ENTERPRISE  This is a SignServer Enterprise feature.

The Signed Request Authorizer requires that signature requests are signed and that a rule in the worker's authorization list matches one of the fields of the client's certificate. Because the request is signed by the remote client itself, this provides an end-to-end authorization mechanism for deployment scenarios with proxies or similar components between the client and the server.

AUTHTYPE=org.signserver.server.enterprise.signedrequest.SignedRequestAuthorizer

For information on how to list, add, and remove rules, see the Worker Authorization Page in the AdminWeb, or the authorizedclients command in the Administration CLI. Note that this is handled the same way as for the Client Certificate Authorizer.

The authorizer can additionally be configured to require that a TLS client certificate is present. In that case, any valid client certificate (as verified by the web/application server) is accepted, since the authorization rules for this authorizer apply only to the signed request and not to the TLS client certificate. This differs from the Client Certificate Authorizer, which applies the authorization rules to the TLS client certificate.

Worker Properties

| Property | Description | Required |
|---|---|---|
| TRUSTANCHORS | PEM encoded set of trusted certificates to use when verifying the certificate chain of the signed request. | Yes |
| REVOCATION_CHECKING | Option to do certificate revocation checking or not. Default: TRUE. Currently, only OCSP is supported. When enabled, certificates in the chain except the trusted certificates are required to have an Authority Information Access (AIA) extension with an accessible URL to the OCSP responder. | No |
| REQUIRE_TLS_CLIENT_CERTIFICATE | In addition to requiring signed signature requests, it can also be required that the client connecting to SignServer is authenticated using a TLS client certificate. With this property set to TRUE, the authorizer requires a TLS client certificate to be present. The certificate is not checked against an authorization rule, so all client certificates that are accepted by the web/application server are accepted here. Default: TRUE. | No |
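
An added example, not part of the SignServer documentation or code base: a small Python check that applies the defaults and the required flag of the worker properties listed above to an exported worker configuration. The `WORKER1.` key prefix, the function names, the case-insensitive value comparison and the sample values are assumptions, and the certificate body is a placeholder.

```python
import re

AUTHTYPE = "org.signserver.server.enterprise.signedrequest.SignedRequestAuthorizer"
# Defaults as documented for this authorizer; TRUSTANCHORS has no default (required).
DEFAULTS = {"REVOCATION_CHECKING": "TRUE", "REQUIRE_TLS_CLIENT_CERTIFICATE": "TRUE"}
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def parse_properties(text):
    """Parse KEY=VALUE lines; drop an assumed 'WORKERn.' prefix and unescape \\n."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip().rsplit(".", 1)[-1].upper()] = value.strip().replace("\\n", "\n")
    return props

def audit(props):
    """Return (effective settings, findings) for a Signed Request Authorizer worker."""
    if props.get("AUTHTYPE") != AUTHTYPE:
        return {}, ["SKIP: worker does not use the Signed Request Authorizer"]
    # Values are compared case-insensitively here (assumption).
    effective = {k: props.get(k, default).upper() for k, default in DEFAULTS.items()}
    anchors = PEM_CERT.findall(props.get("TRUSTANCHORS", ""))
    effective["TRUSTANCHOR_COUNT"] = len(anchors)
    findings = []
    if not anchors:
        findings.append("ERROR: TRUSTANCHORS is required and holds no PEM certificate")
    if effective["REVOCATION_CHECKING"] != "TRUE":
        findings.append("WARN: REVOCATION_CHECKING is off; no OCSP check on the request signer's chain")
    if effective["REQUIRE_TLS_CLIENT_CERTIFICATE"] == "TRUE":
        findings.append("NOTE: TLS client certificate required, but not matched against authorization rules")
    else:
        findings.append("NOTE: no TLS client certificate required; the signed request is the only client credential")
    return effective, findings

# Constructed sample configuration; the certificate body is a placeholder.
SAMPLE = """\
WORKER1.AUTHTYPE=org.signserver.server.enterprise.signedrequest.SignedRequestAuthorizer
WORKER1.TRUSTANCHORS=-----BEGIN CERTIFICATE-----\\nPLACEHOLDER\\n-----END CERTIFICATE-----
WORKER1.REVOCATION_CHECKING=false
"""

if __name__ == "__main__":
    settings, notes = audit(parse_properties(SAMPLE))
    print(settings)
    print("\n".join(notes))
```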


Request Metadata Properties

| Property | Description |
|---|---|
| SIGNED_REQUEST | The encoded signed request signature created and included by the Client CLI signdocument command with the -signrequest flag, or by following the Signed Request Specification. |