> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Using HSM-backed keys in ADSS Server

> Reference listing of ADSS Server services and infrastructure components that consume HSM-backed keys.

*ADSS services and infrastructure components that can reference keys stored on the Futurex HSM.*

<Note>
  This section is informational. Configuration of individual ADSS services is outside the scope of this integration guide. For service-specific configuration steps, refer to the ADSS Server Admin Guide available within the running ADSS Server console at `https://[adss-host]:8774/adss/console/docs/help/welcome.html`.
</Note>

Once the Futurex HSM is configured as a Crypto Source and one or more keys have been generated against it, those keys can be referenced by any ADSS service that performs signing operations. Each service that consumes a key has a corresponding configuration section in the ADSS Server Admin Guide.

## Service signing keys

| ADSS Service          | Key Purpose                                                                                                                      | ADSS Admin Guide Reference                      |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
| Signing Service       | Signs documents and data on behalf of business applications. Supports PDF/PAdES, XML/XAdES, CMS/CAdES, PKCS#7, S/MIME, and ASiC. | Signing Service > Signing Profiles              |
| TSA Service           | Signs RFC 3161 / RFC 5816 timestamp tokens.                                                                                      | TSA Service > TSA Profiles                      |
| OCSP Service          | Signs OCSP responses (RFC 2560 / 6960 / 5019) on behalf of one or more registered CAs.                                           | OCSP Service > OCSP Profiles                    |
| Certification Service | Signs end-entity certificates and CRLs as an internal Certification Authority.                                                   | Certification Service > Certificate Authorities |
| SCVP Service          | Signs Server-based Certificate Validation Protocol responses (RFC 5055).                                                         | SCVP Service > SCVP Profiles                    |
| LTANS Service         | Signs long-term archive evidence records (RFC 4998 / RFC 6283) and optional notary signatures.                                   | LTANS Service > Archive Profiles                |
| Go>Sign Service       | Signs hashes in server-side signing flows and produces signature enhancements.                                                   | Go>Sign Service > Go>Sign Profiles              |
| RAS / SAM Service     | Holds end-user signing keys for Remote Authorised Signing flows under sole control.                                              | RAS Service / SAM Service                       |
| CSP Service           | Holds end-user signing keys exposed via the Cloud Signature Consortium (CSC) API.                                                | CSP Service                                     |

## Infrastructure and operational keys

| Key                                   | Purpose                                                                                                                                  | ADSS Admin Guide Reference                                       |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
| TLS Server Authentication certificate | Secures TLS communication between the Core, Console, and Service Tomcat instances and external clients.                                  | Key Manager > Service Keys; Global Settings > System Certificate |
| System Master Key (HSM-based startup) | Protects ADSS database encryption material when the master key is held on the HSM rather than in software. Selected during installation. | Installation Guide > Master Key Configuration                    |
| Key Encrypting Key (KEK)              | Wraps end-user signing keys for encrypted storage in the ADSS database. Keys are unwrapped only inside the HSM at signing time.          | Key Manager > Crypto Source > Key Wrapping Settings              |
