Training Manual SignServer-v10-20221012 - 223306

Training Manual

SignServer

Print date: 12 October, 2022


© 2022 PrimeKey

Published by PrimeKey Solutions AB

Solna Access, Sundbybergsvägen 1

SE-171 73 Solna, Sweden

To report errors, please send a note to [email protected]

Notice of Rights

All rights reserved. No part of this book may be reproduced or transmitted in any form by any means,
electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the
publisher. For more information on getting permission for reprints and excerpts, contact
[email protected]

Notice of Liability

The information in this book is distributed on an “As Is” basis without warranty. While every precaution has
been taken in the preparation of the book, neither the authors nor PrimeKey shall have any liability to any
person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by
the instructions contained in the book or by computer software and hardware products described in it.

Trademarks

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and PrimeKey was aware of a trademark claim,
the designations appear as requested by the owner of the trademark. All other product names and services
identified throughout this book are used in editorial fashion only and for the benefit of such companies with
no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to
convey endorsement or other affiliation with this book.
Training Manual SignServer

Table of Contents

1 Introduction PKI ...............................................................................................7

2 Introduction PrimeKey .....................................................................................8


Introduction to Cryptography ........................................................................................9
Introduction to PKI Systems .......................................................................................11
Applications of PKI ......................................................................................................13
PKI by PrimeKey...........................................................................................................15
Policy Documents ........................................................................................................18

3 Roles ...............................................................................................................19
Adding User to Admin Role .........................................................................................19
Adding User to Auditor Role ........................................................................................19
Adding User to Archiver Auditor Role .........................................................................19

4 Crypto Workers ..............................................................................................20


Setting Up a Keystore Crypto Token...........................................................................20
Setting Up a PKCS#11 Crypto Token..........................................................................20

5 Signers............................................................................................................22
Configure and Sign using XAdES Signer ....................................................................22
Renew Signer Key and Certificate...............................................................................24
Configure and Sign using TimeStampSigner .............................................................24
Configure and Sign using MSAuthCode Signer .........................................................25
Configure and Sign using PDFSigner..........................................................................27
Configure and Sign using CMS Signer........................................................................28
Configure and Sign using Plain Signer .......................................................................29
Configure and Sign using CMS Signer with Client-Side Hashing..............................29

6 Time Monitor Manager ..................................................................................31


Setup Time Monitor Manager .....................................................................................31

7 Audit Log, Archive and Monitoring................................................................32


Verification of the Audit Log .......................................................................................32
Querying the Audit Log ................................................................................................32

8 Validators .......................................................................................................33

9 ePassport .......................................................................................................35
Configuring MRTD SOD Signer using CryptoTokenP12A..........................................35
Sign with MRTDSODSigner..........................................................................................35

10 Integration ......................................................................................................36
Sign HelloPE.exe Server-side with MSAuthenticode Signer......................................36
Sign HelloPE.exe with CMS Signer (Client-side Hashing) .........................................37
Sign XML Server-side with XAdES Signer...................................................................37
Add TimeStamping and Sign XML Server-side with XAdES Signer ..........................37
Sign Multiple XMLs Server-side with XAdES Signer ..................................................38
Sign XML Server-side with XAdES Signer with Certificate Client Authentication ....39

11 CLI ...................................................................................................................40
Find Last SignServer Startup.......................................................................................40
Get Status of All Workers ............................................................................................40
Deactivate CryptoToken (CLI) .....................................................................................41
Activate CryptoToken (CLI) .........................................................................................41

12 Peer Connectors ............................................................................................42


Introduction ..................................................................................................................42
Edit the End Entity Profile ............................................................................................42

Create an End Entity.....................................................................................................42


Set up the Peer Connector connection.......................................................................42
Accept the incoming connection request on the SignServer....................................43
Enable Peer Connector for Time Stamp Signer Worker ............................................43
Issue a certificate for the Time Stamp Signer worker ...............................................44
Renew the key pair and certificate for the Time Stamp Signer worker ....................44

