DocuSign Signature Appliance with External CA - Solution Overview

DocuSign External CA - Overview

DocuSign offers the DocuSign External CA service, a trusted, compliant Certificate Authority, issuing certificates to customers seeking digital signing with third-party trust. 
DocuSign External CA is integrated with the DocuSign Signature Appliance allowing users to digitally sign agreements with certificates issued by a recognizable brand.
The DocuSign Signature Appliance (DSA) is a standard digital-signature solution that includes hardware appliances for on-premises or hybrid deployment. It streamlines the signature process that may help maximize compliance with regulations in Federal, Professional Engineering, and Life-Sciences market segment

The DocuSign Signature Appliance connects to DocuSign External Root CA, a trusted Certificate Authority hosted by DocuSign meeting the highest standards for assurance and availability. 
After completion of mandatory compliance processes,  DocuSign External Root CA issues signers compliant digital certificates.

The DocuSign Signature Appliance securely stores and manages signature certificates allowing users to digitally sign using an ecosystem of web, desktop, and mobile on-premises applications, or via DocuSign Cloud in hybrid mode.

The DocuSign External CA is a Private Certificate Authority powered by DocuSign meeting requirements for 3rd Party certificates. It is not listed in a trust program such as Web-Trusted, Microsoft store or AATL.

Customers who require an Adobe’s Approved Trust List (AATL)-supported solution, may leverage the DocuSign TSCP CA offering, Signature Appliance TSCP integration, providing digital signatures cross-certified by the Federal Bridge. Since TSCP is a member of the Adobe Trust List, this solution grants signatures a green checkmark in Adobe.

The Root certificates for the External CA service are available at under 'DocuSign ECA Certificates'.

DocuSign External CA Administration

Compliance Management

In order to ensure the Certificate Authority's trust, an organizational onboarding process is required. In addition, a compliance interview will be conducted, focusing on the assurance of Identity Proofing and proper user management.

Every new company or organization leveraging DocuSign External CA must define operational roles, that is, who will own the responsibilities for Identification, authorization and ensure secure procedures. Organizational functions taking on these roles such as HR and IT will undergo compliance enrollment and training. 

To maintain compliance, customers must comply with the DocuSign DocuSign External CA policy published at:

DocuSign Signature Appliance Management

To support technical and compliance constraints required by the DocuSign External CA policy, the following are key customer-administrative restrictions for the management of DocuSign Signature Appliance when used with DocuSign External CA services-

  • The DSA setup and installation process must be performed by DocuSign personnel.  
  • Users must prompt their password prior to performing signing operation
  • The DSA Audit log should be exported and securely stored.

The Full list of changes to the DSA may be found in the DSA Administrator Guide.