Create a New Signing Profile

The signing profile identifies the ADSS Signing Server profile that has been configured for the SigningHub Desktop Web to create the document signatures. Based on the business requirements, you can manage (Add, Edit, and Delete) multiple signing profiles to offer different formats of signatures to your end users, including PAdES-B-LT or PAdES-B-LTA signatures, signing method, hashing algorithm, etc.

Create a new signing profile

  1. Click the 'Configurations' option from the navigation panel.

  2. Click the 'Signing Profiles' option.

  3. The 'Signing Profiles' page is displayed for you to make the necessary changes.

  4. Click theicon from the grid header.

  5. The 'Add' signing profile screen will appear to add the signing profile details. It comprises of two sections, i.e. Basic Information and Details. Specify the basic information and click the button to provide the respective signing profile details.

  6. Click the 'Create' button. A new signing profile will be saved and displayed in the list. See the table below for field descriptions.

Signing Profile

Fields

Description

Basic Information

Name

Specify a unique name for this signing profile, e.g. My SigningHub Signing. This name will be used in the Service plan configuration.

Description

Add any description related to this signing profile for your record.

Active

Select this check box to enable this signing profile for service plans configuration. Inactive profiles cannot be configured in the service plans.

Signing Method

Server-side Signing

Select this check box to enable server-side signing for this profile. Specify the signing server and profile ID information in the relevant fields. It will also provide the options to enable Remote Authorisation and Office signatures. If you do not want to allow server-side signing for your end users, deselect this check box. The "Signing Server" drop-down list displays all ADSS, eID Easy and CSC Server connectors. Select the one to use for server-side signing. Click the eye icon to view the details of the selected connector. On selection of an eID Easy or CSC connector, the "Signing Server Profile ID" field will not appear. Also, no other signing configurations will appear, i.e. Enable Remote Authorisation or Office Signatures. In the "Signing Server Profile ID" field, specify the ID or name of the profile created in the ADSS Signing Server for server-side signing, e.g. "adss:signing:profile:001" The "Signing Timeout (secs)" value is used in the HTTP request sent to the Signing Server for signing. This value is consumed while performing RAS Signing, Server Side Signing, CSC Signing, and eID Easy Signing.

  1. Server Side Signing, when selected, accepts PKCS#1 responses from all signing servers, including ADSS

  2. SigningHub produces Long Term Validation (LTV) signatures by default; this no longer requires any LTV configuration in ADSS Server signing profiles

  3. For XML signing, the same server-side signing profiles are used that are configured for document signing

  4. XML documents can be signed using USB tokens, smart cards, or server-held keys (including remote authorisation/CSC signing)

  5. SigningHub produces the "XAdES-Baseline-LTA" ETSI compliant signatures for XML documents, but for backwards compatibility with ADSS Server version 6.9 or lesser, SigningHub will produce the XAdES Extended signature on base of the key "ES-X-L" added in the web.config file.

Enable Remote Authorisation

Select this check box to enable Remote Authorised Signing (RAS). RAS allows a user to authorise a remote signature (done on the server) using their registered mobile device. The mobile device will have its own built-in (Touch ID or PIN) user authentication, so in a way, mobile usersare also getting two-factor authentication. Use the "Signing Service Profile ID" field to specify a signing profile ID against which remote signing has been enabled in the ADSS Server. The selected profile will be used to create remote signatures (done on the server) for SigningHub Desktop Web. Click the eye icon to view the details of the selected profile. Signing profiles are managed through the Signing Profiles section; see details. For the end-to-end configurations of RAS, visit Ascertia's Partner Portal to see the Configuration Guide.

Enable Office Signatures

Office signatures are the ones that are added in native Word documents. After signing, the Word document is preserved in its native format and doesn't necessarily need to be converted into a PDF. Select this check box to enable the signing of Microsoft Word files for this profile. Specify the profile ID or name that has been created in the ADSS Signing Server for Office signatures in the "Signing Service Profile ID for Office Signatures" field. If this check box is left unticked, the SigningHub won't allow Office signatures in a Word file.

