Configuring Automatic Generation and Key Renewal over Peers

Configuration of Automatic Generation and Key Renewal over Peers is done in the following steps:

SignServer Configuration

For this section we are going to create a PDF Signer that will allow key and certificate renewal over the peer connection. This saves from having to pass around CSRs from SignServer to EJBCA when doing certificate renewals.

To create the PDF Signer, do the following:

  1. Access the SignServer Administration Web. 

  2. Click on Workers, click Add and then select From Template.
  3. In Load from Template, select pdfsigner.properties and click Next.


  4. In the Configuration, comment out the line WORKERGENID1.DEFAULTKEY=signer00003 since we want to use our own key, and click Apply.


  5. The PDFSigner worker is added with an “Inactive” state. Click the Worker to select it and then select the Configuration tab.


  6. Click Add and specify the following under Add Property:

    • Name: “PEERS_VISIBLE”
    • Value: “true”


  7. Click Submit to add the property to the configuration. 

  8. Click back onto the worker to select it and then click Renew key.


  9. Under Renew Keys, enter the following details:

    • Key Algorithm: “RSA”
    • Key Specification: “2048”
    • New Key Alias: “PDFSignKey0001”


  10. Click Generate.

EJBCA Configuration

Configure EJBCA according to the following:

  1. Access the Administration GUI for EJBCA. 
  2. Select Certificate Profiles under CA Functions and add a profile called “PDF Signer Certificate Profile:


  3. Click Edit on the Certificate Profile once added, specify the following attributes and click Save:
    • Available Key Algorithms: RSA
    • Available Bit Lengths: 2048
    • Validity or end date of the certificate: 5y
    • Extended Key Usage: PDF Signing
  4. Under RA Functions, click End Entity Profiles

  5. Enter a name for a new profile in the Add Profile Field such as PDF Signer EE Profile, and click Add.


  6. Select the PDF Signer EE Profile and click Edit End Entity Profile.

  7. Within the profile, select the following values and click Save:

    • Default Certificate Profile: PDF Signer Certificate Profile

    • Available Certificate Profiles: PDF Signer Certificate Profile

  8. Select the SignServer Peer EE Profile and click Edit End Entity Profile.

  9. Within the profile select the following values:
    • Default Certificate Profile: PDF Signer Certificate Profile
    • Available Certificate Profiles: PDF Signer Certificate Profile
    • Default CA:  ManagementCA
    • Available CAs: ManagementCA
    • Default Token: User Generated
    • Available Tokens: All


Create the End Entity on EJBCA

To create the End Entity on EJBCA:

  1. In the EJBCA Admin Web, select Add End Entity under the RA Functions section.

  2. Specify the following for the End Entity and then click Add.
    • End Entity Profile: PDF Signer EE Profile
    • Username: PDFSigner
    • Password: <Desired Password>
    • CN, Common name: “PDFSigner”(warning) must match the worker name in SignServer
    • Certificate Profile: PDF Signer Certificate Profile
  3. Select Peer Systems under System Functions.

  4. Click Manage on the Peer Connection to SignServer and select the Remote Key Bindings tab.

    The Remote name of PDFSigner and the Remote key pair value of PDSSignKey0001 should be populated already if the configuration was done correctly. In Local end entity enter PDFSigner:


  5. Click Issue signing certificate. The certificate details will now show with a certificate serial number bound to the binding:


  6.  Go to the SignServer Admin Web, select the Workers tab and check that the PDFSigner worker now is active.