
This quick start guide describes how to use the SignServer Administration Web (AdminWeb) to set up a crypto token and sample signers for testing purposes.

Setup a Sample Crypto Token

To set up a sample crypto token, do the following:

  1. Log in to the Administration Web, for example at https://localhost:8443/signserver/adminweb when running SignServer locally.
  2. Click Workers in the top menu.
  3. Click Add below the workers list.
  4. Click From Template, select keystore-crypto.properties in the list menu, and click Next.
  5. In the configuration text view, change the value for “WORKERGENID1.KEYSTOREPATH” so that the path corresponds to your SignServer installation, for example: WORKERGENID1.KEYSTOREPATH=/home/username/signserver/res/test/dss10/dss10_keystore.p12. Click Apply.

Setup a Sample PDF Signer

To set up a sample PDF signer, do the following:

  1. Click Add below the workers list.
  2. Click From Template, select pdfsigner.properties in the list menu, and click Next.
  3. Click Apply.
  4. To activate the new signer, select the link to the new signer in the workers list, and then click Activate.
  5. Enter the key store PIN code for the crypto token set up above. The PIN for the sample key store used is “foo123”.
  6. Click Activate.

The sample PDF signer can now be used, for example using the Client Web page on the PDF upload page: https://localhost:8443/signserver/clientweb/pdfsign.jsp.

Setup a Sample Time-stamp Signer

Follow the steps described in Setup a Sample PDF Signer, but select the template timestamp.properties in the list menu. This sample uses a pre-configured entry in the sample key store that contains a key-pair with an associated signer certificate suitable for time-stamping (with the required extended key usage extension marked as critical).

Setup a Sample HSM (PKCS#11) Crypto Token

To set up a sample HSM crypto token, do the following:

  1. Follow steps 1-4 in Setup a Sample Crypto Token for setting up a keystore-based crypto token, but select the template pkcs11-cryptotoken.properties in the From Template list menu.
  2. Click Next.
  3. In the configuration text area, modify the property “WORKERGENID1.LIBRARYNAME” to use the library name corresponding to the library used by your HSM vendor.
  4. For testing purposes, the value for “SoftHSM” can be uncommented (and the previously set value commented out, using the # comment mark). SoftHSM should be available on most GNU/Linux-based operating systems. If required, the values for slot numbers can be edited to correspond to a configured slot in the HSM.
  5. Generate a new key-pair: Click Renew key… and enter the key algorithm (for example RSA or ECDSA), a suitable key specification (for example 2048 for RSA, or prime256v1 for ECDSA), and a new key alias for the key.
  6. Generate a Certificate Signing Request (CSR) for a signer: Click Generate CSR, and enter the key alias of the newly-generated key. Click the “<” button to enter the key alias. Enter the signature algorithm, for example SHA256withRSA, and a distinguished name (DN) for the signing certificate (for example CN=testsigner).
  7. Click Generate, click Download below the result, and then save the resulting CSR (.p10 file).
  8. Issue a signer certificate for your new signer using your CA and this CSR.

When setting up a time-stamp signer or code signer (such as Java JAR signer or MS Authenticode signer), make sure to issue an appropriate certificate with the correct certificate extensions.
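A check to run on the issued certificate before installing it, as an added example that is not part of the SignServer documentation: it confirms that the certificate carries the public key from the downloaded CSR and, for a time-stamp signer, that the extended key usage extension is critical and lists only time-stamping. It assumes OpenSSL 1.1.1 or later and PEM-encoded files; the function and file names are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not SignServer code. Assumes OpenSSL 1.1.1+ and PEM input.
# Function and file names are hypothetical.

# Print the EKU purposes when the extension is marked critical, else nothing.
critical_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage: critical' |
        tail -n 1 | sed 's/^ *//; s/ *$//'
}

# RFC 3161: a TSA certificate needs a critical EKU holding only timeStamping.
is_timestamp_cert() {
    [ "$(critical_eku "$1")" = "Time Stamping" ]
}

# Succeed only if the certificate holds the public key from the CSR, i.e. it
# was issued for the key alias the CSR was generated from.
cert_matches_csr() {
    cert_key=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# Constructed test data in directory $1: P-256 key, CSR for CN=testsigner,
# one correct TSA certificate and one with a non-critical, two-purpose EKU.
make_sample() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" &&
    openssl req -new -key "$1/key.pem" -subj "/CN=testsigner" -out "$1/csr.pem" &&
    echo 'extendedKeyUsage=critical,timeStamping' > "$1/good.ext" &&
    echo 'extendedKeyUsage=timeStamping,codeSigning' > "$1/bad.ext" &&
    for n in good bad; do
        openssl x509 -req -in "$1/csr.pem" -signkey "$1/key.pem" -days 1 \
            -extfile "$1/$n.ext" -out "$1/$n.pem" 2>/dev/null || return 1
    done
}

# With two arguments (issued certificate, CSR) check real files.
if [ $# -eq 2 ]; then
    cert_matches_csr "$1" "$2" || echo "FAIL: certificate key differs from CSR key"
    is_timestamp_cert "$1" || echo "FAIL: EKU is not critical timeStamping only"
fi
```

Run it with the issued certificate and the saved .p10 file as arguments; no output means both checks passed.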

Setup a Sample Signer using an HSM Crypto Token

To set up a sample signer using an HSM crypto token, do the following:

  1. Follow the steps described in Setup a Sample PDF Signer, but before applying the settings, edit the signer settings in the configuration text area and change the “WORKERGENID1.CRYPTOTOKEN” setting to the commented-out sample value for the PKCS#11 crypto token, CryptoTokenP11, so that it matches the crypto token set up using the above template.
  2. Set the DEFAULTKEY worker property: select the new signer, click Configuration, and then click the Edit link in the table row for the DEFAULTKEY property.
  3. Enter the key alias for the new key generated in the HSM into the Value text area and click Submit.
  4. Install the signer certificate chain as issued by your CA: click the link to your PKCS#11 crypto worker in the workers list, and click Install certificates.
  5. Click the “>” button to select your key generated previously.
  6. Click Browse and select your issued certificate chain.
  7. Select Install in token and click Install.
  8. To activate the new signer, select the link to the new signer in the workers list, and click Activate.
  9. Enter the HSM slot PIN and click Activate.