This is a SignServer Enterprise feature.
This quick start guide describes how to use the SignServer Administration Web (AdminWeb) to set up a crypto token and sample signers for testing purposes.
Setup a Sample Crypto Token
To set up a sample crypto token, do the following:
- Log in to the Administration Web. For example https://localhost:8443/signserver/adminweb when running SignServer locally.
- Click Workers in the top menu.
- Click Add below the workers list.
- Click From Template, select keystore-crypto.properties in the list menu, and click Next.
- In the configuration text view, change the value for “WORKERGENID1.KEYSTOREPATH” so that the path corresponds to your SignServer installation, for example: WORKERGENID1.KEYSTOREPATH=/home/username/signserver/res/test/dss10/dss10_keystore.p12. Click Apply.
Setup a Sample PDF Signer
To set up a sample PDF signer, do the following:
- Click Add below the workers list.
- Click From Template, select pdfsigner.properties in the list menu, and click Next.
- Click Apply.
- To activate the new signer, select the link to the new signer in the workers list, and then click Activate.
- Enter the key store PIN code for the crypto token set up above. The PIN for the sample key store used is “foo123”.
- Click Activate.
The sample PDF signer can now be used, for example using the Client Web page on the PDF upload page: https://localhost:8443/signserver/clientweb/pdfsign.jsp.
Setup a Sample Time-stamp Signer
Follow the steps described in Setup a Sample PDF Signer, but select the template timestamp.properties. This sample uses a pre-configured entry in the sample key store containing a key-pair with an associated signer certificate suitable for time-stamping (with the required extended key usage extension marked as critical).
Setup a Sample HSM (PKCS#11) Crypto Token
To set up a sample HSM crypto token, do the following:
- Follow the steps 1-4 in Setup a Sample Crypto Token for setting up a keystore-based crypto token, but select the template pkcs11-cryptotoken.properties in the From Template list menu.
- Click Next.
- In the configuration text area, modify the property “WORKERGENID1.LIBRARYNAME” to use the library name corresponding to the library used by your HSM vendor.
- For testing purposes, the value for “SoftHSM” can be uncommented (and the previously set value commented out, using the # comment mark). SoftHSM should be available on most GNU/Linux-based operating systems. If required, the values for slot numbers can be edited to correspond to a configured slot in the HSM.
- Generate a new key-pair: Click Renew key… and enter the key algorithm (for example RSA or ECDSA), a suitable key specification (i.e. 2048 for RSA, or prime256v1 for ECDSA), and a new key alias for the key.
- Generate a Certificate Signing Request (CSR) for a signer: Click Generate CSR, and enter the key alias of the newly-generated key. Click the “<” button to enter the key alias. Enter the signature algorithm, for example SHA256withRSA, and a distinguished name (DN) for the signing certificate (for example CN=testsigner).
- Click Generate, and click Download below the result, and then save the resulting CSR (.p10 file).
- Issue a signer certificate for your new signer using your CA and this CSR.
Make sure to issue an appropriate certificate, with the correct certificate extensions, when setting up a time-stamp signer or code signer (such as Java JAR signer or MS Authenticode signer).
Setup a Sample Signer using an HSM Crypto Token
To set up a sample signer using an HSM crypto token, do the following:
- Follow the steps described in Setup a Sample PDF Signer, but before applying the settings, edit the signer settings in the configuration text area and change the “WORKERGENID1.CRYPTOTOKEN” setting to use the commented-out sample for the PKCS#11 crypto token, CryptoTokenP11, so that it matches the crypto token set up using the above template.
- Set the DEFAULTKEY worker property: select the new signer, click Configuration, and then click the Edit link in the table row for the DEFAULTKEY property.
- Enter the key alias for the new key generated in the HSM into the Value text area and click Submit.
- Install the signer certificate chain as issued by your CA: click the link to your PKCS#11 crypto worker in the workers list, and click Install certificates.
- Click the “>” button to select your key generated previously.
- Click Browse and select your issued certificate chain.
- Select Install in token and click Install.
- To activate the new signer, select the link to the new signer in the workers list, and click Activate.
- Enter the HSM slot PIN and click Activate.
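The comment-toggling edits described above (one active LIBRARYNAME line, CRYPTOTOKEN switched to CryptoTokenP11, KEYSTOREPATH set by hand) are easy to get wrong in a text area, so the following added example, which is not part of SignServer or of the original guide, reviews the configuration text before Apply is clicked. The property keys are the ones named on this page; the sample values and the function names `active_properties` and `review` are constructed for illustration.

```python
# Constructed sample of a PKCS#11 crypto token configuration as it might look
# after editing: SoftHSM was uncommented but the earlier value was left active.
# The first library value is a placeholder, not a real library name.
SAMPLE_P11 = """\
WORKERGENID1.LIBRARYNAME=VendorLibrary-placeholder
WORKERGENID1.LIBRARYNAME=SoftHSM
"""

def active_properties(text):
    """Map each uncommented KEY=VALUE line to {KEY: [values in file order]}."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, commented-out line, or not a property
        key, value = line.split("=", 1)
        props.setdefault(key.strip().upper(), []).append(value.strip())
    return props

def review(text, expected_token=None):
    """Return a list of findings for the configuration text before Apply."""
    props, findings = active_properties(text), []
    for key, values in props.items():
        if len(values) > 1:
            # Several uncommented lines for one key: the edit was left half done.
            findings.append(f"{key} is active {len(values)} times; comment out all but one")
        if key.endswith(".KEYSTOREPATH") and "/res/test/" in values[-1]:
            # The sample key store under res/test is meant for testing only.
            findings.append(f"{key} points at the bundled sample key store (testing only)")
        if key.endswith(".CRYPTOTOKEN") and expected_token and values[-1] != expected_token:
            findings.append(f"{key} is {values[-1]!r}, expected {expected_token!r}")
    # LIBRARYNAME appears in the text but every occurrence is commented out.
    if "LIBRARYNAME" in text.upper() and not any(k.endswith(".LIBRARYNAME") for k in props):
        findings.append("LIBRARYNAME has no uncommented value")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_P11):
        print("finding:", finding)
```

Pass `expected_token="CryptoTokenP11"` when reviewing a signer that should use the HSM crypto token; an empty list means none of these checks fired.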