Configuring public URLs of AIA and CDP addresses if ADSS Server is running in MZ

AIA -> OCSP Responder

If ADSS Server is running in the MZ (Militarized Zone) and AIA (OCSP) requests arriving at the DMZ (Demilitarized Zone) machine must be redirected to it, follow these instructions:

  1. Create a website (e.g. http://ocsp.ascertia.com) in IIS on the MZ machine and set its Physical Path to C:\inetpub\wwwroot
  2. Configure the AJP Connector for this website as documented in Appendix A of the SigningHub Installation Guide
  3. Go to the C:\tomcat_iis_connector\conf directory and edit the file so that worker2 is mapped as /*=worker2 instead of adss/*=worker2 (every URI of this site, not only the adss path, is then forwarded to ADSS Server)
  4. Edit the file and set the value of and to your ADSS Server machine name/IP instead of localhost
  5. Restart the IIS service and open the website in a browser. If it shows the blue page as below, the configuration is correct; send an OCSP request to double-check it

CDP and AIA -> CA Cert

If ADSS Server is running in the MZ (Militarized Zone) and CDP requests arriving at the DMZ (Demilitarized Zone) machine must be redirected to it, follow these instructions:

  1. Create a directory on the MZ machine's file system (e.g. C:\data) and grant Read permission on it to the IUSR user
  2. Create a website (e.g. http://downloads.ascertia.com) in IIS on the MZ machine and set its Physical Path to C:\data
  3. Create two directories under C:\data: C:\data\crls and C:\data\certs
  4. Share the C:\data\crls directory over the network and configure the shared path (e.g. \\mz-server\data\crls) in the Manage CAs > Local CAs module for the respective CA, so that its CRLs are published to this path
  5. Run the ADSS Server Console and Core services under a Windows user who has write access to this shared path (e.g. administrator). Prefer a dedicated service account whose only extra right is write access to the share over a built-in administrator account.
  6. After the services restart, publish the CRLs from the Manage CAs > Local CAs module; the CRLs will be written to the shared directory (e.g. \\mz-server\data\crls)
  7. Put the issuer certificates in the C:\data\certs directory
  8. Access the CRL and certificate URLs from the internet to check that they are working (e.g. and

CRL is not publishing for the Local CA [current and new CRL numbers are same]

This situation arises when a database update failed while the last CRL was being published: the CRL number stored in the database was not advanced, so the next CRL is generated with the same CRLNumber as the current one. ADSS Server rejects it because a new CRL's CRLNumber must be greater than the current one, and logs an error like the following in core.log:

core.log error

[CA Name] CRL invalid because new CRL's CRLNumber '5' is not greater than the current CRL's CRLNumber '5'
Failed to update CRL in database : CRL invalid because new CRL's CRLNumber '5' is not greater than the current CRL's CRLNumber '5'

Follow these steps to resolve this issue:

  1. Back up the ADSS Server database, then connect to it and execute the following SQL query. Replace [**new CRL number] with the next CRL number (6 in this example) and [CA name from Manage CAs > Local CAs] with the name of the affected CA:

  2. Go to Manage CAs > Local CAs
  3. Click the name of the CA for which the problem is occurring, then click the Publish CRL Now button; the CRL will be published with the next CRL number
  4. Restart ADSS Server Core from the Server Manager module for the changes to take effect
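To make the rule behind this error concrete, here is an added example (not ADSS Server code): a pure-stdlib Python check that reads the CRLNumber and thisUpdate from DER-encoded CRLs and refuses a candidate whose CRLNumber does not strictly exceed the current one, producing the same message as the core.log line above. The two sample CRLs are constructed inside the block and are unsigned, so they serve illustration only; the issuer name "Sample CA" and the dates are assumptions. In practice you would feed it the CRL last published by ADSS Server and the one it is about to publish.

```python
"""Replay of the CRLNumber check: a new CRL may only replace the current one
if its CRLNumber is strictly greater. Added example, not ADSS Server code.
Pure stdlib: a minimal DER reader, plus an encoder used only to construct
small UNSIGNED sample CRLs inline (the signature bytes are dummies)."""
import datetime

CRL_NUMBER_OID = bytes.fromhex("551d14")              # 2.5.29.20 id-ce-cRLNumber
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
CN_OID = bytes.fromhex("550403")                      # 2.5.4.3 commonName

# ---- DER encoding (only to build the constructed samples) -------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_uint(v):
    """DER INTEGER for a non-negative value (a leading 0x00 keeps the sign bit clear)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def build_sample_crl(crl_number, this_update="240101120000Z"):
    """Constructed v2 CRL for 'CN=Sample CA' carrying a CRLNumber extension; not signed."""
    alg = tlv(0x30, tlv(0x06, SHA256_RSA_OID) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, b"Sample CA"))))
    ext = tlv(0x30, tlv(0x06, CRL_NUMBER_OID) + tlv(0x04, der_uint(crl_number)))
    tbs = tlv(0x30, der_uint(1) + alg + issuer + tlv(0x17, this_update.encode())
              + tlv(0xA0, tlv(0x30, ext)))                # crlExtensions [0] EXPLICIT
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 5))  # dummy BIT STRING signature

# ---- DER decoding ------------------------------------------------------------
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def _tbs_fields(crl_der):
    _, cert_list, _ = read_tlv(crl_der)
    return children(children(cert_list)[0][1])            # tbsCertList is the first element

def crl_number(crl_der):
    """CRLNumber from the crlExtensions [0] field, or None if the extension is absent."""
    fields = _tbs_fields(crl_der)
    if not fields or fields[-1][0] != 0xA0:
        return None
    for _, ext in children(children(fields[-1][1])[0][1]):
        parts = children(ext)                             # OID, [critical BOOLEAN], OCTET STRING
        if parts[0][1] == CRL_NUMBER_OID:
            _, num, _ = read_tlv(parts[-1][1])            # OCTET STRING wraps an INTEGER
            return int.from_bytes(num, "big")
    return None

def this_update(crl_der):
    fields = _tbs_fields(crl_der)
    i = 1 if fields[0][0] == 0x02 else 0                  # optional version INTEGER
    tag, val = fields[i + 2]                              # after signature and issuer
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(val.decode("ascii"), fmt)

def accept_new_crl(current_der, new_der):
    """(ok, reason): the rule behind the core.log error quoted above."""
    cur, new = crl_number(current_der), crl_number(new_der)
    if new is None:
        return False, "new CRL has no CRLNumber extension"
    if cur is not None and new <= cur:
        return False, (f"CRL invalid because new CRL's CRLNumber '{new}' is not greater "
                       f"than the current CRL's CRLNumber '{cur}'")
    if this_update(new_der) < this_update(current_der):
        return False, "new CRL's thisUpdate is earlier than the current CRL's"
    return True, "ok"

if __name__ == "__main__":
    current = build_sample_crl(5)
    for candidate in (build_sample_crl(5), build_sample_crl(6)):
        print(crl_number(candidate), accept_new_crl(current, candidate))
```

Running the block as a script shows the rejection for the repeated number 5 and the acceptance for 6, which is exactly what the SQL fix above restores: once the stored number is advanced, the next generated CRL passes this check.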

What is meant by an external CA? 

The term "External CA" refers to any CA operated by an externally managed certificate service provider that issues certificates for business applications or RA-managed services. ADSS Server supports external CAs such as Microsoft CA Server 2003, GlobalSign EPKI, EJBCA, Ascertia ADSS CA Server and an offline external CA. Integration with other CAs is also possible because ADSS Server uses standard data structures for certificate requests and responses, i.e. PKCS#10 for certificate requests and PKCS#7 for certificate responses. See Manage CAs > Configure External CA for more details.


Microsoft CA Server 2008 and 2012 are not supported.

How to replace an existing local CA?

Once a local CA has been used to issue certificates, ADSS Server restricts deleting it, because the CA remains responsible for publishing CRLs (revocation information) for those certificates as well as for issuing new ones. There are, however, business scenarios that require replacing a previously configured CA with a new one, e.g.:

  • The previously configured CA was used for evaluation purpose, and needs to be replaced before moving into production.
  • The old CA key has been compromised, so its usage should be discontinued.
  • The existing CA is about to expire. So there is a requirement to add a new CA in place of an existing CA, without extending the license.


  1. Browse the Key Manager > Service Keys module and create a new key with the purpose "Certificate/CRL Signing" and self-certify it, or re-certify an existing key with the same purpose.
  2. Browse the Manage CAs > Configure Local CA(s) module and edit the details of the local CA that is to be replaced.
  3. From the "CA Certificate Info" area, change the certificate for this local CA in the "CA Certificate" drop down. Select the new certificate from the list which was created through step 1.
  4. Click the "Update" button to save the changes.

Important Considerations

  • If the CA is renewed with the same details (e.g. Subject Information and key pair), all certificates previously issued by this CA remain valid.
  • If a new key is used to sign the CA certificate, all certificates previously issued by this CA become invalid: their signatures were made with the old key and no longer verify against the new CA certificate.
  • The CA that has been marked as "Default" can not be deleted.

How to import a CA and its issued certificates into ADSS Server?

If you need to import a CA and its issued certificates into ADSS Server, follow these instructions:

  1. If the CA key is held in a Hardware Crypto Device:
    1. Configure that device in ADSS Server.
    2. Import the key from the device into ADSS Server.
  2. If the CA key is held in software (PKCS#12), import the key into ADSS Server from the Key Manager module.
  3. Configure this CA key in the Manage CAs module.
  4. Go to Manage CAs > Configure Local CAs, select the CA and click the Issued Certificates button as shown below:

  5. On the Issued Certificates page, click the Import Certificates button to import the issued certificates of the CA as shown below:

  6. Browse to the certificate details file in the Certificates Detail File Path field and to the zipped certificates in the Certificates Zip File Path field.

    The certificate details file must be a CSV in the following format:

  7. Click OK to complete the action.
  8. To import a CRL, go to the Manage CAs > Configure Local CAs sub-module, select the CA and click the View CRLs button as shown below:

  9. Now click the Import CRL button as shown below:

  10. Browse to the latest CRL for this CA on the file system as shown below:

  11. Click OK to proceed.
  12. See how to configure the CRL publishing settings for this CA

How to configure a Microsoft CA with ADSS Server?

This section describes how business applications can register users, have ADSS Server generate keys and then have an external Microsoft CA certify these.

This section describes the steps required to configure the ADSS Server certification module (ADSS_msca) within Internet Information Services (IIS) on the Windows 2003 CA server so that this CA can be used by the ADSS Server Certification Service.

For installation and configuration of Windows 2003 Certification Authority (CA) itself, consult the separate ADSS – Microsoft CA 2003 Installation & Configuration Manual.

The Microsoft .NET Framework must be installed on the target server in order to run the ADSS_msca module.

Configuration of ADSS_MSCA module in IIS:

The following steps are required to configure the ADSS_msca module with IIS:

  • Unzip and extract the "" contents into a folder, e.g. "C:\ADSS_msca". This module is located at "<ADSS Server installation directory>/support". ADSS_msca is an ASP.NET application that acts as middleware between ADSS Server, which requests certificates, and the Windows 2003 CA, which accepts these certificate requests and generates the corresponding certificates.
  • Click the "Start" button > Control Panel > Administrative Tools > Internet information Services Manager (IIS). The Internet Information Services window opens.
  • Expand Web Sites (as shown below):

  • Right-click Default Web Site > New > Virtual Directory. The Virtual Directory Creation Wizard pops up; click "Next" to start:

  • On the next screen, type alias "ADSS_msca" and click the "Next" button:

  • Browse "C:\ADSS_msca" for the contents to publish for this virtual directory and click OK to select the path. Click Next to complete the procedure, when done click Finish in next window to complete virtual directory creation wizard.

  • Right-click the "ADSS_msca" virtual directory in IIS, click Properties and change the Execute permissions to "Scripts only", then click OK:

  • Restart Microsoft Internet Information Services.

Configuring ADSS_msca module to work with Windows 2003 CA Server:
The following steps are needed to use the Windows 2003 CA server with ADSS Server; they are performed on the machine where the CA is installed:
  • Make sure Microsoft Windows .NET framework runtime v1 or greater is installed on the machine where Windows 2003 CA server is deployed.
  • Click the "Start" button in task bar and then click "Run" and type "C:\windows\system32\certsrv\" and copy the value of "ServerConfig" global state.

  • Edit C:\ADSS_msca\Web.config (extracted in the first step above) and paste the copied value into the add tag as the value of the key "CertificateServer". The value has the form <CA host name>\<CA common name>; e.g. if it is "W2K-BSPSIGN.AD.Test.UK\Test CA", the add tag in Web.config looks like this:

    <add key="CertificateServer" value="W2K-BSPSIGN.AD.Test.UK\Test CA" />
  • Save and close this file.
  • Restart the IIS service


  • The Windows 2003 CA server can be installed on the same machine where ADSS Server is running.
  • Before ADSS Server sends any requests, change the policy module inside the Windows 2003 CA server to issue certificates automatically. Restart the CA service if this setting is updated. Because the CA will then issue without operator approval, restrict access to the ADSS_msca virtual directory in IIS (e.g. with IP address restrictions) so that only the ADSS Server host can reach it.
  • Configure the ADSS certification policy to point to this web application running on IIS so that ADSS Server can connect to the Windows 2003 CA server. This is described in the ADSS Admin Manual.

How to configure DigiCert PKI External CA with ADSS Server?

DigiCert PKI can be configured with ADSS Server to act as an External CA. Configuration of DigiCert PKI with ADSS Server can be divided into two main sections:

  • Generation of API key on DigiCert PKI Platform 
  • Configure DigiCert PKI in ADSS Server

Each of these are explained below:

Generate API Key on DigiCert PKI Platform:

An API Key must first be generated on the DigiCert PKI admin portal; it is later referenced in the ADSS Server configuration. Follow these instructions to generate the API Key:

  1. Access the PKI Manager admin portal; you will see a Settings icon (in blue) at the bottom of the screen:

  2. Clicking the Settings icon shows the following options:

  3. Clicking the Manage API Key link leads to the screen where the required API Key can be created:

  4. Clicking the Add api key link at the top of the screen shows the following options:

  5. Set a Friendly name for the API key for easy recognition and click Save; this saves the name and generates the API Key, which is displayed on the screen as shown below:

  6. Copy the API Key as soon as it is generated, since the operator will not be able to view it again, and store it as a secret. This API Key is used when configuring DigiCert in ADSS Server under the Manage CAs module.

  7. ADSS Server uses this API Key to create, renew and revoke certificates on the DigiCert PKI CA, so treat it as a credential with that power.

Configure DigiCert PKI in ADSS Server:

Once an API Key has been generated on the DigiCert PKI Platform, it can be referenced within ADSS Server. To configure DigiCert PKI in ADSS Server, follow these instructions:

  1. Launch a web browser and open the URL (https://[Host Machine]:8774/adss/console) to access the ADSS Server Console

    1. The browser prompts for the TLS client authentication certificate

    2. Select the relevant certificate and press "OK" to log in to the ADSS Server Console (provide the admin PFX password if prompted, as required by your security policy)
  2. Navigate to the Trust Manager screen and register the DigiCert High Assurance EV Root CA and the DigiCert SHA2 Extended Validation Server CA, one by one, by following these instructions:


    1. Press the New button; the following screen is displayed:

    2. Press the Choose File button (or the Browse button, if Choose File does not appear) and select the [Certificate File]

    3. Enable the option "CA (will be used to verify other certificates and CRLs)" and then click "Next"

    4. Complete the rest of the wizard with the default options and click the "Save" button on the last screen

  3. Restart the ADSS NT Services or Linux daemons.

  4. Navigate to the Manage CAs > External CAs screen:


  5. Click the New button and fill in the following details:

  6. Select DigiCert PKI as the External CA in the CA Type drop-down. Once selected, enter the credentials of the selected External CA in the respective fields, as explained below:

    1. Enter the CA Alias, an operator-defined unique name for easy management of certificate authorities within ADSS Server.

    2. Select the issuing CA, DigiCert SHA2 Extended Validation Server CA, in the CA Certificate field; it was registered in Trust Manager in step 2.

    3. Specify in the CA Address field the URL at which this CA accepts certificate request messages.

    4. Specify in the API Key field the API Key generated by the operator on the DigiCert PKI admin portal.

    5. Select in the Profile drop-down the profile configured on the DigiCert PKI admin portal.

  7. Click the "Save" button to save the changes