The following describes the server side installation of SignServer:

Before you install SignServer, see the following sections:

Download and Unpack SignServer

Download and unzip the latest SignServer Enterprise Edition from your PrimeKey download area or use the latest SignServer Community Edition release archive from SourceForge.

SignServer is available in the following different distributions:

  • signserver-6.x.y-bin.zip: The binary distribution. Recommended.
  • signserver-6.x.y.zip: The mixed distribution. Contains the sources and all required libraries. This distribution requires you to build SignServer before deploying, see Optional: Build SignServer.

Make sure to compare the checksums as provided on https://signserver.org/download.html, or from a by Keyfactor or PrimeKey provided download site.

sha256sum signserver-6.x.y-bin.zip
unzip signserver-6.x.y-bin.zip
CODE

Alternatively, you can checkout the latest unstable version from the Subversion (SVN) repository. Note that as with the mixed distribution, the latest unstable version needs to be built before deploying.

Optional: Build SignServer

Skip this step if you downloaded the binary distribution (recommended) and proceed to the step Set Environment Variables.

Building SignServer is only required if you chose to download the mixed distribution, or checked out the latest SVN version, and want to build SignServer yourself before copying it to the target server.

To build SignServer, perform the following steps on your build machine.

Install Maven

For example, to install Maven in CentOS 7, run something like the following:

sudo yum install maven
CODE

Ensure Secure Maven Installation

Before running Maven (mvn) commands, ensure that you have a secure Maven installation that does not contact the Central repository over insecure HTTP. Ensure that the URL for the Central repository is specified with HTTPS (and/or use an internal repository).

For an example on how to override the default Maven settings in ~/.m2/settings.xml, refer to the sample-maven-settings-community.xml file provided in your SignServer release. To view the current settings, run:

mvn help:effective-settings
CODE

Set Edition

To set the edition (generating res/edition.properties), run:

bin/ant init
CODE

Install Dependencies Not Yet Available in Maven Central Repository

Occasionally, we rely on versions of dependencies not yet published to the Maven repositories. To call a script to manually install the dependencies in the local repository, run:

lib/maven-install-files.sh
CODE

Build from Sources

To build from the sources, run:

mvn install -DskipTests
CODE

Set Environment Variables

APPSRV_HOME

Set APPSRV_HOME to point to your application server installation.

To set the APPSRV_HOME environment variable for WildFly 26, for example use:

export APPSRV_HOME=/opt/wildfly-26.3.1.Final
CODE

The APPSRV_HOME variable is used when deploying to the application server and could for example be set in your .bashrc or similar file, or be provided every time the deploy command is executed.

SIGNSERVER_NODEID

To set SIGNSERVER_NODEID to a unique ID for the server, use:

export SIGNSERVER_NODEID=node1
CODE

The SIGNSERVER_NODEID variable should be available to the application server and might need to be set in /etc/environment or similar. The variable is generally not mandatory but if not set, warnings will be printed in the log.

Configure Deployment

Deployment Properties

The file signserver_deploy.properties includes configuration settings for the application, database, and web services.

Copy conf/signserver_deploy.properties.sample to conf/signserver_deploy.properties and open it for editing in a text editor.

cp conf/signserver_deploy.properties.sample conf/signserver_deploy.properties
CODE

If using a database other than MySQL and MariaDB, update the property database.name. The following shows the default value, used for both MySQL and MariaDB:

database.name=mysql
CODE

SignServer Without Database

You can choose to install SignServer without a database management system and instead rely on SignServer to manage persistence using local files, see SignServer without Database.

To run SignServer without a database, set database.name to nodb in the signserver_deploy.properties file :

database.name=nodb
CODE

Set the location for the local file-based database:

database.nodb.location=/opt/signserver/nodb
CODE

Ensure to specify a path to a location where SignServer can write files. The default value is empty. If a relative path is used, it is most likely relative to the application server's working directory. The directory should either point to an existing SignServer file database, or be completely empty. If the directory is empty, SignServer will create the initial database structure at startup.

mkdir /opt/signserver/nodb
CODE

Audit Log Signing Properties

The file databaseprotection.properties includes configuration for audit log signing and verification that can be used in Enterprise Edition when running with database.

Copy conf/databaseprotection.properties.sample to conf/databaseprotection.properties and open it for editing in a text editor.

cp conf/databaseprotection.properties.sample conf/databaseprotection.properties
CODE

For information on how to configure for signed audit logs in the database, see Signed log.

Custom Configuration Outside of Installation Directory

To ease upgrades and allow keeping your configurations from a version to another, you can now store your SignServer configurations in a signserver-custom folder outside of the SignServer home directory. Your configuration files placed in the signserver-custom folder will override the corresponding files found in the SIGNSERVER_HOME directory before executing an ant command.

To maintain changes in for example the signserver_deploy.properties file, that includes settings for the application, database, and web services, create a signserver-custom folder and copy the signserver_deploy.properties file to this folder:

mkdir -p ../signserver-custom/conf 
cp conf/signserver_deploy.properties.sample ../signserver-custom/conf/signserver_deploy.properties
CODE

Later when upgrading SignServer, the signserver_deploy.properties file does not need to be copied to the new directory.

Deploy SignServer

Run bin/ant deploy to build the configuration and deploy it to the selected application server:

bin/ant deploy
CODE

Make sure the application server is running and verify that SignServer was deployed correctly.

For example, look at the server log or for WildFly, run:

ls /opt/wildfly/standalone/deployments | grep signserver.ear*
CODE

Verify Installation and Access SignServer

To verify your SignServer installation, access one of the available user interfaces.

Public Web

To verify that SignServer is deployed and to access links to documentation and so on, point your web browser to http://localhost:8080/signserver.

Administration CLI

To test the access to the server and print the deployed version, run the following Admin CLI command:

bin/signserver getstatus brief all
Current version of server is: SignServer EE 6.0.0
CODE

Administration Web

To access the SignServer Admin Web, point your web browser to http://localhost:8080/signserver/adminweb.

To temporarily allow all valid client certificates to administer the Administration Web, run the following:

bin/signserver wsadmins -allowany
CODE

For more information, see Administration Web.