ENTERPRISE: This is a SignServer Enterprise feature.
Fully qualified class name: org.signserver.module.renewal.service.RenewalTimedService
The RenewalTimedService is a timed service that periodically checks the signing validity of workers and invokes the renewal worker when needed.
A typical setup with automatic renewal contains at least the following workers:
- The worker holding the crypto token. Configured as usual, but it must be separate from the worker that will be renewed, so that it is not deactivated when the renewed worker's configuration changes during the renewal.
- One or more workers that should be automatically renewed. Each renewee requires the RENEWWORKER property and can have additional properties:
  - Required property RENEWWORKER: Points out which Renewal worker to use.
  - Optional property RENEW_FORDEFAULTKEY: If set to true, the certificate request is sent for the current DEFAULTKEY and no key generation is performed. Default: false.
  - Optional property RENEW_MINREMAININGSIGNINGVALIDITY: The minimum signing validity that must remain for the worker; once less than this remains, the worker is up for renewal. The value is expressed as a number of days, hours, minutes, seconds, and milliseconds in the format "*d *h *m *s *ms". Default: "0d".
- The worker performing the renewal. For configuration information, see RenewalWorker.
The Renewal Timed Service
The worker that runs periodically and checks if a worker needs renewal. It requires a property listing each worker to check and, if needed, renew:
- Required property WORKERS: Comma-separated list of workers to check the validity time for, and to request renewal for if needed.
Like all timed services, the Renewal Timed Service is executed periodically. The service checks the configurations and certificates for all the configured workers and creates a list with renewal statuses for each worker. Each worker in the list configured correctly and up for renewal is then renewed by sending a request for it to the Renewal worker.
For crypto token activation, note that the workers to be renewed must already have their crypto tokens activated. Since only activated workers configured with a certificate are scheduled for renewal, a worker must be renewed manually the first time to obtain its initial key and certificate. For the renewal service to work automatically, the worker that is going to be renewed must use a separate worker (i.e. a CryptoWorker) for its crypto token. If the worker has its own crypto token configuration, the token will be deactivated during the renewal process.
The complete status output of the service lists the renewal status of each configured worker. For example:
```
$ bin/signserver getstatus complete RenewalTimedService1
...
Workers Renewal Prognose:
- TimeStampSigner (102): Renewal after: 2016-03-02 16:14:07,000, with key generation, using renewal worker "RenewalWorker1".
- CMSSigner (3): Renewal after: 2016-02-22 16:01:00,000 (on next run), without key generation, using renewal worker "RenewalWorker1".
```
The example shows that:
- The service is configured to manage two workers, and their names and worker IDs are displayed.
- Both workers have certificates configured and were active, so the service was able to determine the date after which they need to be renewed.
- For the CMSSigner, the renewal date has already passed and this is indicated by the text "on next run" showing that the renewal will take place as soon as the service runs.
- We can assume that the CMSSigner is configured with the worker property "RENEW_FORDEFAULTKEY=true" as the status says "without key generation".
- Both workers are configured with "RENEWWORKER=RenewalWorker1".
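To make the renewee properties above and the prognosis output concrete, here is an added example (not SignServer's own code) that parses a constructed setproperties-style configuration, interprets the "*d *h *m *s *ms" format of RENEW_MINREMAININGSIGNINGVALIDITY, and produces the same kind of "Renewal after" lines as the getstatus output. It assumes the simplification that signing validity ends at the certificate's notAfter date (constructed sample dates are passed in), and that a worker listed in WORKERS without RENEWWORKER is reported rather than renewed.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in setproperties file style (GLOB.WORKERn.CLASSPATH, WORKERn.PROP=value).
SAMPLE_CONFIG = """
GLOB.WORKER101.CLASSPATH=org.signserver.module.renewal.service.RenewalTimedService
WORKER101.NAME=RenewalTimedService1
WORKER101.WORKERS=TimeStampSigner,CMSSigner,PlainSigner
WORKER102.NAME=TimeStampSigner
WORKER102.RENEWWORKER=RenewalWorker1
WORKER102.RENEW_MINREMAININGSIGNINGVALIDITY=30d
WORKER3.NAME=CMSSigner
WORKER3.RENEWWORKER=RenewalWorker1
WORKER3.RENEW_FORDEFAULTKEY=true
WORKER4.NAME=PlainSigner
"""
UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds", "ms": "milliseconds"}

def parse_validity(value):
    """Parse the "*d *h *m *s *ms" duration format, e.g. "1d 12h", into a timedelta."""
    if not re.fullmatch(r"(\s*\d+\s*(ms|d|h|m|s))*\s*", value):
        raise ValueError("bad RENEW_MINREMAININGSIGNINGVALIDITY: %r" % value)
    parts = {}
    for num, unit in re.findall(r"(\d+)\s*(ms|d|h|m|s)", value):
        parts[UNITS[unit]] = parts.get(UNITS[unit], 0) + int(num)
    return timedelta(**parts)

def load_workers(text):
    """Group WORKERn.PROP=value lines by numeric worker id."""
    workers = {}
    for line in text.splitlines():
        m = re.match(r"(?:GLOB\.)?WORKER(\d+)\.([A-Z0-9_]+)=(.*)", line.strip())
        if m:
            workers.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return workers

def renewal_prognosis(workers, service_id, not_after, now):
    """One line per worker in WORKERS; due once less than the minimum validity remains before notAfter (assumed)."""
    by_name = {w.get("NAME"): (wid, w) for wid, w in workers.items()}
    lines = []
    for name in map(str.strip, workers[service_id]["WORKERS"].split(",")):
        wid, w = by_name[name]
        if "RENEWWORKER" not in w:  # not configured correctly: reported, never renewed
            lines.append(f"- {name} ({wid}): Not configured for renewal (missing RENEWWORKER).")
            continue
        renew_after = not_after[name] - parse_validity(w.get("RENEW_MINREMAININGSIGNINGVALIDITY", "0d"))
        due = " (on next run)" if renew_after <= now else ""
        keygen = "without" if w.get("RENEW_FORDEFAULTKEY", "false").lower() == "true" else "with"
        lines.append(f'- {name} ({wid}): Renewal after: {renew_after:%Y-%m-%d %H:%M:%S},000{due}, '
                     f'{keygen} key generation, using renewal worker "{w["RENEWWORKER"]}".')
    return lines
```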
Installing a service
To install a service, use the same commands as for installing a worker:
```
$ bin/signserver setproperties configuration.properties
```
For example, installing the sample status report service and reloading its worker:
```
$ bin/signserver setproperties doc/sample-configs/signerstatusreport.properties
===========================================
Executing Command on host : localhost
===========================================
Configuring properties as defined in the file : doc/sample-configs/signerstatusreport.properties
Setting the property ACTIVE to TRUE for worker 2
Setting the property INTERVAL to 10 for worker 2
Setting the global property WORKER2.CLASSPATH to org.signserver.server.timedservices.SignerStatusReportTimedService with scope GLOB.
Setting the property WORKERS to PDFSigner1 for worker 2
Setting the property NAME to SignerStatusReporter for worker 2
Setting the property OUTPUTFILE to /tmp/statusreport for worker 2
$ bin/signserver reload 2
===========================================
Executing Command on host : localhost
===========================================
SignServer reloaded successfully
Current configuration is now activated
```