The following provides an overview of SignServer's capabilities and support, with relevant links to documentation and external standards.SignServer supports multiple application servers and standard, high-performance databases. For more information on SignServer requirements, see Prerequisites.


SignServer supports* the following algorithm types and key size/curves.

AlgorithmKey Size/curve
RSAKeys up to and including 8192 bits.


Keys up to and including 1024 bits.

ECDSA key algorithm with named curves.

EdDSAPure EdDSA with Edwards25519 or Edwards448
Hash algorithms

Hash algorithms for signatures, SHA-1, SHA-2.


Compliant with NSA SUITE B algorithms and certificates.

*See individual workers and crypto tokens for information about what they support. For more information, see Signers Algorithm Support.

**Use of DSA is deprecated since SignServer 6.2.

Signature Formats

Document Signing

SignServer can easily be adapted to customer-specific needs by using plug-ins and supports document signing formats such as the ones listed below.


PDF (ISO 32000)

PDF document processing, including support for:

  • Visible signatures.
  • Different certification levels.
  • Requesting and embedding timestamp responses.
  • Requesting and embedding CRLs.
  • Requesting and embedding OCSP responses.
  • PDF permissions.
PDF Signer

PAdES (-B, -T, -LT, -LTA)

(PDF Advanced Electronic Signatures)


AdES Signer

XAdES (–B, -T, -LT, -LTA)

(XML Advanced Electronic Signatures)


AdES Signer

XML (XMLdSig)XML Signer


Generic CMS (PKCS#7) signer signs any document or file with support for encapsulated content or detached signatures and client-side hashing.

CMS Signer
CMS signing with support for time-stamping

Code Signing

SignServer supports code signing formats such as the following.

Plain signingPlain Signer
CMS signingCMS Signer
OpenPGP signingOpenPGP Signer

Java code signing including

  • JAR signing
  • Android (APK) signing v1
JArchive Signer

CMS signing + time-stamping

OpenPGP signing with client-side hashing

Authenticode signing including:

  • Signing of Windows Executable files
  • Signing of Windows Installer files (.MSI)
  • Signing of PowerShell script files (.ps1)
  • Signing of Catalogue files (.cat)
  • Signing of Cabinet files (.cab)
Microsoft APPX package signing (AppX)


Appx Signer

Java code signing with client-side hashing

Android (APK) signing v1, v2 and v3


APK Signer

Debian package signing (dpkg-sig)


SignServer is used both for MRTD signing and for ICAO CSCA Master list signing.

Document (MRTD SOD) signing with Logical Data Structure (LDS) version 1.7 and 1.8 supportMRTD SOD Signer
Document (MRTD) signing

MRTD Signer

ICAO CSCA Master list signing

Additional algorithm support

(warning) Subject to SoW/support agreement including for instance:

  • Java patch with HSM support for ePassport required algorithms such as
    • SHA256withRSAandMGF1 (RSASSA-PSS)
    • SHA224withECDSA
    • Brainpool ECC curves
    • ...


SignServer can be used as the time stamp unit within a Time Stamp Authority (TSA) to generate digitally signed time stamps and includes monitoring of time synchronization, offering both RFC 3161 and MS Authenticode time-stamps.

FormatExternal ReferencesDocumentation
Basic Time-stampingRFC 3161, RFC 5816Time Stamp Signer
Professional Time-stamping including:
  • Time synchronization monitoring
  • eIDAS Qualified Electronic Time-stamping extension

RFC 3161, RFC 5816

ETSI EN 319 422

Validation Service

Validators for signed documents, built-in support for XML validation, and XAdES (XAdES-BES and XAdES-T).

The SignServer Validation Service also allows you to make your own validator plug-in.

Third-party Hardware

Hardware Security Modules

SignServer supports Hardware Security Modules (HSMs) and has built-in support for various HSMs such as the ones listed below, and other HSMs with a good PKCS#11 library. SignServer additionally supports software-based keys for lower security requirements or development.

Generic PKCS#11 Provider
SafeNetProtectServer Gold
SafeNetProtectServer Gold Emulator
Microsoft AzureKey Vault
FortanixData Security Manager (DSM)

For HSM vendor specific installation and configuration information, refer to the EJBCA Documentation section Vendor Specific Information.

Integration Interfaces

SignServer provides multiple integration interfaces such as: