The following lists the steps required to manually install SignServer and set up a crypto token to start using code signing.

Download and unzip the latest SignServer Enterprise Edition from your download area, or download the free and open-source SignServer Community Edition from GitHub or Docker Hub.

Install SignServer

The SignServer installation includes the following steps:

  1. Checking prerequisites
  2. Unpacking SignServer
  3. Building SignServer (optional)
  4. Setting up environment variables
  5. Setting up database
  6. Configuring web server keystores
  7. Configuring Application Server
  8. Configuring deployment
  9. Deploying SignServer
  10. Accessing SignServer

For detailed information, refer to the SignServer documentation section SignServer Installation.

Make sure you are using the appropriate version of the documentation for your version of the software.

Set Up a Crypto Token

SignServer workers use a crypto token to communicate with the HSM or software keystore, so you first need to set up a worker that holds this crypto token. Other workers can then use this worker to access the crypto token.

To set up the crypto token, see the respective Using an HSM or Using a Soft Keystore sections below.

Using an HSM

To set up a crypto token using an HSM, do the following:

  1. Access the SignServer Administration Web.
  2. On the Workers page, click Add and select From Template.
  3. Select pkcs11-crypto.properties and click Next.
  4. Make the appropriate adjustments for:
    • NAME: Specify a name for the worker, for example HSMCryptoToken1.
    • SHAREDLIBRARYNAME: The HSM model you are using.
    • SLOTLABELTYPE: How to reference the slot to use, by number or index.
    • SLOTLABELVALUE: The slot number or index to use.
  5. Click Apply and then Activate.
  6. Enter the slot/partition password (if required by the HSM/keystore) and click Activate.
  7. Select the worker name, for example HSMCryptoToken1, and click the Status Summary tab to check for any errors.
  8. Click the Crypto Token tab, select Generate Key and specify the following before clicking Generate.
    • New Key Alias: testkey0
    • Key Algorithm: RSA
    • Key Specification: 1024
  9. Click Activate again and enter the slot/partition password (if any), and then click Activate.
  10. The crypto worker should now be in ACTIVE state. If not, check for errors on the Status Summary tab and, if needed, in the server log.

Using a Soft Keystore (for Demo/Testing)

To set up a crypto token using a soft keystore, do the following:

  1. Access the SignServer Administration Web.
  2. On the Workers page, click Add and select From Template.
  3. Select keystore-crypto.properties and click Next.
  4. Make the appropriate adjustments for:
    • NAME: Specify a name for the worker, for example SoftCryptoToken1.
    • KEYSTORETYPE: INTERNAL.
    • KEYSTOREPATH: Clear this since the internal KEYSTORETYPE is used.
  5. Click Apply and then Activate and specify a password.
  6. Click the Crypto Token tab, select Generate Key and specify the following before clicking Generate.
    • New Key Alias: testkey0
    • Key Algorithm: RSA
    • Key Specification: 1024
  7. Click Activate again and enter the keystore password.
  8. The crypto worker should now be in ACTIVE state. If not, check for errors on the Status Summary tab.
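
The property adjustments in step 4 of both procedures can be checked before clicking Apply. The following is an added example, not part of the SignServer documentation or code base: a small lint over the edited template text and the chosen key parameters. It assumes template keys carry a prefix such as WORKERGENID1. before the property name; the function names and sample values are constructed for illustration.

```python
NUMERIC_SLOT_TYPES = ("SLOT_NUMBER", "SLOT_INDEX")  # slot referenced by number or index

def parse_properties(text):
    """Parse key=value lines into {PROPERTY: value}, dropping any key prefix."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Assumption: template keys look like WORKERGENID1.NAME; keep the last part.
        props[key.strip().split(".")[-1].upper()] = value.strip()
    return props

def lint_crypto_worker(props, key_alg=None, key_spec=None):
    """Return findings for a crypto worker config; an empty list means clean."""
    findings = []
    if not props.get("NAME"):
        findings.append("NAME is empty")
    if "KEYSTORETYPE" in props:  # soft keystore template
        if props["KEYSTORETYPE"] == "INTERNAL" and props.get("KEYSTOREPATH"):
            findings.append("KEYSTOREPATH must be cleared when KEYSTORETYPE=INTERNAL")
    else:  # PKCS#11 (HSM) template
        for name in ("SHAREDLIBRARYNAME", "SLOTLABELTYPE", "SLOTLABELVALUE"):
            if not props.get(name):
                findings.append(name + " is empty")
        slot = props.get("SLOTLABELVALUE", "")
        if slot and props.get("SLOTLABELTYPE") in NUMERIC_SLOT_TYPES and not slot.isdigit():
            findings.append("SLOTLABELVALUE must be numeric for " + props["SLOTLABELTYPE"])
    # RSA keys under 2048 bits are suitable for tests only, not production signing.
    if key_alg == "RSA" and key_spec is not None and int(key_spec) < 2048:
        findings.append("RSA key specification below 2048 bits: test use only")
    return findings

# Constructed sample inputs (values are illustrative, not from a real deployment).
SAMPLE_HSM = """\
WORKERGENID1.NAME=HSMCryptoToken1
WORKERGENID1.SHAREDLIBRARYNAME=ExampleHSM
WORKERGENID1.SLOTLABELTYPE=SLOT_INDEX
WORKERGENID1.SLOTLABELVALUE=first
"""
SAMPLE_SOFT = """\
WORKERGENID1.NAME=SoftCryptoToken1
WORKERGENID1.KEYSTORETYPE=INTERNAL
WORKERGENID1.KEYSTOREPATH=/tmp/old-keystore.p12
"""

if __name__ == "__main__":
    for label, text in (("hsm", SAMPLE_HSM), ("soft", SAMPLE_SOFT)):
        for finding in lint_crypto_worker(parse_properties(text), "RSA", "1024"):
            print(label + ": " + finding)
```

An empty findings list means the properties match what the steps above ask for; it does not confirm that the HSM slot or keystore is reachable, which the Status Summary tab reports after activation.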