What is DSS?
DSS is GlobalSign’s highly scalable, cloud-based Digital Signing Service. DSS is available through a RESTful API, allowing anyone with a DSS Account (and credentials for authentication) to submit hash values for signature. The signature information returned from DSS is based on information that has been verified by GlobalSign. DSS returns signed hash values; when those are embedded correctly into documents (for example .pdf), a publicly trusted signature will be rendered, guaranteeing the integrity of the document and authenticity of the signature. DSS can also return timestamp tokens, which can be embedded into the signature to verify the time of signing and secure the document with Long Term Validity (LTV).
DSS in itself provides the cryptographic core components for your digital signatures based on trusted identities. However, for the most common use case, document signatures, a few other steps are necessary.
A document that should be digitally signed needs to be submitted through the DSS API as a hash value. Hashing the document has to be done on the client side, either by leveraging a compatible digital signature application or by setting up and possibly writing a properly configured application.
The signed hash and timestamp tokens returned by DSS need to be embedded into the document. Once again, this has to be done on the client side, either by leveraging a compatible digital signature application or by setting up and possibly writing a properly configured application.
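The two client-side steps above (hash before submitting, embed after signing), shown for a PDF as an added example that is not GlobalSign code. It assumes the /ByteRange and /Contents layout from the PDF specification, which this page does not describe; the sample document is a constructed stand-in and the function names are hypothetical.

```python
import hashlib
import re

PLACEHOLDER = b"<" + b"0" * 64 + b">"   # space reserved for the returned signature

def build_sample(body: bytes) -> bytes:
    """Constructed stand-in for a PDF prepared for signing (not a full PDF)."""
    head = b"%PDF-1.7\n" + body + b"\n<< /Type /Sig /ByteRange ["
    mid = b"] /Contents "
    tail = b" >>\n%%EOF\n"
    gap_start = len(head) + 43 + len(mid)   # 43 = four 10-digit fields + 3 spaces
    gap_end = gap_start + len(PLACEHOLDER)
    byte_range = b"%010d %010d %010d %010d" % (0, gap_start, gap_end, len(tail))
    return head + byte_range + mid + PLACEHOLDER + tail

def signed_digest(pdf: bytes) -> str:
    """SHA-256 over the two signed ranges; rejects layouts that leave bytes uncovered."""
    m = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    o1, l1, o2, l2 = (int(x) for x in m.groups())
    if o1 != 0 or o2 + l2 != len(pdf):
        raise ValueError("ByteRange does not span the whole file")
    if not re.fullmatch(rb"<[0-9A-Fa-f]*>", pdf[o1 + l1:o2]):
        raise ValueError("unsigned gap is not exactly the /Contents hex string")
    h = hashlib.sha256()
    h.update(pdf[o1:o1 + l1])
    h.update(pdf[o2:o2 + l2])
    return h.hexdigest()

def embed(pdf: bytes, signature: bytes) -> bytes:
    """Write the returned signature into the placeholder without moving any byte."""
    hex_sig = signature.hex().encode()
    room = len(PLACEHOLDER) - 2
    if len(hex_sig) > room:
        raise ValueError("signature larger than the reserved placeholder")
    start = pdf.index(PLACEHOLDER)
    end = start + len(PLACEHOLDER)
    return pdf[:start] + b"<" + hex_sig.ljust(room, b"0") + b">" + pdf[end:]
```

Only the digest leaves the client. Because embedding overwrites the placeholder in place, the digest computed before signing still matches the final file, while any byte added outside the signed ranges is rejected.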
For further questions on how to use DSS to its full extent, please contact our Sales team: https://www.globalsign.com/en/company/contact
How does DSS share a private key with end users?
DSS does not provide private keys to end users. Instead, a private key is created when the /identity API call is used, together with a certificate containing the requested subject information (as long as it is within the validation policy). This private key is then used to sign the SHA-256 hash submitted with the sign API call. The signed hash is then part of the API response, but the private key never leaves the secure GlobalSign environment.
Are signatures produced by DSS AATL trusted?
As many GlobalSign CAs are part of the Adobe Approved Trust List (AATL), all certificates issued by, or building a chain to, any of those CAs will be trusted in Adobe products or any software using the AATL as a trust store.
How can I sign up for DSS?
Depending on the way you intend to consume DSS, the registration process may vary. Since May 2020, we have started to offer the Atlas Portal to DSS customers, allowing set up and management of DSS subscriptions through a web-based GUI. However, the onboarding process may vary depending on your use case. Either way, your best option is to reach out to one of our local Sales teams, who will gladly assist you: https://www.globalsign.com/en/company/contact.
How do I set up DSS?
Setting up DSS works differently depending on whether or not you're using the Atlas Portal.
If you signed up for DSS using the Atlas Portal:
Setting up DSS through the Atlas Portal works through a few simple steps.
1. Log in with your Atlas Portal Login Credentials
2. Navigate to the "Services" section in your account and purchase a signature subscription.
3. Navigate to the "Identity" section in your account and submit an identity for Vetting. Note: The information submitted for Vetting is what will be used for your signatures later on. Make sure it matches whatever you want to present with your signature.
4. Navigate to the "API Credentials" section in your account and create a new set of credentials. You'll be asked to associate a service and an identity, which is why Steps 1 and 2 are prerequisites. Once the API credentials are created, they are displayed and available for download. Important Note: This is the only time the API secret is available. Make sure you make a backup of it and store it securely. Unintended disclosure of your API Key and Secret may allow unauthorized parties to sign documents in your name.
5. Navigate to the "mTLS Certificate" section in your account and create an mTLS certificate. You'll have to submit a CSR in order to do so. Follow the instructions on the page and you will end up with a file that can be used for mTLS authentication against the DSS API. For help with creating a CSR, see also here: https://support.globalsign.com/ssl/ssl-certificates-installation/certificate-signing-request-csr-overview.
If you signed up for DSS, but are not using the Atlas Portal:
If you signed up for DSS but aren't using the Atlas Portal, you've been in touch with a Sales representative and possibly a Sales Engineer. They will initiate the manual creation of your DSS Account (including the Subscription of signatures, vetted Identity, mTLS Certificate and API credentials). You will need to submit a public key. Once your DSS Account has been created, we will send you your mTLS Certificate and encrypted API credentials. To complete the setup process, follow these instructions: https://support.globalsign.com/ssl/api-plugins/how-obtain-globalsign-restful-api-account-credentials
How can I manage DSS?
Managing DSS works differently depending on whether or not you're making use of the Atlas Portal.
Atlas Portal Users:
Managing your Service subscription, identities, API credentials or mTLS certificates can all be done via the Atlas Portal. Log in to your account and navigate to the corresponding section. If the functionalities of the portal don't cover your requirements, you may use the built-in button on the right to request additional support.
Non Portal Users:
Please contact the account manager or Sales Engineer who assisted you in setting up your account. You can also reach out to our Support team: https://www.globalsign.com/en/company/contact
Below are the default rates for a DSS Account. (Note: Default rates can be adjusted, depending on use case and requirements.)
Signature Rate Limit: 5/second
Timestamping Rate Limit: 5/second
Identity creation (issuance): 1/second
Signature Subscription: Your signature subscription quota depends on the number of signatures that have been purchased through the Atlas Portal (or manual onboarding process). A signature subscription is valid for one year, meaning that from the date of Account setup you have 365 days to consume the maximum number of signatures associated with your DSS subscription.
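A client can stay under the per-second limits above by pacing its own requests. The following is an added example, not GlobalSign code: the operation labels and class name are hypothetical, and it assumes the service counts requests per one-second window, which this page does not specify.

```python
import collections
import time

# Default DSS rates from the list above (requests per second); keys are hypothetical labels.
DEFAULT_RATES = {"sign": 5, "timestamp": 5, "identity": 1}

class Pacer:
    """Allows at most rates[op] calls to `op` within any one-second window."""

    def __init__(self, rates=None, clock=time.monotonic, sleep=time.sleep):
        self.rates = dict(rates or DEFAULT_RATES)
        self.clock, self.sleep = clock, sleep
        self.sent = {op: collections.deque() for op in self.rates}

    def _wait_needed(self, op):
        now, sent = self.clock(), self.sent[op]
        while sent and now - sent[0] >= 1.0:    # forget calls older than the window
            sent.popleft()
        if len(sent) < self.rates[op]:
            return 0.0
        return 1.0 - (now - sent[0])            # time until the oldest call expires

    def acquire(self, op):
        """Block until a call to `op` is allowed; returns the seconds spent waiting."""
        if op not in self.rates:
            raise ValueError("unknown operation: %r" % op)
        waited = 0.0
        delay = self._wait_needed(op)
        while delay > 0:
            self.sleep(delay)
            waited += delay
            delay = self._wait_needed(op)
        self.sent[op].append(self.clock())
        return waited

def batch_delay(op, count, rates=None):
    """Enforced waiting, in seconds, for `count` back-to-back calls (virtual clock)."""
    t = [0.0]
    pacer = Pacer(rates, clock=lambda: t[0],
                  sleep=lambda s: t.__setitem__(0, t[0] + s))
    return sum(pacer.acquire(op) for _ in range(count))
```

Call `Pacer().acquire("sign")` before each signing request in production code; pass adjusted rates if your account's limits differ from the defaults.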
I am getting an error message saying "Quota limit reached", what should I do?
This error message is only relevant for non Portal users and it means that you have reached the signature subscription (or timestamping) quota that you previously purchased. You can check the usage of signatures and timestamps by using the API calls counters/signatures or counters/timestamps respectively. Note: If you are using the Atlas Portal, you can check signature usage on the "Service tile". Atlas Portal users also have a signature overage concept built-in, where you can exceed your signature quota and begin to pay per signature.
Do customers need to go through identity verification to use DSS?
As a publicly trusted CA, GlobalSign serves as a "trust anchor". Any digital identity signed as valid by GlobalSign will be displayed as valid by most software and applications. Therefore, GlobalSign will have to verify the identity of your organization before activating your DSS Account.
What signing identities does DSS Support?
DSS currently supports signing with employee or organization/department-level identities. Depending on the setup of your DSS account, the Common Name (the name that will be displayed together with your signature) for your signatures is either fixed or can be dynamically applied by submitting a /identity API call and then referencing that identity when using /sign.
Atlas Portal Users:
Navigate to the "API Credentials" tab in your account and create a new set of credentials. You'll be once again asked to associate a service and an identity. Once the API credentials are created, they are displayed and available for download.
Non Portal Users:
Please contact the account manager or Sales Engineer who assisted you in setting up your account. Or you can reach out to our Support team: https://www.globalsign.com/en/company/contact
I have trouble decrypting my API credentials (non portal users):
Non portal users that receive an encrypted file from GlobalSign, containing the API credentials, can refer to the following guide: https://support.globalsign.com/ssl/api-plugins/how-obtain-globalsign-restful-api-account-credentials
Note: This is not relevant for Atlas Portal users.
What is an mTLS Certificate?
The mTLS (Mutual TLS) certificate is used to authenticate to GlobalSign's DSS API. It's a regular X.509 Client Certificate enabled for Client Authentication, and serves as a second factor in authenticating against our DSS API.
Atlas Portal Users:
Navigate to the "mTLS Certificate" section in the Atlas Portal. In order to have your mTLS certificate created, you'll have to submit a CSR. Follow the instructions on the page and you will end up with a file that can be used for mTLS authentication against the DSS API. For help with creating a CSR, see this guide: https://support.globalsign.com/ssl/ssl-certificates-installation/certificate-signing-request-csr-overview.
Non Portal Users:
You'll need to create a key pair and send us your public key during onboarding. GlobalSign will then supply you with an mTLS Certificate based on your public key. You will need to use this Certificate to access our APIs, along with the encrypted API credentials.
You can view more information in this support article: How to Obtain GlobalSign RESTful API Account Credentials
Note: If you use one of GlobalSign’s existing DSS integrations with a signing application such as Adobe Sign or DocuSign, you won't need an mTLS Certificate.
How long are mTLS Certificates valid for?
The initial mTLS Certificates provided to customers were valid for 1 year. Since 2019, newly issued mTLS Certificates are valid for 5 years.
How do I renew my mTLS Certificate?
Atlas Portal Users:
There's currently no real functionality to "renew" an mTLS certificate. The creation of a new mTLS certificate is sufficient. Navigate to the "mTLS Certificate" section in the Atlas Portal. In order to have your mTLS certificate created, you'll have to submit a CSR. Follow the instructions on the page and you will end up with a file that can be used for mTLS authentication against the DSS API. For help with creating a CSR, see this guide: https://support.globalsign.com/ssl/ssl-certificates-installation/certificate-signing-request-csr-overview.
Non Portal Users:
Contact your Sales Engineer or Account Manager to renew your mTLS Certificate. To renew, you can choose to use the previous public key or you can provide us with a new public key.
What is the difference between Signing and Certifying?
Digital Signatures are sometimes called approval signatures and expedite an organization's approval procedure by capturing the approvals made by individuals or departments and embedding them within the actual PDF. They do exactly what the name implies: prove that you and/or other signers have approved the content of the document.
Certifying a document is sometimes referred to as sealing the document. Unlike approval signatures mentioned above, you can only certify a document once and you cannot certify if the document already has a digital signature. This means certifying is usually done by the author or creator of the document, before it's published or sent for additional signatures or form fill-ins.
Note: As of now, you can only certify using Adobe Acrobat. Adobe Reader doesn't support this function. For more information, please see our AATL Document Signing FAQs: https://support.globalsign.com/aatl-document/aatl-document-signing-faqs
What leading document workflow platforms is DSS currently integrated with?
GlobalSign’s Digital Signing Service is already integrated with leading document workflow providers including Adobe Sign and DocuSign. This provides customers with an easy way to add legally accepted and publicly trusted digital signatures to Adobe Sign and DocuSign workflows. Once an organization’s DSS account is set up, employees can start digitally signing within these applications.