Initial Set Up
After logging into the Software Appliance for the first time, we recommend the following setup steps.
Step 1 - Add a new user account
Create a user account, by adding either a client certificate user account or an OAuth user account.
Step 2 - Remove the OTP User
The person who manages the virtual machines, and thus can see the OTP/TTY, is in many cases not the person who manages the Software Appliance. You should therefore remove the Initial OTP User to avoid security issues.
After the new User Account has been added, log in again with the new User Account. Now you can delete the Initial OTP User.
In the Actions column of the User Accounts table, click Remove:
When prompted, click Remove to confirm the action.
Step 3 - Configure a Hardware Security Module (HSM)
You can configure a Hardware Security Module (HSM) to store and protect your cryptographic keys, or optionally use the SoftHSM software-based implementation for demonstration or testing purposes.
Configuring an HSM for the Software Appliance is irrevocable. To change an HSM configuration, you need to reset the Software Appliance.
For instructions on how to configure the HSM, see:
- Configuring a TrustWay Proteccio netHSM
- Configuring a Thales DPoD HSM
- Configuring a Luna Network HSM
- Configuring an Entrust nShield Connect HSM
- Configuring a Utimaco CryptoServer LAN
Step 4 - Configure the SignServer Application
Next, create a Crypto Token in SignServer and connect it to the configured HSM. For more information, refer to the SignServer Documentation on Crypto Tokens.
The following provides some example steps for creating a Crypto Token in SignServer and generating a test key.
You need to select a TLS client certificate to be able to connect to SignServer Admin Web. If you have not selected a TLS client certificate when your browser requested it, you may need to restart your browser.
Create Crypto Token and Test Key
Follow the example steps below to create a Crypto Token and a test key in SignServer. For more information, refer to the SignServer Documentation on Crypto Tokens and available properties.
To create a Crypto Token and generate a test key in SignServer, do the following.
- On the SignServer Software Appliance Overview page, click Admin Web for SignServer listed in the Application Overview.
- In SignServer, click Add at the bottom of the page.
- On the Add Worker/Load Configuration page, select From Template as Method.
- Select p11ng-crypto.properties and click Next.
- On the next page, click Apply to create the worker. A new worker entry named "CryptoTokenP11NG1 (1)" should now be visible on the Worker Overview page.
- Click "CryptoTokenP11NG1 (1)" to configure the worker. The worker status and token status should be displayed as Offline.
- Next, configure the Crypto Token to access the correct PKCS#11 slot. Click Configuration to see the currently configured worker properties.
- Configure the appropriate properties, for example:
  - SLOTLABELTYPE: How to reference your PKCS#11 slot, by number ("SLOT_NUMBER") or index ("SLOT_INDEX").
  - SLOTLABELVALUE: The slot number or index of the slot you want to connect to.
- To configure the PKCS#11 slot pin, click Add at the bottom of the page. Add a new property named PIN to the Crypto Token properties and set the PIN of the slot you want to connect to.
- To test your configuration, click Crypto Token and then Activate. On the next page, enter the PKCS#11 slot PIN in the Authentication Code field and click Activate.
  If correctly entered, you will be redirected to the worker overview page.
- Next, to create a test key for the Crypto Token, select the worker name "CryptoTokenP11NG1 (1)".
- Click the Crypto Token tab to list keys that are available in the Crypto Token.
- Select Generate Key and specify the following before clicking Generate.
  - New Key Alias: testkey0
  - Key Algorithm: Choose a key algorithm that is available on your HSM.
  - Key Specification: Choose a key specification that is available on your HSM.
- Click Generate.
- Click Status Summary to check for errors. The Worker status and Token status should now both be Active.
You have now created a Crypto Token and a test key, and the Crypto Token can be used by your SignServer workers. For more information, refer to the SignServer Documentation on Crypto Tokens and available properties.
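An added example, not from the Software Appliance documentation or SignServer's own scripts: it expresses the Step 4 configuration as a SignServer worker properties file applied through the AdminCLI instead of Admin Web, validating SLOTLABELTYPE and SLOTLABELVALUE and keeping the slot PIN out of the command line. It assumes the AdminCLI is at $SIGNSERVER_HOME/bin/signserver, that the class and property names match your release's p11ng-crypto.properties template, and that a SHAREDLIBRARYNAME is already registered for your HSM (SoftHSM in the constructed test values).

```shell
#!/bin/sh
# validate_slot_ref TYPE VALUE: accept only the two SLOTLABELTYPE values Step 4 names,
# and only a non-negative integer as the slot number/index.
validate_slot_ref() {
  case "$1" in
    SLOT_NUMBER|SLOT_INDEX) ;;
    *) echo "SLOTLABELTYPE must be SLOT_NUMBER or SLOT_INDEX, got '$1'" >&2; return 1 ;;
  esac
  case "$2" in
    ''|*[!0-9]*) echo "SLOTLABELVALUE must be a non-negative integer, got '$2'" >&2; return 1 ;;
  esac
}

# write_crypto_token_props OUTFILE SLOTLABELTYPE SLOTLABELVALUE PINFILE SHAREDLIBRARYNAME
# Writes the equivalent of the p11ng-crypto.properties template plus the three
# properties set in Step 4 (assumed class/property names; check your own template).
# WORKERGENID1 lets SignServer assign the worker ID. The PIN is read from a file
# and the output is created owner-readable only, because it now contains the PIN.
write_crypto_token_props() {
  out=$1; type=$2; value=$3; libname=$5
  validate_slot_ref "$type" "$value" || return 1
  pin=$(cat "$4") || return 1
  ( umask 077 && cat > "$out" <<EOF
WORKERGENID1.TYPE=CRYPTO_WORKER
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.P11NGCryptoToken
WORKERGENID1.NAME=CryptoTokenP11NG1
WORKERGENID1.SHAREDLIBRARYNAME=$libname
WORKERGENID1.SLOTLABELTYPE=$type
WORKERGENID1.SLOTLABELVALUE=$value
WORKERGENID1.PIN=$pin
EOF
  )
}

# apply_and_test PROPSFILE ALIAS KEYALG KEYSPEC: load the worker, reload it (the PIN
# property lets the token activate on reload, so no PIN is passed on the command line),
# generate the test key and print the status the Status Summary page would show.
apply_and_test() {
  cli=${SIGNSERVER_HOME:-/opt/signserver}/bin/signserver   # assumed AdminCLI path
  [ -x "$cli" ] || { echo "AdminCLI not found at $cli" >&2; return 1; }
  "$cli" setproperties "$1" \
    && "$cli" reload CryptoTokenP11NG1 \
    && "$cli" generatekey CryptoTokenP11NG1 -alias "$2" -keyalg "$3" -keyspec "$4" \
    && "$cli" getstatus complete CryptoTokenP11NG1
}
```

Run it as `write_crypto_token_props /tmp/p11ng.properties SLOT_INDEX 0 /path/to/pinfile SoftHSM && apply_and_test /tmp/p11ng.properties testkey0 RSA 2048`, then delete the properties file since it holds the PIN.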
Step 5 - Renew the TLS certificate
This might be required to meet your company's security rules, for example, to remove the security warning in the address bar of the browser. For instructions on how to renew the TLS certificate, see Managing TLS Certificates.