The CMS signer has the fully qualified class name: org.signserver.module.cmssigner.CMSSigner.


The CMS signer can sign arbitrary data and produces a CMS (RFC 3852) SignedData structure in binary format with or without the content encapsulated. Currently the signer certificate is always included.

Available Properties


Property specifying the algorithm used to sign the data. Default: depending on the signing key: SHA256withDSA for DSA keys, SHA256withECDSA for ECDSA keys, Ed25519 or Ed448 or EdDSA keys, otherwise SHA256withRSA.

DETACHEDSIGNATUREProperty specifying if a detached signature ("external signature") should be used. Thus a signature where the content is not included/encapsulated. Default: false.
ALLOW_DETACHEDSIGNATURE_OVERRIDEProperty specifying if the requestor can request an other value for DETACHEDSIGNATURE than what is configured. Default: false.
If set to true, a request could include a metadata property with an other value for DETACHEDSIGNATURE.
CLIENTSIDEHASHINGProperty specifying if the request data should be considered to be a pre-computed (by the requesting client) hash. If this is set to to true, ACCEPTED_HASH_DIGEST_ALGORITHMS must be defined. Default: false.
ALLOW_CLIENTSIDEHASHING_OVERRIDEProperty specifying if the request is allowed to override the behavior defined via CLIENTSIDEHASHING as to if the request data is to be considered the actual data to be signed or a pre-computed hash. Default: false.

Comma-separated list of accepted hash digest algorithms. When a request is consisting of a pre-computed hash, the requested digest algorithm must be among the values specified in this property.

The property does not have a default value, and must be specified if client-side hashing is set as the default, or if overriding via the request is allowed.


Property specifying if the resulting data structure should be parsed and re-encoded using DER encoding. Default: false.

(warning) This option is performed in memory and thus does not support large files. 

CONTENTOIDProperty specifying the content OID to use in the signedData object by default. If not specified, the default CMS data OID (1.2.840.113549.1.7.1) is used.
ALLOW_CONTENTOID_OVERRIDEProperty specifying if the content OID to use in the signedData object should be allowed to be overridden by request metadata (CONTENTOID request parameter). Default: false.

Property specifying that the signature should be calculated directly over the content and not over signed attributes. Thus the signature would not contain any signed attributes if this property is set to true. Default: false.

(warning) Setting this to true is not allowed when CLIENTSIDEHASHING or ALLOW_CLIENTSIDEHASHING_OVERRIDE is configured.

DO_LOGREQUEST_DIGEST If a digest of the request should be computed and logged. Optional, default: false.
LOGREQUEST_DIGESTALGORITHM Algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256.
DO_LOGRESPONSE_DIGEST If a digest of the response should be computed and logged. Optional, default: false.
LOGRESPONSE_DIGESTALGORITHM Algorithm used to create the message digest (hash) of the response document to put in the log. Default: SHA256.

Request parameters

The following meta data parameters can be specified in a request


If this property is set and defined as true, treat the request data as a pre-computed hash. This requires the CLIENTSIDE_HASHDIGESTALGORITHM meta data property to be set and is only allowed if either the signer is configured by default to assume client-side hashing, or if overriding is allowed.

CLIENTSIDE_HASHDIGESTALGORITHMThe hash digest algorithm of the pre-computed hash.
CONTENTOIDSpecifies the content OID to use in the signedData structure. This is only allowed if the signer is configures to allow overriding content OID.

Signing a pre-computed hash

For background and information on how to use this mode with CMS signatures, see Client Side Hashing.