Features & Benefits
Issuing X.509 certificates to devices (routers, firewalls, switches, mobile devices, web servers, DBMS etc.) can be managed via multiple interfaces, including the widely recognised SCEP standard interface and PKCS#10/CSR enrolment, where the key pair is generated on the device and only the signed request leaves it. For server-side key generation and certification, PKCS#12/PFX files are generated by the server, protected by a password set by the user, and then downloaded over a secure, authenticated session. Face-to-face registration and certification processes are also possible, whereby RA operators generate device certificates and hand them manually to device administrators for import into the devices.
Human end users can be registered through a standard Internet browser. Vetting forms are designed within ADSS Web RA Server and can capture text, numbers and drop-down selections, and allow scanned copies of documents to be supplied during enrolment, so that the exact enrolment and vetting needs of the customer are met.
End users can generate keys and certificates locally using the ADSS Go>Sign Service together with the ADSS Go>Sign Client, which generate the keys within Windows CAPI/CNG or on PKCS#11-enabled smartcards, so the private key never leaves the user's key store.
Often business applications are the point where end users are registered before being allowed to access business services, so it is frequently the business application that needs to request certificate services on behalf of its end users. To achieve this, ADSS Web RA Server provides a REST API that allows business applications to make certificate enrolment and revocation calls to ADSS Web RA Server in a secure and authenticated manner.
ADSS Web RA Server supports multiple enterprises by allowing a separate service plan to be created for each enterprise; each plan can be assigned its own subscriber and services agreement as well as unique vetting forms and an enrolment workflow. Each service plan can then be assigned different certificate types and configured to handle different key lengths/algorithms, name formats, certificate validity periods, approval processes etc. ADSS Web RA Server also provides the ability to create Enterprise RA Operators, who can be assigned access to a given enterprise within a deployment. Each Enterprise RA Operator is limited to the users, devices and things enrolled in their own enterprise.
The admin interface provides dashboards to indicate certificates nearing expiration, along with any general, renewal or revocation requests received.
The user interface provides dashboards to indicate certificates owned by the user that are nearing expiration or renewing and any device certificate requests that have been made.
All interactions are securely logged in the ADSS Web RA Server database. System Operators and Enterprise RA Operators can view the operator log to see interactions with the system.
Subscribers with access to the end user portal can view activity in their own activity log.
System Operators and Enterprise RA Operators use client-authenticated TLS to access the administrator portal. Subscribers access the end user portal with a username and password; OTP via SMS and email is also supported for authentication, certificate renewal and revocation operations. Web RA Server can also be integrated into existing authentication schemes such as SAML, OpenID Connect etc. using the WSO2 Identity Server.
Support for the common cryptographic algorithms is provided, including SHA-1, SHA-2 (SHA-256, SHA-384, SHA-512), RSA keys up to 4096 bits and ECDSA keys up to 521 bits. SHA-1 is retained for legacy compatibility only; it is no longer acceptable for new certificate signatures, and a service plan for new deployments should restrict requests to SHA-2.
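The RA-side policy check that a service plan implies (key type and size, signature hash, subject name format, and proof of possession of the private key in a PKCS#10 request) can be illustrated in code. The following Go program is an added example, not code from ADSS Web RA Server; the ServicePlan structure, the DeviceCSR and ValidateCSR functions and the enterprise name "Example Corp" are assumptions for illustration. The device side generates its own key and signs a CSR, so only the request leaves the device; the RA side parses the PEM, verifies the self-signature and reports every way the request departs from the plan.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// ServicePlan is an assumed structure standing in for the per-enterprise
// policy: permitted RSA sizes, permitted ECDSA curves, permitted signature
// hashes and the required subject O attribute.
type ServicePlan struct {
	Enterprise  string
	MinRSABits  int
	MaxRSABits  int
	ECCurves    []elliptic.Curve
	AllowedHash map[crypto.Hash]bool
}

// DefaultPlan follows the page's stated limits (RSA up to 4096, ECDSA up to
// P-521) but deliberately excludes SHA-1, which is legacy-only.
func DefaultPlan(enterprise string) ServicePlan {
	return ServicePlan{
		Enterprise: enterprise,
		MinRSABits: 2048, MaxRSABits: 4096,
		ECCurves:    []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()},
		AllowedHash: map[crypto.Hash]bool{crypto.SHA256: true, crypto.SHA384: true, crypto.SHA512: true},
	}
}

// DeviceCSR is the device side of PKCS#10 enrolment: the device signs a
// request with its own key and returns only the PEM-encoded CSR.
// sigAlgo 0 lets the x509 package choose a SHA-2 default for the key.
func DeviceCSR(key crypto.Signer, cn, org string, sigAlgo x509.SignatureAlgorithm) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: cn, Organization: []string{org}},
		SignatureAlgorithm: sigAlgo,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// hashOf maps the CSR's signature algorithm to the hash function it uses.
func hashOf(a x509.SignatureAlgorithm) crypto.Hash {
	switch a {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		return crypto.SHA1
	case x509.SHA256WithRSA, x509.SHA256WithRSAPSS, x509.ECDSAWithSHA256:
		return crypto.SHA256
	case x509.SHA384WithRSA, x509.SHA384WithRSAPSS, x509.ECDSAWithSHA384:
		return crypto.SHA384
	case x509.SHA512WithRSA, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA512:
		return crypto.SHA512
	}
	return 0
}

// ValidateCSR is the RA-side check. It returns every policy violation found;
// an empty slice means the request may go forward to approval.
func ValidateCSR(pemCSR []byte, plan ServicePlan) ([]string, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	var v []string
	// Proof of possession: the request must be signed by the private key
	// matching the public key it carries.
	if err := csr.CheckSignature(); err != nil {
		v = append(v, "proof-of-possession signature invalid: "+err.Error())
	}
	if h := hashOf(csr.SignatureAlgorithm); !plan.AllowedHash[h] {
		v = append(v, fmt.Sprintf("signature hash %v not permitted by service plan", h))
	}
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < plan.MinRSABits || bits > plan.MaxRSABits {
			v = append(v, fmt.Sprintf("RSA key size %d outside %d..%d", bits, plan.MinRSABits, plan.MaxRSABits))
		}
	case *ecdsa.PublicKey:
		permitted := false
		for _, c := range plan.ECCurves {
			if pub.Curve == c {
				permitted = true
			}
		}
		if !permitted {
			v = append(v, "ECDSA curve "+pub.Curve.Params().Name+" not permitted by service plan")
		}
	default:
		v = append(v, fmt.Sprintf("unsupported public key type %T", pub))
	}
	// Name format: CN required, O must be exactly the enterprise of the plan.
	if csr.Subject.CommonName == "" {
		v = append(v, "subject CN missing")
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != plan.Enterprise {
		v = append(v, fmt.Sprintf("subject O must be %q", plan.Enterprise))
	}
	return v, nil
}

// HasViolation reports whether any recorded violation mentions substr.
func HasViolation(v []string, substr string) bool {
	for _, s := range v {
		if strings.Contains(s, substr) {
			return true
		}
	}
	return false
}

func main() {
	plan := DefaultPlan("Example Corp")
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := DeviceCSR(key, "fw01.example.corp", "Example Corp", 0)
	v, err := ValidateCSR(csr, plan)
	fmt.Println("violations:", v, "error:", err)
}
```

A request from a device that used P-224, signed with SHA-1, or named a different organisation would be returned to the requester with the full list of problems rather than silently rejected on the first one, which keeps the operator's approval queue free of requests that can never be issued.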
ADSS Server operators are authenticated using certificates over a mutually authenticated TLS session. The operator's private key and certificate can be held on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing an operator to log in to the console, so a revoked operator certificate is refused even though it is otherwise well-formed and unexpired.
ADSS Web RA Server enables multiple operator roles to be defined, and each operator registered within the system is assigned a role. The role-based access control system gives fine-grained control over which service modules an operator can see and whether they have read, write, edit or delete capability for specific areas of functionality.
ADSS Web RA Server implements dual control in a flexible and practical way: dual control can be applied selectively, so that a second administrator must review decisions made by another system operator on specific certificate requests before they take effect.
ADSS Web RA Server is feature-rich in order to minimise IT operations time. The product provides a simple installation wizard, and the intuitive operator and user interfaces are designed to minimise training and reduce helpdesk calls. The ADSS Web RA Server upgrade process is built for easy upgrades so that customers can run the latest versions of the software.