ADSS CA Server / PKI Server

Features

ADSS CA Server is a secure Certificate Authority product. It can manage the entire lifecycle of X.509 certificates and CRLs. ADSS CA Server offers an XML/SOAP web services interface as well as a CMC (Certificate Management over CMS) protocol interface. All of the common RFC 5280 certificate and CRL extensions are supported. Business applications requiring certificates can be quickly and easily integrated through the ADSS Client SDK using either high-level Java or .NET APIs.

ADSS CA Server has been independently evaluated and certified against the CWA 14167-1 criteria. This specification defines the security requirements for trustworthy systems that manage certificates for electronic signatures. This level of certification enables Certificate Service Providers (CSPs) to use ADSS CA Server to issue EU Qualified Certificates. For smartcard issuance and management, ADSS CA Server integrates with AET’s BlueX CWA 14167-1 compliant product.

ADSS Server uses a Java EE architecture to provide multi-platform support, performance and scalability. It offers robust, well-proven features suitable for 24 x 7 operations that can use load balanced configurations for higher availability and throughput. Windows, Linux and Solaris servers are supported.

The following list highlights its main features:

CA specific features

  • Support for root and subordinate CAs
    ADSS CA Server can be used to set up a Root CA and one or more Subordinate CAs from the same instance. Alternatively, ADSS CA Server can be used as an off-line Root CA or an existing Root CA can be utilised. ADSS Server can also receive local requests and securely route these to another high-trust central CA instance if required.
  • Business applications can act as RAs
    Often business applications already have an established Know Your Customer (KYC) registration process. Such business applications can act as very effective Registration Authorities (RAs) and easily integrate with ADSS CA Server using configurable registration and certification processes.
  • Multiple certification profiles
    ADSS CA Server uses certification profiles to define the algorithms, key lengths, certificate lifetime and other important parameters. Automatic certificate and key renewal is supported. Multiple profiles are supported to meet a variety of business requirements.
  • Multiple certificate templates
    ADSS CA Server uses certificate templates to manage the certificate contents. Templates are available for common certificate types, e.g. document signing, TLS/SSL client certificates, email security, code signing, archive signing etc. Less common ones such as TSA, OCSP and OMA DRM certificate templates are also provided. These templates can be edited and new ones created as required.
  • Multiple key generation/certification and SCEP options
    ADSS CA Server supports server-side key generation and certification on behalf of end-entities. This functionality can be accessed through an API call or via the admin interface. The ADSS RA Service option allows enhanced support for user key and certificate generation as well as device certificate management using SCEP.
  • Roaming credentials
    ADSS CA Server working in conjunction with ADSS Go>Sign Service can generate roamed keys and have these certified. Roamed keys are kept in a secure container protected by a user-defined access code. All containers are stored securely within the ADSS Server database and are delivered to their respective owner for use within a browser as needed.

CA service reporting

  • Management dashboard and reporting
    ADSS CA Server includes a management dashboard and detailed reporting. This provides a high level view of the service and detailed analysis of the service requests for a selected date period. The reports show the number of transactions processed, their results, who the main CA clients are, which certification profiles were used the most, etc. These reports can be exported in PDF and CSV format.
  • Human-readable transaction viewers
    All CA request/response transactions are securely logged in the ADSS CA Server database. To support administrators' review of these transactions, viewers are provided that allow easy analysis when investigating reported trust issues or checking interoperability.

Security & management

  • Hardware Security Module (HSM) support
    FIPS and Common Criteria certified HSMs from SafeNet, Thales and Utimaco can be used to store and protect all cryptographic keys. Support for other PKCS#11 compliant HSMs can also be provided if required. HSMs can be network, PCIe or USB connected. One or more HSMs, smart cards or USB tokens can be connected to ADSS Server. Another key feature of ADSS Server is its sophisticated auto-reconnect feature, which prevents a network issue from requiring operator intervention to reconnect a network HSM!
  • Strong crypto algorithm support
    Support for the common cryptographic algorithms is provided including SHA-1, SHA-2 (SHA-256, SHA-384, SHA-512), RSA keys up to 4096 bits and ECDSA up to 521 bits.
  • Strong operator authentication
    ADSS Server operators are authenticated using certificates over mutually authenticated TLS/SSL sessions. The operator's private key and certificates can be on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing operators to log in to the console.
  • Role based access control
    ADSS Server enables multiple operator roles to be defined. Each operator registered within the system is assigned a role. The role-based access control system enables very fine control over specific service modules that an operator can see and whether they have read, write, edit or delete capability for specific areas of functionality.
  • Dual control
    ADSS Server implements dual control in a flexible and practical way, i.e. dual control can be applied selectively to the important aspects of functionality that are considered most sensitive (such as key generation, policy change etc). When used, an operator's actions are queued for a Security Officer role-holder to review and then approve or reject the action.
  • Business application client authentication and separation
    Business applications are authenticated using TLS/SSL client certificates that are pre-registered in ADSS Server. The application’s access to specific profiles and/or keys is checked as part of the ADSS Server authorisation process when service requests are received.
  • Secure logging with automatic integrity checking
    Cryptographic tamper-resistant logs are provided for all service transaction logs that contain details of requests and responses, all operator activity logs and all system event logs. Advanced reporting and reviewing, including searching and filtering of log records, is provided. All database log records are cryptographically protected to prevent record modification, deletions or additions.
  • Automatic system integrity checking
    All ADSS Server configurations and settings held in the database are cryptographically protected to prevent record modification, deletion or addition. The system automatically checks these records at pre-defined intervals or on demand to ensure system integrity. A detailed report is produced for any issues that are found.
  • Operator and system management alerting
    Selected system operators can be alerted when certain event conditions occur using email or SMS messages. Management systems can be alerted using SNMP messages or via Syslog (log4j) messages.
  • Easy to install, manage and upgrade
    ADSS Server is feature rich to minimise IT operations time. The simple installation wizard, the automatic checking of system integrity and auto-archiving and alerting ensure the system runs without daily operator involvement. The detailed transaction logs and detailed request/response viewers reduce support desk time in resolving operational issues. ADSS CA Server is also able to run an automatic upgrade process for its settings and data to run the latest version of software.
  • Auto-archiving
    To prevent database bloating, ADSS Server can be configured to automatically archive database log records. As the archive log files are created and written to disk, they are digitally signed to provide authentication and integrity. The archived files can later be imported, verified and viewed within the transaction log viewer.
  • NTP time monitoring
    ADSS Server features an optional NTP Time Monitor service that regularly checks the operating system time and compares this with one or more configured NTP time servers to detect unacceptable time drift or IT operational errors. Configured time thresholds allow ADSS Server operators to be alerted to time issues and ultimately all trust services can also be stopped automatically.
