Unicity MSS


Electronic signature for your business

Unicity MSS (Mass Signing Server) is a high-performance mass signature server that satisfies the needs of all legal entities (companies, public services, associations etc.) that produce high volumes of electronic documents requiring signature. It enables different entities or departments within an organization to sign documents electronically (server stamp), whatever kind of business applications or document flows are involved, including, for example:

  • Fast mass signing of invoices
  • Signature of contractual documents
  • Mass signing of all kinds of documents to guarantee integrity
  • Countersignature of contracts by a legal entity
  • etc.

High-performance electronic signature

Do you need to sign high volumes of documents or produce electronic signatures at high speed as part of a complex business process? With Unicity MSS, processing speed will never be a hindrance! Depending on the configuration involved, Unicity MSS can produce several hundred signatures per second.

Learn more

Unicity MSS is fast...

Unicity MSS is a stand-alone server that handles all operations, from the inbound connection to signature. Each server module has been optimized to offer you an extremely high-performing tool. With our optimized software drivers, you can get the most out of the capabilities of your HSM. Unless you use optical fiber, you will be limited by your network connection speed before being limited by Unicity MSS!

And it can be even faster!

Do you need to sign several million invoices in a single day? Unicity MSS can easily be installed in a cluster to leverage very significant processing capabilities. Using the integration library provided and the web services, you can delegate client-side operations processing and thereby substantially reduce network transmissions. The only thing you need to keep an eye on is the size of your event log!

Flexible signature configuration

It's simple: We can handle everything! PDF, PAdES, CMS, CAdES, XMLDsig, XAdES, detached, attached, enveloping, with or without timestamping, with co-signatures or countersignatures etc. Whatever kind of signature you wish to produce, Unicity MSS can do it!

Learn more

Multiple keys, multiple signatories, multiple formats

Within the signature services, a signature key is linked to its signature environment:

  • The signature certificate and the associated certificate chain
  • A signature profile compliant with CAdES, XAdES or PAdES advanced signature standards, containing signature generation rules, and a signature policy if needed
  • Cryptographic signature algorithms

Unicity MSS enables you to generate several signature keys, which can be linked to multiple signatories, all with their own signature format.

Advanced and qualified signature support

It is possible to configure Unicity MSS to obtain advanced signatures compliant with European directive 1999/93/EC. If your certificates are qualified, your signatures will be!

External signature mode with CUTE

In this mode, Unicity MSS takes care of all the details involved in the preparation and finalization of CAdES, XAdES or PAdES advanced signature formats. Thanks to CUTE, all that remains to be done is to produce a "raw" signature, the key being stored on a device such as a smartcard or SIM card. This mode enables end-users to generate signatures with their own key in an advanced format without having to know it or define it.

Designed for IT integration

Unicity MSS integrates very easily and quickly with your existing infrastructure. A corporate signature server interacts with multiple services and with different hardware:

Learn more
  • Hardware security modules or HSMs- to manage signature keys
  • Timestamp servers to add timestamp tokens to signatures

Interaction with trusted third parties

Naturally, a signature server requires keys and certificates and must often integrate timestamp tokens into signatures. With Unicity MSS, there is no longer any need for command lines or for specific development to generate keys or obtain electronic certificates or timestamp tokens from services that are compliant with European electronic signature standards. All these operations can be performed with a user-friendly graphical interface in just a few clicks.

Signature requests via web services or hot folders

Whether from a .NET- or Java-based application server, or a Python, Perl or PHP web application, all Unicity MSS operations can be easily performed through web services (SOAP, XML-RPC and OASIS/DSS) and can therefore be easily called from any programming language.

To make integration of these interfaces even easier, and depending on your needs, Unicity MSS is supplied with:

  • A complete description of the web services and code examples
  • An integration library in Java that allows applications to send a document and receive the signature returned by Unicity MSS using simple calls to that library.

Unicity MSS also offers the Hot folders mode. In this integration mode, the calling application deposits files for signature in a pre-configured folder on the Unicity MSS server. This folder is regularly inspected by Unicity MSS; when new files are found in it they are automatically signed and moved into a final folder. This mode allows simplified access to the signature services in addition to loose coupling between the calling application and the Unicity MSS server.
With the help of the Unicity MSS integration manual, you should only need a few hours to add electronic signature functionalities to your applications.

Compatibility with cryptographic hardware and software

Don’t be bothered by the keys and certificates token… By using international standards, Unicity MSS is capable of using all kinds of hardware security modules (HSMs), smartcards and software certificates, particularly since it supports PKCS#11, PKCS#12 and nCipher formats.

High level of security

End-to-end security is a fundamental requirement for a signature server used by corporate entities.

Learn more

For optimal security, Unicity MSS integrates its own authentication layer and is based on the concept of role-based authorization control.

Integrated connection management

Unicity MSS is a stand-alone product that allows you to manage network connections and the SSL/TLS configuration directly from the graphical user interface. Configuration is therefore simplified, while end-to-end security is guaranteed from the calling application to Unicity MSS. The fact that it implements its own web services, its own web server and its own authentication layer means that Unicity MSS is not dependent on multiple third-party components for security or auditing. As with any critical configuration, the modification of inbound connection parameters can be tracked using the event log.

