ADSS CA Server offers an XML/SOAP web services interface as well as a CMC (Certificate Management over CMS) protocol interface. All common RFC 5280 certificate and CRL extensions are supported. Business applications requiring certificates can be quickly and easily integrated through the ADSS Client SDK, using either high-level Java or .NET APIs.
ADSS CA Server has been independently evaluated and certified against the CWA 14167-1 criteria. This specification defines the security requirements for trustworthy systems that manage certificates for electronic signatures. This level of certification enables Certificate Service Providers (CSPs) to use ADSS CA Server to issue EU Qualified Certificates. For smartcard issuance and management, ADSS CA Server integrates with AET’s BlueX CWA 14167-1 compliant product.
ADSS Server uses a Java EE architecture to provide multi-platform support, performance and scalability. It offers robust, well-proven features suitable for 24 x 7 operations that can use load balanced configurations for higher availability and throughput. Windows, Linux and Solaris servers are supported.
ADSS CA Server can be used to set up a Root CA and one or more Subordinate CAs from the same instance. Alternatively, ADSS CA Server can be used as an off-line Root CA or an existing Root CA can be utilised. ADSS Server can also receive local requests and securely route these to another high-trust central CA instance if required.
Often business applications already have an established Know Your Customer (KYC) registration process. Such business applications can act as very effective Registration Authorities (RAs) and easily integrate with ADSS CA Server using configurable registration and certification processes.
ADSS CA Server uses certification profiles to define the algorithms, key lengths, certificate lifetime and other important parameters. Automatic certificate and key renewal is supported. Multiple profiles are supported to meet a variety of business requirements.
ADSS CA Server uses certificate templates to manage the certificate contents. Templates are available for common certificate types, e.g. document signing, TLS/SSL client certificates, email security, code signing, archive signing, etc. Less common ones such as TSA, OCSP and OMA DRM certificate templates are also provided. These templates can be edited and new ones created as required.
ADSS CA Server supports server-side key generation and certification on behalf of end-entities. This functionality can be accessed through an API call or via the admin interface. The ADSS RA Service option allows enhanced support for user key and certificate generation as well as device certificate management using SCEP.
ADSS CA Server working in conjunction with ADSS Go>Sign Service can generate roamed keys and have these certified. Roamed keys are kept in a secure container protected by a user-defined access code. All containers are stored securely within the ADSS Server database and are delivered to their respective owner for use within a browser as needed.
ADSS CA Server includes a management dashboard and detailed reporting. This provides a high-level view of the service and detailed analysis of the service requests for a selected date period. The reports show the number of transactions processed, their results, who the main CA clients are, which certification profiles were used the most, etc. These reports can be exported to PDF and CSV format.
All CA request/response transactions are securely logged in the ADSS CA Server database. To support an administrator’s review of these transactions, viewers are provided, which allow easy analysis of reported trust issues or when checking interoperability.
FIPS and Common Criteria certified HSMs from SafeNet, Thales and Utimaco can be used to store and protect all cryptographic keys. Support for other PKCS#11 compliant HSMs can also be provided if required. HSMs can be network, PCIe or USB connected. One or more HSMs, smart cards or USB tokens can be connected to ADSS Server. Another key feature of ADSS Server is the sophisticated auto-reconnect feature that prevents a network issue from requiring operator intervention to reconnect a network HSM.
Support for the common cryptographic algorithms is provided, including SHA-1, SHA-2 (SHA-256, SHA-384, SHA-512), RSA keys up to 4096 bits and ECDSA up to 521 bits.
ADSS Server operators are authenticated using certificates over mutually authenticated TLS/SSL sessions. The operator’s private key and certificates can be on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing operators to log in to the console.
ADSS Server enables multiple operator roles to be defined. Each operator registered within the system is assigned a role. The role-based access control system enables very fine control over specific service modules that an operator can see and whether they have read, write, edit or delete capability for specific areas of functionality.
ADSS Server implements dual control in a flexible and practical way, i.e. dual control can be applied selectively to the aspects of functionality that are considered most sensitive (such as key generation, policy change, etc.). When used, an operator’s actions are queued for a Security Officer role-holder to review and then approve or reject the action.
Business applications are authenticated using TLS/SSL client certificates that are pre-registered in ADSS Server. The application’s access to specific profiles and/or keys is checked as part of the ADSS Server authorisation process when service requests are received.
Cryptographically tamper-resistant logs are provided for all service transaction logs that contain details of requests and responses, all operator activity logs and all system event logs. Advanced reporting and reviewing, including searching and filtering of log records, are provided. All database log records are cryptographically protected to prevent record modification, deletion or addition.
All ADSS Server configurations and settings held in the database are cryptographically protected to prevent record modification, deletion or addition. The system automatically checks these records at pre-defined intervals or on demand to ensure system integrity. A detailed report is produced for any issues that are found.
Selected system operators can be alerted when certain event conditions occur using email or SMS messages. Management systems can be alerted using SNMP messages or via Syslog (log4j) messages.
ADSS Server is feature rich to minimise IT operations time. The simple installation wizard, the automatic checking of system integrity and auto-archiving and alerting ensure the system runs without daily operator involvement. The detailed transaction logs and detailed request/response viewers reduce support desk time in resolving operational issues. ADSS CA Server is also able to run an automatic upgrade process for its settings and data to run the latest software version.
To prevent database bloating, ADSS Server can be configured to automatically archive database log records. As the archive log files are created and written to disk, they are digitally signed to provide authentication and integrity. The archived files can later be imported, verified and viewed within the transaction log viewer.
ADSS Server features an optional NTP Time Monitor service that regularly checks the operating system time and compares this with one or more configured NTP time servers to detect unacceptable time drift or IT operational errors. Configured time thresholds allow ADSS Server operators to be alerted to time issues and ultimately all trust services can also be stopped automatically.