The SignServer Administration Web Services (AdminWS) can be used for remote administration of SignServer over client-authenticated HTTPS.

Access is granted based on a list of (certificate serial number, issuer distinguished name) pairs. There is currently only one access level: every administrator on the list can perform all operations.

The WSDL file is located at the following URL: http://<hostname>:8080/signserver/AdminWSService/AdminWS?wsdl.

To authorize administrators using the Admin CLI, use the wsadmins command:

```bash
bin/signserver wsadmins
```

Usage:

```text
Usage: signserver wsadmins -add -certserialno <certificate serial number (in hex)> -issuerdn <issuer DN>
Usage: signserver wsadmins -add -cert <PEM or DER file>
Usage: signserver wsadmins -remove -certserialno <certificate serial number (in hex)> -issuerdn <issuer DN>
Usage: signserver wsadmins -list
Usage: signserver wsadmins -allowany [true|false]
Example 1: signserver wsadmins -add -certserialno 123ABCDEF -issuerdn "CN=Neo Morpheus, C=SE"
Example 2: signserver wsadmins -add -cert wsadmin.pem
Example 3: signserver wsadmins -remove -certserialno 123ABCDEF -issuerdn "CN=Neo Morpheus, C=SE"
Example 4: signserver wsadmins -list
Example 5: signserver wsadmins -allowany
Example 6: signserver wsadmins -allowany false
```

The certificate serial number should be entered in hexadecimal. Leading zeros and upper/lowercase are not significant.

The issuer DN currently has to be entered with its components in reversed order and with a space after each comma-separated component, as in the example above ("CN=Neo Morpheus, C=SE"). Because component order and spacing matter for the match, an issuer DN that differs from the form SignServer uses internally will silently fail to authorize; when in doubt, add the administrator with -cert instead, or copy the issuerDN value exactly as SignServer prints it in its log (see the troubleshooting example below).

An administrator can also be added by supplying the client certificate file (PEM or DER) as an argument. The serial number and issuer DN are then taken from that certificate, so the DN does not have to be formatted by hand.

To troubleshoot an "Administrator not authorized to resource" error, check the SignServer log for how it interpreted the serial number and issuer DN of the connecting administrator, and compare those values with the entries shown by wsadmins -list. Example:

```text
19:00:33,946 INFO  [AdminWS] ADMIN OPERATION; subjectDN=C=SE, O=Markus Organization, OU=Internal Testing 1, CN=External RA Admin 1; serialNumber=4a3442e98e3ce428; issuerDN=C=SE, O=Markus Organization, OU=Internal Testing 1, CN=MarkusAdminCA1; authorized=false; operation=getWorkers; arguments=
```
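The following is an added example, not SignServer code, that ties the serial-number and issuer-DN entry rules above to the log-based troubleshooting. It parses an "ADMIN OPERATION" log line (the sample below is constructed, modelled on the one shown above), normalizes the serial number the way the page says SignServer treats it (hex, leading zeros and case not significant), reports why a configured (serial, issuer DN) pair would not match what was logged, and emits the exact wsadmins -add command that copies the logged issuerDN verbatim. The function names (parse_admin_operation, normalize_serial, check_entry, wsadmins_add_command) and the mismatch categories are this example's own and are not part of SignServer's API or CLI.

```python
"""Added example (not SignServer code): reconcile wsadmins entries with the
AdminWS "ADMIN OPERATION" log line when an administrator is not authorized."""
import re
import shlex

# Constructed sample log line, modelled on the one in the docs above; not a real capture.
SAMPLE_LOG = (
    "19:00:33,946 INFO  [AdminWS] ADMIN OPERATION; "
    "subjectDN=C=SE, O=Markus Organization, OU=Internal Testing 1, CN=External RA Admin 1; "
    "serialNumber=4a3442e98e3ce428; "
    "issuerDN=C=SE, O=Markus Organization, OU=Internal Testing 1, CN=MarkusAdminCA1; "
    "authorized=false; operation=getWorkers; arguments="
)


def parse_admin_operation(line):
    """Return the key=value fields after 'ADMIN OPERATION;' as a dict, or None.

    Fields are ';'-separated. DN values contain commas and '=' but no ';', so
    each field is split on its first '=' only.
    """
    m = re.search(r"ADMIN OPERATION;(.*)$", line)
    if not m:
        return None
    fields = {}
    for part in m.group(1).split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def normalize_serial(serial):
    """Canonical hex serial: no 0x prefix, no leading zeros, lowercase.

    Mirrors the page's statement that leading zeros and case are not significant.
    """
    s = serial.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = s.lstrip("0")
    return s or "0"


def dn_components(dn):
    """Split a DN string on commas and trim whitespace around each component."""
    return [c.strip() for c in dn.split(",")]


def wsadmins_add_command(fields):
    """Build the CLI command that authorizes the administrator seen in the log.

    The issuerDN is copied verbatim from the log: per the page, component order
    and spacing matter, so the logged form is the one that will match.
    """
    serial = normalize_serial(fields["serialNumber"])
    issuer = shlex.quote(fields["issuerDN"])
    return "signserver wsadmins -add -certserialno %s -issuerdn %s" % (serial, issuer)


def check_entry(configured_serial, configured_issuer, fields):
    """Explain why a configured (serial, issuer DN) pair does not match the log.

    Returns a list of problem descriptions; an empty list means the pair matches.
    The DN diagnostics distinguish the two mistakes the page warns about:
    missing spaces after commas and components in the wrong order.
    """
    problems = []
    if normalize_serial(configured_serial) != normalize_serial(fields["serialNumber"]):
        problems.append("serial number differs")
    logged = fields["issuerDN"]
    if configured_issuer != logged:
        if dn_components(configured_issuer) == dn_components(logged):
            problems.append("issuer DN differs only in whitespace around commas")
        elif sorted(dn_components(configured_issuer)) == sorted(dn_components(logged)):
            problems.append("issuer DN has the same components in a different order")
        else:
            problems.append("issuer DN differs")
    return problems


if __name__ == "__main__":
    f = parse_admin_operation(SAMPLE_LOG)
    print("logged serial:", f["serialNumber"], "issuerDN:", f["issuerDN"],
          "authorized:", f["authorized"])
    reversed_dn = "CN=MarkusAdminCA1, OU=Internal Testing 1, O=Markus Organization, C=SE"
    print("problems with reversed DN:", check_entry("4A3442E98E3CE428", reversed_dn, f))
    print("fix:", wsadmins_add_command(f))
```

Running the script prints the diagnosis for a DN entered in the opposite order from what SignServer logged, followed by the -add command to run. The diagnostics only cover the serial/DN formatting cases the page describes; if the logged issuerDN matches a listed entry exactly and authorization still fails, the certificate is not the one the administrator thinks it is, and adding it with -cert from the actual client certificate file is the quickest way to settle that.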