This is a SignServer Enterprise feature.
Fully qualified class name: org.signserver.module.onetime.cryptoworker.OneTimeCryptoWorker
This is a specific Crypto Worker used for one-time keys and certificates allowing you to have a large number of individual signing keys and certificates, despite the often limited storage capabilities of HSMs. One-time keys are created on request and are deleted once the signature has been created. For more information on setting up one-time keys using the OneTimeCryptoWorker, see Setting up One-time Keys.
The OneTimeCryptoWorker generates a new key-pair for each signing request, creates a certificate signing request (CSR) and uses a CA Connector to obtain a certificate issued for the CSR. One-time keys are not stored once the signature has been created and the key is deleted from the CryptoToken (i.e. the HSM) after signing.
The OneTimeCryptoWorker internally requires a PKCS11CryptoToken referenced by the CRYPTOTOKEN property to use as the source crypto token.
When using the OneTimeCryptoWorker, enable the CESeCore keystore caching by setting cryptotoken.keystorecache=true in conf/cesecore.properties (disabled by default).
The following gives an overview of the components involved in OneTimeCryptoWorker operations:
The Source Crypto Worker contains a Crypto Token in order to communicate with the HSM and perform key operations. The TLS key is created in the HSM using the Source Crypto Token.
The One Time Crypto Worker generates a new key-pair for each signing request, creates a certificate signing request (CSR) and uses a CA Connector to obtain a certificate issued for the CSR. The one-time key is not stored once the signature has been created; it is deleted from the CryptoToken (i.e. the HSM) after signing.
The One Time Crypto Worker references the Source Crypto Worker to get hold of the TLS key/certificate used to connect to the EJBCA CA, and also to perform the one-time key creation and deletion operations in the HSM before and after signing, respectively.
The XAdESSigner references the One Time Crypto Worker in order to perform a signing operation. The signer is configured with a Username Authorizer to provide the user data used by the CA for certificate issuance.
| Property | Description |
|---|---|
| CRYPTOTOKEN | Name of (crypto) worker holding the PKCS11CryptoToken to use as the source crypto token. |
| | Key algorithm to be used for key generation. Required. |
| | Key specification to be used for key generation. Required. |
| KEYALIAS_PREFIX | Key alias prefix. Default: onetime- |
| | CA connector implementation class. Required. |
CA Connector Properties
EJBCA WS CA Connector
The EJBCA WS CA Connector connects to EJBCA using Web Services in the same way as the RenewalWorker.
The CA Connector maps the SignServer User Credentials (username) to the user data required by EJBCA to issue the certificate.
| Property | Description |
|---|---|
| CANAME | CA name. Required. |
| CERTIFICATESTARTTIME | Certificate start time. Optional. |
| CERTIFICATEENDTIME | Certificate end time. Optional. |
| CERTIFICATEPROFILE | Certificate profile. Required. |
| EJBCAWSURL | EJBCA Web Service URL. Required. |
| ENDENTITYPROFILE | End entity profile. Required. |
| CERTSIGNATUREALGORITHM | Signature algorithm used to sign the certificate signing request (CSR). Required. |
| SUBJECTALTNAME_PATTERN | Subject alternative name pattern used to derive the Subject Alternative Names attribute of the certificate to be issued. Example: dNSName=signservertest. Other example subject alternative names: guid=<MS globally unique id>, directoryName=<LDAP escaped DN>, krb5principal=<Krb5 principal name>. Optional. |
| | Subject DN pattern used to derive the Subject DN (Distinguished Name) of the certificate to be issued. Required. |
| TLSCLIENTKEY | TLS client key. Required. |
| TRUSTSTOREPASSWORD | Trust store password. |
| TRUSTSTOREPATH | Trust store path. Either TRUSTSTOREPATH or TRUSTSTOREVALUE is required. |
| TRUSTSTOREVALUE | Trust store value. Either TRUSTSTOREPATH or TRUSTSTOREVALUE is required. |
| | Trust store type. Required. |
| USERNAME_PATTERN | User name pattern used to derive the user name for the end entity, which is registered before the certificate issuance. Required. |
The transactionId is a SignServer-internal random alphanumeric identifier that is unique for each signing request.
Self-Signed CA Connector
The Self-Signed CA Connector generates its own self-signed certificate and is suitable for testing the OneTimeCryptoWorker without requiring an actual CA.
| Property | Description |
|---|---|
| CERTSIGNATUREALGORITHM | Signature algorithm used for self-signing the certificate and for signing the certificate signing request (CSR). Required. |
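To make the required/optional rules of the OneTimeCryptoWorker table and both CA Connector tables checkable before a worker is activated, here is a small property-set validator (an added example, not SignServer's own code). It assumes the SignServer property names KEYALG, KEYSPEC, CACONNECTOR_IMPLEMENTATION, TRUSTSTORETYPE and SUBJECTDN_PATTERN for the rows whose names are not spelled out on this page, and the sample values are constructed.

```python
"""Completeness check for a OneTimeCryptoWorker property set (added example).
Required/optional flags follow the property tables on this page. KEYALG, KEYSPEC,
CACONNECTOR_IMPLEMENTATION, TRUSTSTORETYPE and SUBJECTDN_PATTERN are assumed names
for the rows whose property name is not spelled out on the page."""

WORKER_REQUIRED = ("CRYPTOTOKEN", "KEYALG", "KEYSPEC", "CACONNECTOR_IMPLEMENTATION")
WORKER_DEFAULTS = {"KEYALIAS_PREFIX": "onetime-"}
CONNECTOR_REQUIRED = {
    "ejbca-ws": ("CANAME", "CERTIFICATEPROFILE", "ENDENTITYPROFILE", "EJBCAWSURL",
                 "CERTSIGNATUREALGORITHM", "SUBJECTDN_PATTERN", "TLSCLIENTKEY",
                 "TRUSTSTORETYPE", "USERNAME_PATTERN"),
    "self-signed": ("CERTSIGNATUREALGORITHM",),
}


def validate_onetime_config(props, connector="ejbca-ws"):
    """Return a list of problems; an empty list means the configuration is complete."""
    if connector not in CONNECTOR_REQUIRED:
        raise ValueError(f"unknown CA connector kind: {connector}")
    problems = [f"missing required property {key}"
                for key in WORKER_REQUIRED + CONNECTOR_REQUIRED[connector]
                if not props.get(key)]
    # The trust store may be supplied by path or inline, but one of the two must be set.
    if connector == "ejbca-ws" and not (props.get("TRUSTSTOREPATH") or props.get("TRUSTSTOREVALUE")):
        problems.append("either TRUSTSTOREPATH or TRUSTSTOREVALUE is required")
    return problems


def effective_config(props):
    """Apply the documented default (KEYALIAS_PREFIX) without overriding explicit values."""
    return {**WORKER_DEFAULTS, **props}


# Constructed sample: illustrative values, not a real deployment. Pattern values are
# placeholders; use the substitution syntax documented for SignServer patterns.
SAMPLE = {
    "CRYPTOTOKEN": "SourceCryptoWorker", "KEYALG": "RSA", "KEYSPEC": "2048",
    "CACONNECTOR_IMPLEMENTATION": "<EJBCA WS CA connector class>",
    "CANAME": "ManagementCA", "CERTIFICATEPROFILE": "OneTimeSigning",
    "ENDENTITYPROFILE": "OneTimeSigning",
    "EJBCAWSURL": "https://ejbca.example/ejbca/ejbcaws/ejbcaws",
    "CERTSIGNATUREALGORITHM": "SHA256withRSA", "SUBJECTDN_PATTERN": "CN=<username>",
    "TLSCLIENTKEY": "tlsclient", "TRUSTSTOREPATH": "/opt/signserver/truststore.jks",
    "TRUSTSTORETYPE": "JKS", "USERNAME_PATTERN": "<username>-<transactionId>",
}

if __name__ == "__main__":
    print(validate_onetime_config(SAMPLE) or "configuration complete")
```

Run the check against the property set you intend to load with the Administration CLI; a non-empty list points at rows of the tables above that still need a value.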