13 Archivers, Dispatchers, Authorizers..............................................................45


Archivers.......................................................................................................................45
Dispatchers ..................................................................................................................45
Authorizers ...................................................................................................................46
© 2022 PrimeKey 6 (47)

1 Introduction PKI

Introduction to Cryptography
• Symmetric Cryptography
• Asymmetric Cryptography
• Public Key Certificates

Introduction to PKI Systems
• Certification Authorities
• Registration Authorities
• Validation Authorities

Applications of PKI
• Digital Signatures
• Network / Virtual Private Network Authentication
• Encryption
• Travel Documents
• Authentication

PKI by PrimeKey
• EJBCA
• Certification Authority
• Registration Authority
• Validation Authority
• SignServer
• NPKD
• PKI Appliance
• SEE
• Cloud PKI

Policy Documents
• Certificate Policy (CP)
• Certificate Practice Statement (CPS)
• Certificate Profile and Naming Document


2 Introduction PrimeKey
PrimeKey

• Solutions and Professional Services within Applied Cryptography with focus on PKI

• Main customers are Government & Large Enterprises

• Headquarters in Stockholm, with offices in Sweden, Germany and United States

• Developers and commercial force behind EJBCA.org and SignServer.org


Introduction to Cryptography
Cryptography is the practice of secure communication between two parties in the presence of adversaries.

The history of cryptography is as old as the history of man. There has always been a need for securing
messages between two communicating parties. While in the past the methods used were based on
simple mathematics like letter substitution and shifting, modern techniques make use of complex
mathematical algorithms.

The advent of computing machinery has led to a more widespread need for secure communication between
parties. Thus in a more modern sense, cryptography is the study of protocols used to overcome the influence
of adversaries. Cryptography is strongly related to the various aspects of information security such as
confidentiality, integrity, availability and non-repudiation. A system that facilitates the implementation of a
cryptographic protocol is often referred to as a cryptosystem.

Symmetric Cryptography
If within a cryptosystem the key used for encryption and decryption is the same, the system is referred to as
a symmetric cryptosystem and the study of such a system is referred to as symmetric cryptography. There
are several symmetric cryptosystems in use today and these are the easiest to understand and implement.

The disadvantage of symmetric cryptosystems is the key management of symmetric keys. In order to begin
communication, the parties need to exchange the data necessary for establishing a secure key management
process. This can be difficult if the parties are dispersed over large geographic areas. Thus a person in Europe
may have difficulty exchanging information securely with a person in the Americas, as it would be difficult to
create a secure channel between the two parties to exchange the required information. The solutions to key
management are often insecure and expensive and subject to attack by adversaries. Methods employed
include the use of secure post (subject to interception) and the use of secure couriers (subject to compromise).
Another disadvantage of symmetric cryptography is the difficulty of using it for multi-party
communication. If the secret key held by one party is compromised, the entire system is compromised. It can also
be difficult to know whether the secret key has been compromised, and by which party. Commonly used
symmetric cryptography algorithms are AES (Advanced Encryption Standard) and DES (Data Encryption
Standard).

Asymmetric Cryptography
Asymmetric cryptography is a form of cryptography where keys come in pairs. One key performs the forward
function while the other key performs the reverse function. The cryptography is called asymmetric because
the operation cannot be reversed with the same key: the forward key cannot be used for the reverse function
and vice versa. Asymmetric cryptography is based on the mathematical concept of one-way functions, that is,
functions that are not practically reversible. An analogy for asymmetric cryptography is a door that has two
keys, one to lock it and the other to unlock it. It is thus possible to create many public copies of the key
that locks the door while keeping only one key that unlocks it. Because one key can be made public, this
cryptosystem is also known as Public Key Cryptography, and a system implementing public key
cryptography is a Public Key Crypto System (PKCS), since users typically create a matching key pair and
make one key public while keeping the other secret. A simple example of a cryptographic system that makes use
of asymmetric cryptography is encryption. Users can send secret messages by encrypting a message
with the recipient's public key. In this case only the intended recipient can decrypt the message, since only
that user should have access to the required secret key. The key to successful use of asymmetric encryption
is a key management system, which implements a Public Key Infrastructure. Without this, it is difficult to
establish the reliability of public keys, or even to conveniently find suitable ones.

