ADSS RA Server

Advanced Registration Authority

Certificate registration, revocation & recovery

The ADSS RA Server acts as a gateway between PKI end-entities (human users, servers or devices that require X.509 digital certificates) and the back-end secure Certificate Authorities (CAs). It receives initial enrollment requests as well as revocation requests from end-entities. Depending on the profile configuration, these are then either processed automatically or queued for RA operators to manually approve or reject.

ADSS RA Server supports a range of protocols (SCEP, PKCS#10/PKCS#7 and CMC) to ensure requests from a wide range of devices can be accepted, such as routers, switches, firewalls, servers, databases, mobile phones, etc. For human subscribers both client-side and server-side key generation and certification is possible using a standard Internet browser interface, as well as face-to-face registration processes. ADSS Client SDK provides a Java and .NET API for easy integration of certificate registration, revocation and recovery services into any business application.

Key Points

Supports SCEP for device certificate request handling
Supports local key generation in the browser (native browser keystores as well as connected smartcard/USB tokens) using ADSS Go>Sign Service
Supports server-side key generation and certification through a high-level web services API

FEATURES & BENEFITS

Device registration & certification

Issuing X.509 certificates to devices (routers, firewalls, switches, mobile devices, web servers, DBMS etc.) can be managed via multiple interfaces including the widely-recognised SCEP standard interface and PKCS#10/CSR where key generation is on the device. For server-side key generation and certification, the RA Service API can be used to deliver PKCS#12/PFX files. Face-to-face registration and certification processes are also possible whereby RA operator(s) generate device certificates and provide them manually to device administrator(s) for import into devices.

End-user certification through browsers

Human end-users can be registered through a standard Internet browser. The registration HTML forms can be locally designed, meeting the local language and branding needs of the customer. The ADSS Go>Sign Service and ADSS Go>Sign Client are used to generate the keys locally on the client-side either in the browser keystore or any locally attached smart cards/tokens (accessed via Windows CAPI/CNG or PKCS#11 interface). Separately face-to-face registration processes for end-users are also supported.

Business application integration

Often business applications are the point where end-users are registered before being allowed to access business services. As such it is often business applications which need to request certificate services on behalf of their end-users. To achieve this an RA Web Service API is provided in both .NET and Java as part of the ADSS Client SDK. This API allows business applications to easily make certificate enrolment and revocation calls to the RA in a secure and authenticated manner. In addition to the web service interface, an optimised HTTP-based IETF CMC (Certificate Management over CMS) interface is also provided.

USE CASE

ADSS RA Service

Send requests for X.509 digital certificates from business applications, devices or directly by end-users. Keys can be held in an HSM, USB/SmartCard or Windows Keystore. These keys can be referenced to create digital signatures on PDF, XML etc.

How it works

The ADSS RA Service functionality can be summarised as:

Register the details of all end-entities that request certificates
Allow the requests for certificates to be approved or rejected using either automated processes or using manual processes with trusted RA Operators
Supports face-to-face registration processes managed by the RA operator(s)
Communicate with the relevant CA to obtain certificates and then provide a suitable means of delivery of these to the requesting end-entities
Manage the certificate renewal process which may follow a different workflow depending on the end-entity capabilities
Manage the certificate revocation process which may be initiated by the certificate owner or a trusted RA Operator

Our experience with ADSS Server product and its availability and performance is that I as an IT Professional & as Nikken’s IT manager for 9 years, that Ascertia are the standards by which all companies in this industry sector should consider setting their standards by.

Andy Butterworth
IT Manager Nikken UK Ltd

Ascertia is a global leader in delivering functionally rich, easy to deploy e-security solutions. We pride ourselves in being easy and efficient to deal with.
