Architecture and Concepts

SignServer provides client interfaces for submitting files or data for signing.

SignServer can be used with a standard web browser or the client application SignClient or integrated with third-party applications like cURL.

Internally in SignServer, workers and components are handling the request performing the authentication/authorization or interacting with external components. The configuration and logs can optionally be stored in a database.

SignServer can be managed from the command line, a graphical user interface, or be integrated directly from your application using Web Services. Various development APIs are available to enable custom implementations.

The following outlines SignServer's flexible, component-based architecture.

SignServer Concepts

Workers

Workers are configured to perform certain activities like signing files of a certain type, often with a specific key.

Signers

Workers that perform signing operations are called Signers. A Signer specifies how to perform the signature creation, and which key and certificate to use.

There are multiple implementations of SignServer Signers available for signing different formats and additional implementations can be developed.

Crypto Worker

A Crypto Worker is a holder for configuring the Crypto Token component that is used to access key material. By configuring the Crypto Token in a Crypto Worker other workers can reference this crypto worker and use it for signing etc.

Dispatchers

A SignServer Dispatcher does not perform any processing (i.e. signing) of its own but instead forwards the request to another worker. Dispatchers forward the request to the first available worker that has a valid certificate (FirstActiveDispatcher), or forward a time-stamp request depending on the requested time-stamp policy (RequestedPolicyDispatcher).

Timed Service

SignServer Timed Service does not accept any input but instead runs at a fixed time interval (like a cron job). This can be useful for setting up an hourly timed service keeping the connection to the Hardware Security Module (HSM) from timing out. For more information, see HSM Keep Alive Timed Service.

Components

SignServer Components provide specific functionality and are configured in the workers.

Crypto Token

Crypto Tokens provide access to the keys and cryptography operations. Each Signer is typically configured with a reference to a Crypto Worker having a Crypto Token configured. A Crypto Token using a software keystore is the P12 Crypto Token and one using an HSM is the PKCS11 Crypto Token.

Authorizer

Authorizers are responsible for deciding if a request should be allowed or not. Options include HTTPS/TLS client certificate authentication, HTTP Basic Authentication, IP address restrictions or using a reverse proxy. For more information, see SignServer Authentication and Authorization.

Worker Logger

Signing requests are logged in the Worker Log and the configured Worker Logger handles selecting, formatting and storing the log fields. By default, logs are written to files but can also be configured to be written to the database (using the SecurityEventsWrokerLogger).

Archiver

By configuring one or more Archivers on a worker, the request and/or response can be stored by the Archiver, for example, to the database (using the Base64DatabaseArchiver).

Accounter

An Accounter component can be implemented and configured to integrate with for example an external accounting or billing system.

Integration

Client Applications

Easily submit files or data for signing using the available Client CLI / SignClient application, use a standard tool like cURL, a web browser or implement your own application using the Client HTTP Interface or Client Web Service (WS) interface.

Plug-ins

Plug-ins provide functionality allowing you to bring your own code and implement own functionality and workflows.

Service Provider Interface (SPI) for creating new workers and components.

Integration with EJBCA

Automatic signer certificate renewal when used together with EJBCA.

Signer certificate renewal with an outgoing connection from EJBCA to SignServer (Peer Connector support).

External CAs

Get your document signer certificate, such as PDF signing certificates, signed by public recognized CAs using PKCS#10.

Health Check

Use the health check service to query the status of a node from a load balancer.

Reverse Proxy

Allows you to, for instance, put an Apache HTTP Server as Reverse Proxy in front of SignServer to add support for additional authentication mechanisms or perform URL rewrites, etc.

Administration

SignServer provides multiple interfaces for administrating workers and key management, as well as querying the audit log and archive.

The SignServer Administration Web (Admin Web) supports remote management with strong authentication, see Administration Web.