The following provides an overview of SignServer's capabilities and support, with relevant links to documentation and external standards.
SignServer supports multiple application servers and standard, high-performance databases. For more information on SignServer requirements, see Prerequisites.
SignServer supports* the following algorithm types and key sizes/curves.
|RSA||Keys up to and including 8192 bits.|
|Keys up to and including 1024 bits.|
ECDSA key algorithm with named curves.
|EdDSA||Pure EdDSA with Edwards25519 or Edwards448|
Hash algorithms for signatures: SHA-1, SHA-2.
|NSA SUITE B||Compliant with NSA SUITE B algorithms and certificates.|
*See individual workers and crypto tokens for information about what they support. For more information, see Signers Algorithm Support.
SignServer can easily be adapted to customer-specific needs by using plug-ins and supports document signing formats such as the ones listed below.
PDF (ISO 32000)
PDF document processing, including support for:
PAdES (-B, -T, -LT, -LTA) (PDF Advanced Electronic Signatures)
XAdES (-B, -T, -LT, -LTA) (XML Advanced Electronic Signatures)
|XAdES (XAdES-BES and XAdES-T)||XAdES Signer|
|XML (XMLdSig)||XML Signer|
Generic CMS (PKCS#7) signer signs any document or file with support for encapsulated content or detached signatures and client-side hashing.
|CMS signing with support for time-stamping|
SignServer supports code signing formats such as the following.
|Plain signing||Plain Signer|
|CMS signing||CMS Signer|
|OpenPGP signing||OpenPGP Signer|
Java code signing including
CMS signing + time-stamping
OpenPGP signing with client-side hashing
Authenticode signing including:
|Microsoft APPX package signing (AppX)|
Java code signing with client-side hashing
|Android (APK) signing v1, v2 and v3|
Debian package signing (dpkg-sig)
SignServer is used both for MRTD signing and for ICAO CSCA Master list signing.
|Document (MRTD SOD) signing with Logical Data Structure (LDS) version 1.7 and 1.8 support||MRTD SOD Signer|
|Document (MRTD) signing|
|ICAO CSCA Master list signing|
Additional algorithm support
Subject to SoW/support agreement including for instance:
SignServer can be used as the time stamp unit within a Time Stamp Authority (TSA) to generate digitally signed time stamps and includes monitoring of time synchronization, offering both RFC 3161 and MS Authenticode time-stamps.
|Basic Time-stamping||RFC 3161, RFC 5816||Time Stamp Signer|
|Professional Time-stamping including:|
Validators for signed documents, built-in support for XML validation, and XAdES (XAdES-BES and XAdES-T).
The SignServer Validation Service also allows you to make your own validator plug-in.
Hardware Security Modules
SignServer supports Hardware Security Modules (HSMs) and has built-in support for various HSMs such as the ones listed below, and other HSMs with a good PKCS#11 library. SignServer additionally supports software-based keys for lower security requirements or development.
|Generic PKCS#11 Provider|
|SafeNet||ProtectServer Gold Emulator|
|Microsoft Azure||Key Vault|
For HSM vendor-specific installation and configuration information, refer to the EJBCA Documentation section Vendor Specific Information.
SignServer provides multiple integration interfaces such as: