO is then only required to approve the new enterprise registration. |

- Once you specify the configurations of each screen accordingly, click Next to proceed further.
- Click "Create". A new service plan will be saved and displayed in the list. You can also edit and delete a service plan, if required.

It is important to note that the primary and secondary authentication profile mechanisms cannot be the same.

Once you create a service plan, configure it in an enterprise.