ADSS RA Server

Advanced Registration Authority

Certificate registration, revocation & recovery

The ADSS RA Server acts as a gateway between PKI end-entities (human users, servers or devices that require X.509 digital certificates) and the back-end secure Certificate Authorities (CAs). It receives initial enrolment requests as well as revocation requests from end-entities. Depending on the profile configuration, these are then either processed automatically or queued for RA operators to approve or reject manually.

ADSS RA Server supports a range of protocols (SCEP, PKCS#10/PKCS#7 and CMC) to ensure requests from a wide range of devices can be accepted, such as routers, switches, firewalls, servers, databases, mobile phones, etc. For human subscribers both client-side and server-side key generation and certification is possible using a standard Internet browser interface, as well as face-to-face registration processes. ADSS Client SDK provides a Java and .NET API for easy integration of certificate registration, revocation and recovery services into any business application.

Key Points

Supports SCEP for device certificate request handling
Supports local key generation in the browser (native browser keystores as well as connected smartcard/USB tokens) using the ADSS Go>Sign Service
Supports server-side key generation and certification through a high-level web services API

FEATURES & BENEFITS

Device registration & certification

Issuing X.509 certificates to devices (routers, firewalls, switches, mobile devices, web servers, DBMS etc.) can be managed via multiple interfaces including the widely-recognised SCEP standard interface and PKCS#10/CSR where key generation is on the device. For server-side key generation and certification, the RA Service API can be used to deliver PKCS#12/PFX files. Face-to-face registration and certification processes are also possible whereby RA operator(s) generate device certificates and provide them manually to device administrator(s) for import into devices.

End-user certification through browsers

Human end-users can be registered through a standard Internet browser. The registration HTML forms can be locally designed, meeting the local language and branding needs of the customer. The ADSS Go>Sign Service and applet is used to generate the keys locally on the client-side either in the browser keystore or any locally attached smart cards/tokens (accessed via Windows CAPI/CNG or PKCS#11 interface). Separately face-to-face registration processes for end-users are also supported.

Business application integration

Often business applications are the point where end-users are registered before being allowed to access business services. As such it is often business applications which need to request certificate services on behalf of their end-users. To achieve this an RA Web Service API is provided in both .NET and Java as part of the ADSS Client SDK. This API allows business applications to easily make certificate enrolment and revocation calls to the RA in a secure and authenticated manner. In addition to the web service interface, an optimised HTTP-based IETF CMC (Certificate Management over CMS) interface is also provided.

USE CASE

ADSS RA Service

Send requests for X.509 digital certificates from business applications, devices or directly from end-users. Keys can be held in an HSM, a USB token/smartcard or the Windows keystore. These keys can then be referenced to create digital signatures on PDF, XML and other document formats.

How it works

The ADSS RA Service functionality can be summarised as:

Register the details of all end-entities that request certificates
Allow certificate requests to be approved or rejected, either through automated processes or through manual processes carried out by trusted RA Operators
Support face-to-face registration processes managed by the RA operator(s)
Communicate with the relevant CA to obtain certificates and then provide a suitable means of delivering these to the requesting end-entities
Manage the certificate renewal process, which may follow a different workflow depending on the end-entity's capabilities
Manage the certificate revocation process, which may be initiated by the certificate owner or by a trusted RA Operator
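To make the intake step concrete, the following added illustration (not Ascertia's code) shows the kind of check an RA applies to a device's PKCS#10 request before deciding whether to process it automatically or queue it for an operator, as described in the device registration section and the summary above. The profile rule (an auto-approved CN suffix and a minimum key strength), the example device names and the use of the openssl command line are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration (not Ascertia's code): an RA intake check for a PKCS#10
# request that mirrors the auto-process-or-queue decision described above.
# The profile rule (allowed CN suffix, key strength) is a hypothetical example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a device generates its own key and CSR (device-side keygen).
make_device_csr() {   # $1 = subject CN, $2 = output CSR path
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1/O=Example Devices" -out "$2" 2>/dev/null
}

# ra_decide: print AUTO (auto-process), QUEUE (operator review) or REJECT.
ra_decide() {   # $1 = CSR path, $2 = CN suffix the profile auto-approves
  csr=$1; suffix=$2
  # 1. Proof of possession: the CSR's self-signature must verify with the
  #    enclosed public key; a corrupt or mis-signed request is rejected outright.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo REJECT; return 0; }
  # 2. Extract the subject CN (RFC 2253 form gives a stable "CN=value" layout).
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  keytext=$(openssl req -in "$csr" -noout -text)
  # 3. Profile rule: CN inside the device domain and an acceptable key
  #    (P-256 or RSA 2048+) is processed automatically; anything else is queued.
  case "$cn" in
    *"$suffix") ;;
    *) echo QUEUE; return 0 ;;
  esac
  if echo "$keytext" | grep -q 'ASN1 OID: prime256v1' \
     || echo "$keytext" | grep -Eq 'Public-Key: \((2048|3072|4096) bit\)'; then
    echo AUTO
  else
    echo QUEUE
  fi
}

# Constructed requests: one in-profile device, one from an unknown domain,
# and a copy of the first whose DER has been corrupted (signature check fails).
make_device_csr router1.example.net "$WORK/good.csr"
make_device_csr printer7.other.org "$WORK/other.csr"
sed '2s/^M/N/' "$WORK/good.csr" > "$WORK/bad.csr"

ra_decide "$WORK/good.csr"  .example.net   # AUTO
ra_decide "$WORK/other.csr" .example.net   # QUEUE
ra_decide "$WORK/bad.csr"   .example.net   # REJECT
```

In a real deployment the QUEUE outcome is where the RA operator's manual approve/reject step sits, and every decision should be logged with the request's subject and key fingerprint for later audit.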

Verisec is building its next generation eID service for the Nordic market on Ascertia’s PKI technology. We have also integrated our Freja platform with Ascertia’s SigningHub solution to create a complete authentication and document signing application for our enterprise customers. The Ascertia team are real professionals and experts in their field – they have proven to be flexible and solutions oriented with a strong entrepreneurial corporate culture and an eye for detail that ensures the quality of the products and solutions they deliver.

Anders Henrikson
Founder, Verisec AB

Ascertia is a global leader in delivering functionally rich, easy to deploy e-security solutions. We pride ourselves in being easy and efficient to deal with.