Role-based access control (RBAC)

Unicity MSS is based on the INCITS 359-2004 standard for secure and rigorous signatory access control. Each server operation is linked to a unique access permission and these access permissions are grouped by roles to fit with your organization's security model. Furthermore, for smooth integration with your infrastructure connection policies, it is possible to grant or deny some roles automatically, depending on the server entry point.

Signature key life cycle management

If you are already familiar with the handling of cryptographic material, you will know that full control of the signature key life cycle is especially important and sometimes even required to fulfill legal requirements associated with the production of electronic signatures. If you already have a key management policy in place and, for example, it requires that you use your HSM supplier's tools, there is nothing to worry about: Unicity MSS can also handle externally managed keys.

Extremely simple setup

Install - configure - sign. With one fully packaged solution and few installation steps, installing a mass signature server has never been so fast and easy!

Learn more


Stand-alone server

Unicity MSS does not need an application server and can be installed on any operating system with a Java virtual machine. All the server modules are grouped together in a single package: There is no need to install third-party libraries or use funny configuration files. One tiny text file is enough to set up a ready-to-configure server using the graphical interface. The few installation and configuration steps are detailed in the installation and administration guide: Immediately after that, the graphical interface takes over and does all the hard work for you!

User-friendly graphical administration interface

All the Unicity MSS administration tasks are performed using a complete and intuitive graphical interface. Each operation in Unicity MSS generates an entry in the event log: server startup or shutdown, modification of any parameter, successful or unsuccessful signature requests, new user creation, granting or denial of roles etc. Each entry includes all details of the corresponding operation. If you need to check specific information, all the entries can be viewed from the administration interface. You can export the event log or view entries using the web services interfaces, for subsequent integration into your own reports.

Full compliance with standards

This is Cryptolog's constant promise: When creating electronic signatures, it is particularly important to be able to use material provided by third parties and to produce signatures that can be verified by any tool on the market.

Learn more

Like all other products in our range, Unicity MSS carries our promise of full compliance with standards to satisfy your needs for interoperability.

Simple and advanced signature formats

Unicity MSS makes it very easy to implement all the main signature formats currently in use, in strict compliance with the latest international standards: CMS and CAdES, XMLDsig and XAdES, PDF and PAdES. Whatever the signature format, Cryptolog has implemented all the security levels described by the standards, from the most simple (BES and EPES) to the addition of an ES-T timestamp token.

Import signature policies

Signature policies compliant with the ETSI TR 102 038 and ETSI TR 102 272 standards can be easily imported to the Unicity MSS server. The signature policy rules are automatically updated and locked to prevent modification. The policy will then be referenced in the signature. Do you already have your own signature policies? Unicity MSS enables you to generate advanced electronic signatures that are compliant with them instantly!


I - Signature


Learn more

Signature formats:

  • CAdES (ETSI TS 101 733 v1.8.1)

    • CMS (RFC 3852 - Cryptographic Message Syntax)
    • BES (Basic Electronic Signature)
    • EPES (Explicit Policy Based Electronic Signature)
    • T (Signature Time-Stamp)
  • XAdES (ETSI TS 101 903 v1.4.1)

    • XMLdSig (XML-Signature Syntax and Processing)
    • BES (Basic Electronic Signature)
    • EPES (Explicit Policy Based Electronic Signature)
    • T (Signature Time-Stamp)
  • PAdES (ETSI TS 102 778 v1.1.1)

    • ISO 32000-1
    • BES (Basic Electronic Signature)
    • EPES (Explicit Policy Based Electronic Signature)
    • T (Signature Time-Stamp)

Signature tokens:

  • PKCS#12 v1.0 (Personal Information Exchange Syntax Standard)
  • PKCS#11 v2.20 (Cryptographic Token Interface)
  • nCipher nShield (Hardware Security Module)

Signature validation policies (EPES signatures):

  • ASN.1 format for signature policies (ETSI TR 102 272 v1.1.1)
  • XML format for signature policies (ETSI TR 102 038 v1.1.1)

Signature algorithms:

  • RSA PKCS#1 (RSA Cryptography Standard)

    • "RSA/Sign, padding=1.5"
    • "RSA/Sign, padding=PSS"
  • DSA (Digital Signature Algorithm or Digital Signature Standard)

    • "DSS, encoding=ASN.1"
    • "DSS, encoding=RAW"
  • ECDSA (Elliptic Curve Digital Signature Algorithm)

    • "ECDSA, encoding=ASN.1"
    • "ECDSA, encoding=RAW"

Digest algorithms:

  • SHA (Secure Hash Algorithm)

    • "sha-1"
    • "sha-256"
    • "sha-384"
    • "sha-512"
  • MD (Message Digest)

    • "md5"
  • RIPEMD (RACE Integrity Primitives Evaluation Message Digest)

    • "ripemd160"

II - Timestamping


Learn more
  • RFC 3161 (Time-Stamp Protocol)

III - Other functionalities


Learn more
  • Java 1.5 and further compatible
  • Advanced logging
  • Advanced signature field configuration for PAdES signatures
  • Advanced tracability based on event logs
  • Simple web services access : XMLRPC, Oasis/DSS, Soap
  • Hotfolders access
CTA telecharger Download our products
Test our products for 15 days
Product downloads
CTA cas client Success stories
Discover how our customers are using our products
Success stories
CTA pdf Product sheet
Learn more about our dateiled product features
Product Sheet