Entrust Remote Signing Engine

Entrust Remote Signing Engine acts as a server-based signature provider, allowing users to authenticate in order to activate their keys and authorize the signature of documents or document hashes.

Electronic signature provider (eSigP)

PKI material for enrolled users is managed as identity attributes in a secure HSM-based repository. Each user can have one or more digital certificates to sign documents remotely once authenticated.

Signing functions are available through a web API or optionally via the TrustedX Desktop Virtual Card (VC) component.

Identity provider (IdP)

The platform is designed to leverage an existing federated Identity Provider, but it can also act as an IdP for some use cases. Consult us for more information about supported third-party IdPs.

Entrust Remote Signing Engine includes 2FA authentication methods such as SMS/Email OTP and TrustedX Mobile ID.

More authenticators can be incorporated thanks to the integration with Entrust's IntelliTrust or IdentityGuard, or with existing IdPs using our SAML 2.0 connector.

• Format: Virtual or hardware appliance. Hardware appliance is required for the Signature Activation Module. Contact us for more information about supported hardware or virtual machines.
• Signature Activation Module (SAM): Entrust Remote Signing Engine v4.2 implements a SAM conforming to CEN EN 419 241-2: Protection Profile for QSCD for Server Signing.
• Authentication standards: OASIS SAML 2.0 and OAuth 2.0/OpenID Connect.
• Native authentication methods: Passwords, digital certificates, SMS/email OTP, TrustedX Mobile ID.
• Extending authenticators: Integration with Entrust's IntelliTrust or IdentityGuard products, or with third-party IdP using the provided SAML 2.0 connector or a custom connector.
• Authentication classification: eIDAS’s levels of assurance (LoA), NIST’s authenticator assurance levels (AALs), ITU-T X.1254, ISO/IEC 29115.
• Electronic signature standards: PAdES (ETSI TS 103 172 and ETSI EN 319 142), XAdES (ETSI TS 103 171 and ETSI EN 319 132), CAdES (ETSI TS 103 173 and ETSI EN 319 122), RSA PKCS#1 and Cloud Signature Consortium/ETSI TS 119 432.
• External TSA and OCSPs: Entrust's TSA and OCSP products or IETF TSA and IETF OCSP compatible servers to create LTV signatures with extended lifetime up to TSA certificate validity.
• External PKI services: Entrust's PKI or third-party PKI using the provided mechanism of custom connectors.
• HSM support: nShield Connect+ and nShield Connect XC. The available functions may vary depending on the model chosen (nShield Connect XC is required for the SAM).
• Event monitoring: Simple Network Management Protocol (SNMP). Syslog and raw format for processing with an external SIEM.
• Database systems: Oracle, Microsoft SQL Server, and PostgreSQL. Consult us for other databases support.
• SMS/Email gateway: An SMS Gateway and/or SMTP server is required for OTP methods.