Issuing X.509 certificates to devices (routers, firewalls, switches, mobile devices, web servers, DBMS etc.) can be managed via multiple interfaces including the widely-recognised SCEP standard interface and PKCS#10/CSR where key generation is on the device. For server-side key generation and certification, PKCS#12/PFX files are generated by the server, protected by a password which is set by the user and then downloaded over a secure authenticated session. Face-to-face registration and certification processes are also possible whereby RA operator(s) generate device certificates and provide them manually to device administrator(s) for import into devices.

Human end-users can be registered through a standard Internet browser. The vetting forms can be designed within ADSS Web RA Server, vetting forms can capture text, numbers, drop down selections and allow scanned copies of documents to be supplied during enrolment, this ensures the exact enrolment and vetting needs of the customer are met.

End users can generate keys and certificates locally using the ADSS Go>Sign Service and ADSS Go>Sign Client, together these are used to generate keys within Windows CAPI/CNG or PKCS#11 enabled smartcards.

Often business applications are the point where end-users are registered before being allowed to access business services. As such it is often business applications which need to request certificate services on behalf of their end-users. To achieve this ADSS Web RA Server provides a REST API. This allows business applications to easily make certificate enrolment and revocation calls to ADSS Web RA Server in a secure and authenticated manner.

ADSS Web RA Server supports multiple enterprise by providing separate service plans to be created for each enterprise, which can be assigned its own subscriber and services agreement as well as being assigned unique vetting forms and enrolment workflow. Each service plan can then be assigned different certificate types and can be configured to handle different key-lengths/algorithms, name formats, certificate validity periods, approval processes etc. ADSS Web RA Server also provides the ability to create an Enterprise RA Operator who can be assigned access to each enterprise within a deployment. Each Enterprise RA Operator, however, is limited to accessing users, devices and things enrolling in their enterprise.

The admin interface provides dashboards to indicate certificates nearing expiration, along with any general, renewal or revocation requests received.

The user interface provides dashboards to indicate certificates owned by the user that are nearing expiration or renewing and any device certificate requests that have been made.

All interactions are securely logged in the ADSS Web RA Server database. System Operators and Enterprise RA Operators can view the operator log to see interactions with the system.

Subscribers with access to the end user portal can view activity in their own activity log.

System Operators and Enterprise RA Operators use client authenticated TLS to access the administrator portal. Subscribers access the end user portal with username and password, OTP via SMS and eMail are also supported for authentication operations, certificate renewals and revocation operations. Web RA Server can also be integrated into existing authentication schemes such as SAML, OpenID Connect etc. using the WSO2 Identity Server