Learn how to get started with SignServer Community as a Docker container.

In this tutorial, you will learn how to:

  • Install Docker
  • Pull SignServer Community container
  • Start SignServer Community container
  • Import client certificate into browser - To learn how to issue a client certificate using EJBCA, see Issue Client Authentication Certificate using EJBCA.
  • Access SignServer Administration Web

Follow the steps below to start an ephemeral instance with client certificate authenticated access for management of the instance. When you stop the container, it will automatically be removed and all data will be destroyed. This setup is suitable for testing SignServer or for evaluating added functionality in an updated version. For information on running the container with more production-like settings with persistent data, refer to SignServer on Docker Hub.

To authenticate with SignServer Administration Web, you need to import a client certificate into your web browser. If you do not have a client certificate or a Certificate Authority (CA), you can follow the Quick Start Guide - Issue Client Authentication Certificate using EJBCA to start a CA and issue a client certificate using EJBCA.

Prerequisites

Before you begin, you need a fresh Ubuntu 22.04 LTS installation with Snap already installed.

Step 1 - Install Docker

By default, Docker commands must be run with root privileges (sudo).

To install Docker, use the following command:

$ sudo snap install docker

Step 2 - Pull SignServer Community container

The SignServer Community Docker container is hosted on Docker Hub and can be pulled straight from the command line using the docker tool.

To download and unpack the latest SignServer Community container from Docker Hub, use the following command:

$ sudo docker pull keyfactor/signserver-ce

Step 3 - Start SignServer Community container

The following describes how to start the SignServer Community container as an ephemeral instance with client certificate authenticated access for management of the instance.

  1. Start the container with the container hostname set to "localhost" and provide the path to your CA certificate file (in this example /home/user/Downloads/ManagementCA.pem) according to the following example:

    $ sudo docker run -it --rm --name signserver \
        -p 80:8080 -p 443:8443 \
        -v /home/user/Downloads/ManagementCA.pem:/mnt/external/secrets/tls/cas/ManagementCA.crt \
        -h localhost \
        keyfactor/signserver-ce
  2. When done, point your browser to the following URL to access SignServer:

    http://localhost/signserver/adminweb
  3. SignServer opens with information that client certificate authentication is required.
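
A pre-flight check for the CA file that step 1 bind-mounts as the trust anchor for client certificate authentication. This is an added example, not part of the original tutorial or the SignServer project; the function name `check_ca_file` and its return codes are this example's own, and it assumes the `openssl` command-line tool is installed on the host.

```shell
#!/usr/bin/env bash
# Added example (not from the SignServer documentation).
# Checks the CA certificate before it is mounted into the container.
# Return codes (convention of this example only):
#   0 ok, 1 missing/unreadable, 2 not a PEM X.509 cert, 3 not a CA, 4 expired

check_ca_file() {
    local f="$1"

    # With -v, Docker creates a missing host path as an empty directory,
    # so a typo in the path would mount a directory instead of the certificate.
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "error: $f is not a readable regular file" >&2
        return 1
    fi

    # Must parse as a PEM-encoded X.509 certificate (only the first
    # certificate in the file is inspected).
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
        echo "error: $f is not a PEM X.509 certificate" >&2
        return 2
    fi

    # A trust anchor for client certificates should be a CA certificate.
    if ! openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "error: $f does not assert basicConstraints CA:TRUE" >&2
        return 3
    fi

    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        echo "error: $f has expired" >&2
        return 4
    fi

    # Print subject and SHA-256 fingerprint so they can be compared with
    # the CA that issued the client certificate.
    openssl x509 -in "$f" -noout -subject -fingerprint -sha256
}

# Usage with the path from this tutorial:
#   check_ca_file /home/user/Downloads/ManagementCA.pem
```

Run the check before the `docker run` command and compare the printed fingerprint with the one shown by the CA that issued your client certificate.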

Step 4 - Import client certificate into browser

To access the SignServer Administration Web, import a client authentication certificate into your web browser. To learn how to issue a client certificate using EJBCA, see the Quick Start Guide - Issue Client Authentication Certificate using EJBCA.

The procedure for importing a certificate may vary. This example describes how to import a certificate to Mozilla Firefox.

To import the certificate in Mozilla Firefox:

  1. On the Firefox menu, select Preferences.
  2. Click Privacy & Security.
  3. In the Security section, click View Certificates.
  4. On the Your Certificates tab, select Import.
  5. Browse to the downloaded P12 keystore to import and select the file.
  6. Enter the password (one time enrollment code) for the P12 certificate file, and click Sign in.
  7. On the Mozilla Firefox tab Your Certificates, verify that the certificate was imported, and then click OK.

The client certificate is now installed in your web browser.

Step 5 - Access SignServer Administration Web

Follow the steps below to access SignServer Administration Web (AdminWeb) using the imported client authentication certificate:

  1. Point your browser to http://localhost/signserver/adminweb.
  2. Click Use TLS client certificate.
  3. In the User Identification Request dialog, ensure that your client certificate is selected, and click OK.
  4. To accept the security risk, click Advanced and then Accept the risk and continue.
  5. SignServer opens displaying the Administration Web.

Next steps

In this tutorial, you learned how to pull and start a SignServer Docker container and import a client authentication certificate into your web browser to access SignServer Administration Web.

To find out more about administering SignServer, see SignServer Administration Web (AdminWeb), or if you are new to SignServer, start with the SignServer Introduction.

To learn how to get started with code signing in SignServer, see the Code Signing Technical How-to.