Feb 21, 2024

DSS FAQs

Frequently Asked Questions

General DSS Questions

What is DSS?

DSS is GlobalSign’s highly scalable, cloud-based Digital Signing Service. DSS is available through a RESTful API, therefore allowing anyone with a DSS Account (and credentials for authentication) to submit hash values for signature. The signature information returned from DSS is based on information that has been verified by GlobalSign. DSS will return signed hash values, and when those are embedded correctly into documents (for example .pdf) a publicly trusted signature will be rendered, guaranteeing the integrity of the document and the authenticity of the signature. DSS can also return timestamp tokens, which can be embedded into the signature to verify the time of signing and secure the document with Long-Term Validity (LTV).

Can I sign documents with DSS alone?

DSS in itself provides the cryptographic core components for your digital signatures based on trusted identities. However, for the most common use case of document signatures, a few other steps are necessary.

A document that should be digitally signed needs to be submitted through the DSS API as a hash value. Hashing the document has to be done on the client side, either by leveraging a compatible digital signature application or by setting up and possibly writing a properly configured application.
The signed hash and timestamp tokens returned by DSS need to be embedded into the document. Once again, this has to be done on the client side, either by leveraging a compatible digital signature application or by setting up and possibly writing a properly configured application.
For further questions on how to use DSS to its full extent, please contact our Sales Team at: https://www.globalsign.com/en/company/contact

How does DSS share a private key to end user?

DSS does not provide private keys to end users. Rather than that, a private key is created when the /identity API call is used, together with a certificate containing the requested subject information (as long as those are within the validation policy). This private key is then used for the signature of the SHA-256 hash submitted with the sign API call. The signed hash is then part of the API response, but the private key never leaves the secure GlobalSign environment.

Are signatures produced by DSS AATL trusted?

As many GlobalSign CAs are part of the Adobe Approved Trust List (AATL), all certificates issued by or building a chain to any of those CAs will be trusted in Adobe Products or any software using the AATL as a trust store.

How can I sign up for DSS?

Depending on the way you intend to consume DSS, the registration process may vary. Since May 2020, we have started to offer the Atlas Portal to DSS customers, allowing the set-up and management of DSS subscriptions through a web-based GUI. However, the onboarding process may vary depending on your use case. Either way, your best option is to reach out to one of our local Sales Team, who will gladly assist you: https://www.globalsign.com/en/company/contact.

How do I set up DSS?

Setting up DSS through the Atlas Portal involves a few simple steps.

1. Log in with your Atlas Portal Login Credentials.
2. Navigate to the Dashboard, accept the Quote sent by Sales about your “DSS Product Pack", and complete the process.
3. Navigate to ‘Product Packs’ to see your Product Pack purchased list.
4. Navigate to ‘Products’ to see your active services and its information.
5. Navigate to the "API Credentials" section in your account and create a new set of credentials. You'll be asked to associate a service and an identity, which is why Steps 1 and 2 are prerequites. Once the API credentials are created, they are displayed and available for download.                             
   Note: This is the only time the API secret is available. Make sure you make a backup of it and store it securely. Unintended disclosure of your API Key and Secret may allow unauthorized parties to sign documents in your name.
6. Navigate to the "mTLS Certificate" section in your account and create an mTLS certificate. You'll have to submit a CSR in order to do so. Follow the instructions on the page, and you will end up with a file that can be used for mTLS authentication against the DSS API. For help with creating a CSR, see also here: https://support.globalsign.com/ssl/ssl-certificates-installation/certificate-signing-request-csr-overview. 

How can I manage DSS?

Managing DSS works differently depending on whether or not you're making use of the Atlas Portal.

Atlas Portal Users:

Managing your Service subscription, identities, API credentials, or mTLS certificates can all be done via the Atlas Portal. Log in to your account and navigate to the corresponding section. If the functionalities of the portal don't meet your requirements, you may use the built-in button on the right to request additional support.

Non-Portal Users:

Please contact the account manager or Sales Engineer who assisted you in setting up your account. You can also reach out to our Support Team at: https://www.globalsign.com/en/company/contact

Questions related to the Service and Quotas

What are the default signing limits for DSS?

Below are the default rates for a DSS Account. (Note: Default rates can be adjusted, depending on use case and requirements.)

Signature Rate Limit: 5/second

Timestamping Rate Limit: 5/second

Identity creation (issuance): 1/second

Signature Subscription: Your signature subscription quota depends on the number of signatures that has been purchased through the Atlas Portal (or manual onboarding process). A signature subscription is valid for one year, meaning, from the date of Account setup, you have 365 days to consume the maximum number of signatures associated with your DSS subscription.

I am getting an error message saying "Quota limit reached", what should I do?

This error message is only relevant for non Portal users and it means that you have reached the signature subscription (or time stamping) quota that you previously purchased. You can check the usage of signatures and timestamps by using the API calls counters/signatures or counters/timestamps respectively.

        Note: If you are using the Atlas Portal, you can check signature usage on the "Service tile". Atlas Portal users also have a signature overage concept           built-in, where you can exceed your signature quota and begin to pay per signature.

Do customers need to go through identity verification to use DSS?

As a publicly trusted CA, GlobalSign serves as a "trust anchor". Any digital identity signed as valid by GlobalSign will be displayed as valid by most software and applications. Therefore, GlobalSign will have to verify the identity of your organization before activating your DSS Account.

What signing identities does DSS Support?

DSS currently supports signing with employee or organization/department-level identities. Depending on the setup of your DSS account, the Common Name (the name that will be displayed together with your signature) for your signatures is either fixed or can be dynamically applied by submitting a /identity API call and then referencing that identity when using /sign.

Questions related to API Credentials

I've lost my API credentials, what do I do?

Atlas Portal Users:

Navigate to the "API Credentials" tab in your account and create a new set of credentials. You'll be once again asked to associate a service and an identity. Once the API credentials are created, they are displayed and available for download.

Non Portal Users:

Please contact the account manager or Sales Engineer who assisted you in setting up your account. Or you can reach out to our Support team: https://www.globalsign.com/en/company/contact

I have trouble decrypting my API credentials (non portal users):

Non portal users that receive an encrypted file from GlobalSign, containing the API credentials, can refer to the following guide: https://support.globalsign.com/ssl/api-plugins/how-obtain-globalsign-restful-api-account-credentials

Note: This is not relevant for Atlas Portal users.

Other Questions

What is the difference between Signing and Certifying?

Digital Signatures are sometimes called approval signatures and expedite an organization's approval procedure by capturing the approvals made by individuals or departments and embedding them within the actual PDF. They do exactly what the name implies, prove that you and/or other signers, have approved the content of the document.

Certifying a document is sometimes referred to as sealing the document. Unlike approval signatures mentioned above, you can only certify a document once and you cannot certify if the document already has a digital signature. This means certifying is usually done by the author or creator of the document, before it's published or sent for additional signatures or form fill-ins.
Note: As of now, you can only certify using Adobe Acrobat. Adobe Reader doesn't support this function. For more information, please see our AATL Document Signing FAQs: https://support.globalsign.com/aatl-document/aatl-document-signing-faqs

What leading document workflow platforms is DSS currently integrated with?

GlobalSign’s Digital Signing Service is already integrated with leading document work flow providers including Adobe Acrobat Sign and DocuSign. This provides customers with an easy way to add legally accepted and publicly trusted digital signatures to Adobe Acrobat Sign and DocuSign workflows. Once an organization’s DSS account is set up, employees can start digitally signing within these applications.