- SignServer Introduction
- SignServer Installation
- Worker Setup
- Configure Client Certificate Authentication and Authorization
- Certificate Renewals Using Peer Systems
- Setting up Android Signing
- Setting up Key Wrapping
- Setting up One-time Keys
- Setting up OpenPGP Signer
- Client HTTP Interface
- Client WS Interface
- Client CLI
- Admin WS Interface
- Legacy Interfaces
- Apache HTTP Server as Reverse Proxy
- Stresstest CLI
- P11NG CLI
- Deploy-time Configuration
- Common Configuration
- Common Properties
- APK Signer
- APK Hash Signer
- APK Lineage Signer
- APK Rotate Signer
- Appx CMS Signer
- Appx Signer
- CMS Signer
- Debian Dpkg-sig Signer
- Extended CMS Signer
- Extended Time Stamp Signer
- JArchive Signer
- JArchive CMS Signer
- MRTD Signer
- MRTD SOD Signer
- MS Authenticode Time Stamp Signer
- Master List Signer
- MS Authenticode Signer
- MS Authenticode CMS Signer
- ODF Signer
- OOXML Signer
- OpenPGP Signer
- OpenPGPPlain Signer
- PDF Signer
- Plain Signer
- Time Stamp Signer
- XAdES Signer
- XML Signer
- SignServer Document Validators
- SignServer Dispatchers
- SignServer Validation Service Framework
- SignServer Timed Services
- Other Workers
- Alias Selectors
- SignServer Authentication and Authorization
- Status Repository
- Health Check
- SignServer TimeMonitor Application
SignServer User Interfaces
- Administration CLI
- Administration GUI
- Main Page
- Workers Activation Page
- Workers Deactivation Page
- Workers Enable Page
- Workers Disable Page
- Workers Key Generation Page
- Workers Test Key Page
- Workers CSR Page
- Workers Install Certificates Page
- Workers Renewal Page
- Workers Removal Page
- Workers Reload from Database Page
- Workers Export Page
- Workers Add Page
- Worker Page
- Workers Enable Page 1
- Workers Disable Page 1
- Global Configuration Page
- Administrators Page
- Audit Log Page
- Archive Page
- Database CLI
- Peer Systems
- Client-Side Hashing
- Key Wrapping
- Developer Reference
- SignServer Release Information
Code Signing How-to Guides
- Code Signing Technical How-to
- Authenticode Code Signing Technical How-to
- How To Integrate Jenkins with SignServer for Automated Code Signing
Architecture and Concepts
SignServer provides client interfaces for submitting files or data for signing.
SignServer can be used with a standard web browser or the client application SignClient or integrated with third-party applications like cURL.
Internally in SignServer, workers and components are handling the request performing the authentication/authorization or interacting with external components. The configuration and logs can optionally be stored in a database.
SignServer can be managed from the command line, a graphical user interface, or be integrated directly from your application using Web Services. Various development APIs are available to enable custom implementations.
The following outlines SignServer's flexible, component-based architecture.
Workers are configured to perform certain activities like signing files of a certain type, often with a specific key.
Workers that perform signing operations are called Signers. A Signer specifies how to perform the signature creation, and which key and certificate to use.
There are multiple implementations of SignServer Signers available for signing different formats and additional implementations can be developed.
A Crypto Worker is a holder for configuring the Crypto Token component that is used to access key material. By configuring the Crypto Token in a Crypto Worker other workers can reference this crypto worker and use it for signing etc.
A SignServer Dispatcher does not perform any processing (i.e. signing) of its own but instead forwards the request to another worker. Dispatchers forward the request to the first available worker that has a valid certificate (FirstActiveDispatcher), or forward a time-stamp request depending on the requested time-stamp policy (RequestedPolicyDispatcher).
A SignServer Timed Service does not accept any input but instead runs at a fixed time interval (like a cron job). This can be useful for setting up an hourly timed service keeping the connection to the Hardware Security Module (HSM) from timing out. For more information, see HSM Keep Alive Timed Service.
SignServer Components provide specific functionality and are configured in the workers.
Crypto Tokens provide access to the keys and cryptography operations. Each Signer is typically configured with a reference to a Crypto Worker having a Crypto Token configured. A Crypto Token using a software keystore is the P12 Crypto Token and one using an HSM is the PKCS11 Crypto Token.
Authorizers are responsible for deciding if a request should be allowed or not. Options include HTTPS/TLS client certificate authentication, HTTP Basic Authentication, IP address restrictions or using a reverse proxy. For more information, see SignServer Authentication and Authorization.
Signing requests are logged in the Worker Log and the configured Worker Logger handles selecting, formatting and storing the log fields. By default, logs are written to files but can also be configured to be written to the database (using the SecurityEventsWrokerLogger).
An Accounter component can be implemented and configured to integrate with for example an external accounting or billing system.
Easily submit files or data for signing using the available Client CLI / SignClient application, use a standard tool like cURL, a web browser or implement your own application using the Client HTTP Interface or Client Web Service (WS) interface.
Plug-ins provide functionality allowing you to bring your own code and implement own functionality and workflows.
Service Provider Interface (SPI) for creating new workers and components.
Integration with EJBCA
Automatic signer certificate renewal when used together with EJBCA.
Signer certificate renewal with an outgoing connection from EJBCA to SignServer (Peer Connector support).
Get your document signer certificate, such as PDF signing certificates, signed by public recognized CAs using PKCS#10.
Use the health check service to query the status of a node from a load balancer.
Allows you to, for instance, put an Apache HTTP Server as Reverse Proxy in front of SignServer to add support for additional authentication mechanisms or perform URL rewrites, etc.
The SignServer Administration Web (Admin Web) supports remote management with strong authentication, see Administration Web.