Client-side (Local) Signing

Select this check box to enable client-side signing for this profile. Specify the signing server and other preferences in the fields. If you do not want to allow client-side signing for your end users, keep this check box deselected. The "Signing Server" field will display the list of ADSS Servers and T1C connectors. Select the one to use for client-side signing. Click the eye icon to view the details of the selected connector.

  1. When you select an ADSS Server connector in the "Signing Server" field, the "Go>Sign Service Profile ID" field will appear. Specify the profile ID or name that has been created in the ADSS Signing Server for client-side signing, e.g. "adss:gosign:profile:001"

Settings

Hashing Algorithm

Specify the hashing algorithm (i.e., SHA1, SHA256, SHA384 or SHA512) to create the signature.

Signature Type

Select whether PAdES-B-LT or PAdES-B-LTA signatures are required for your end users. Signature type must be the same as configured under ADSS signing profile.

Dictionary Size (KB)

Specify the signature dictionary size. When signing PDF documents, space is reserved within the document to embed the signature, called the signature dictionary. The size of the signature dictionary is directly proportional to the certificate chain to be used in the signature. The default value is set to 100 KB; however, there is a possibility that the computed signature can exceed the default dictionary size. In such a case, users may view the system message “signature dictionary size 100” KB is smaller than the expected size, e.g. “200” KB. Therefore, it is recommended to reserve an appropriate space for the signature dictionary to accommodate your certificate chain.

  1. In case PDF/A compliance is enabled in the Service Plan, then it is important to set the "Dictionary Size" to 15 KB for the Signing Profile selected in that Service Plan. In addition, based on the selection made in the "Signature Type" field of such a Signing Profile, you need to make the following configurations in the ADSS Server.

    • In case "PAdES-B-LT" is selected in the "Signature Type" field, then configure the validation policy as OCSP for the whole certification chain under "Trust Manager" in the ADSS Server.

    • In case "PAdES-B-LTA" is selected in the "Signature Type" field, then set validation policy to any available value (i.e. CRL/OCSP) as the revocation information is kept in DSS.

Signature Enhancement Connector

Signature enhancement connector facilitates a System Admin to configure a separate timestamp server (i.e. Ascertia ADSS Server), which can be independent of signing server being used for signing. This dropdown displays the list of ADSS Server connectors (i.e. those connectors which has 'ADSS Server' set as a 'Provider'), and is used for the time stamp. The signature enhancement connector appears for both signature types (i.e. PAdES-B-LT and PAdES-B-LTA signatures) and uses this enhancement connector for both signature and document timestamp. This is applicable for all types of signing, including Server Side Signing (for ADSS Server), Client-Side Signing (for ADSS Server), T1C Signing, and CSC Signing.

Signature TimeStamp Policy ID

Specify the Signature TimeStamp Policy ID that must be the same as configured under Ascertia ADSS Server for TimeStamp Authority Profile. The Signature TimeStamp will be performed using the configured TimeStamp Authority Profile matching the TSA Policy ID at signing time. TSA profile information will be embedded within the document to identify the TimeStamp Profile used by the signatory. Policy ID value must be in the following format: 1.2.3.4.5

  1. If there is no TimeStamp Policy ID is provided, then it will use the Default TimeStamp Authority Profile configured under the Ascertia ADSS Server.

Document TimeStamp Policy ID

Specify the Document TimeStamp Policy ID that must be the same as configured under Ascertia ADSS Server for TimeStamp Authority Profile. The Document TimeStamp will be performed using the configured TimeStamp Authority Profile matching the TSA Policy ID at signing time. TSA profile information will be embedded within the document to identify the TimeStamp Profile used by the signatory. Policy ID value must be in the following format: 1.2.3.4.5

  1. If there is no TimeStamp Policy ID is provided, then it will use the Default TimeStamp Authority Profile configured under the Ascertia ADSS Server.

PreviousSigning ProfilesNextEdit a Signing Profile

Last updated