The PrimeKey SignServer team is pleased to announce the release of SignServer 5.4.

With this release, we have implemented a new Azure Key Vault Crypto Token as well as a JSON Web Token (JWT) Authorizer.

This release also brings support for keeping SignServer configurations and custom modifications in an external directory, shared between versions.


Azure Key Vault Support

We have implemented a new Crypto Token that allows you to store and use the signing keys in Azure Key Vault. This Azure Key Vault Crypto Token can thus be used as an alternative to using a Hardware Security Module (HSM) or a software keystore. For more information, see AzureKeyVaultCryptoToken.

JSON Web Token Authorizer

A new Authorizer implementation makes it possible to allow signature requests based on the provided JSON Web Token (JWT) included in the request. This allows having an identity provider separate from the SignServer application. Such an identity provider (or authorization server) can potentially offer support for standards like OpenID Connect or OAuth 2.0 etcetera and user directories such as LDAP and Active Directory. For more information, see JWT Authorizer.

Custom Folder for Configuration

To ease upgrades and allow keeping your configurations from a version to another, you can now store your SignServer configurations in a signserver-custom folder outside of the SignServer home directory.

Your configuration files placed in the signserver-custom folder will override the corresponding files found in the SIGNSERVER_HOME directory. Thus, when upgrading SignServer, you can then replace the SignServer folder without having to manually copy old configurations. For more information, see Custom Configuration Outside of Installation Directory in Install SignServer

Upgrade Information

No database changes are required for this release. Review the SignServer Upgrade Notes for important information on changes and requirements to be aware of when upgrading SignServer. For upgrade instructions, see Upgrade SignServer.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.4.0, refer to our JIRA Issue Tracker.

Issues Resolved in 5.4.0

Released April 2020

New Features

DSS-296 - Folder for custom code/configuration outside SignServer tree (see ejbca-custom)

DSS-2064 - Initial support for Azure Key Vault

DSS-2105 - Initial JWT Authorizer


DSS-2124 - Upgrade Bouncy Castle to 1.61

DSS-2132 - Test Azure Crypto token with different algorithms

DSS-2133 - Implement system tests for Azure Crypto token

DSS-2134 - Document Azure Crypto token


DSS-1551 - Implement toggling to enable/disable worker

DSS-2122 - Do not display activate/deactive buttons for workers that do not have a crypto token in its configuration

DSS-2139 - Properly handle when a key alias contains characters that are illegal by Azure Key Vault

Bug Fixes

DSS-891 - JUnit test ListBasedAddressAuthorizerTest fails some times

DSS-925 - NPE if ordering attribute not specified when querying using AdminWS

DSS-1132 - SignServer does not allow signing a certified PDF were level is FORM_FILLING

DSS-1560 - queryTokenEntries Webservice operation throws NPE if ordering parameter not provided

DSS-1779 - XAdESSigner not using strong algorithm by default

DSS-2136 - Regression: PKCS11CryptoToken is not properly auto-activated after deactivation operation is performed

DSS-2137 - Regression: Database CLI / audit log verification tool does not read its configuration properly