Public Key Certificates


A public key certificate is a digital document that binds a public key to an identity using a digital signature.
The creation of public key certificates is performed by trusted entities that verify the identity of the public key
certificate requestor and subsequently sign the public key thus rendering the certificate. Public key
certificates are also referred to as digital certificates, X.509 certificates or simply certificates.

Hardware Security Module (HSM)


A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys
for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a
plug-in card or an external device that attaches directly to a computer or network server.

An HSM is trusted because it:

• Is built on top of specialized hardware. The hardware is well-tested and certified in special
laboratories.
• Has a security-focused OS.
• Has limited access via a network interface that is strictly controlled by internal rules.
• Actively hides and protects cryptographic material and operations.

An HSM has special hardware that uses a physical process to create a good source of randomness (entropy)
that in turn is used to generate good quality and “perfectly” random keys.

An HSM can have very good performance. While cryptography performed on an ordinary server typically
achieves a performance of a few hundred signatures per second, some HSMs can do thousands of
signatures per second. It performs a small number of tasks, but does so very efficiently because it’s
designed and optimized for such tasks.


Introduction to PKI Systems


A PKI system consists of several components. These components have several relations and dependencies
on each other and together form a PKI system:

• Certification Authorities
• Registration Authority
• Validation Authority
• Dissemination Services
• PKI Aware Applications
• Relying Parties
• Subscribers
• Trust Centre

Certification Authorities
A Certification Authority (CA) issues and verifies certificates. The CA is responsible for maintaining the
security of the service through the provisioning of technical and procedural controls in order to ensure that
certificates are only issued to appropriate entities. As illustrated in the figure, the CA collects certificate
requests from the registration authority and returns a certificate back to the subscriber.

Registration Authority
The part of the infrastructure that collects and verifies requests for certificates is called the Registration
Authority (RA). The RA implements the procedural and vetting requirements for ensuring that certificates
are only issued to legitimate claimants. The RA implements procedures for establishing the identity of the applicant.

Validation Authority
The Validation Authority provides revocation services. As a piece of digital data, a certificate cannot be
retrieved from the entity to which it is issued. Revocation therefore involves placing the certificate on a blacklist
so that the issued certificate can no longer be used for the purpose for which it was issued. The blacklist is
commonly referred to as a Certificate Revocation List (CRL). Another commonly used procedure for
revocation checking is to publish a protocol whereby external entities may query whether a certificate is
revoked. This protocol is called the Online Certificate Status Protocol (OCSP). A server that facilitates OCSP
checking is commonly referred to as an OCSP server (or OCSP responder). Within the context of the PKI system
described in this section, CRL publishing and online OCSP services are provided by the Validation Authority.
Thus, as illustrated in the figure, the relying party may query the validation service on the validity of a
certificate and receive the result in reply.


Dissemination Services
Certificates, once issued, need to be disseminated to the outside. This can be achieved by publishing them to
external repositories: LDAP, Active Directory and others.

PKI Aware Applications
Applications that rely on security mechanisms provided by PKI are often referred to as PKI aware
applications. These applications are able to interpret, verify and use certificates to provide
additional services. Examples of PKI aware applications include digital signing applications and encryption
applications.

Relying Parties
A relying party is the party that relies on the information provided by the trust service provider. As there is no
direct relation between the trust service provider and the relying party, the party has to base its trust on
various aspects of the trust service provider. These would include reputation, presence of any relying party
agreements, policies and practice statements and so on.

Subscribers
The subscriber is the legal entity to which a certificate is issued by the certification authority. Relations
between subscribers and certification authorities are governed by subscriber agreements. A subscriber
may be a person, a device or any other tangible entity capable of owning a certificate and being identified by
it. Other terms used to describe a subscriber are end entity, user (for certificates issued to persons) and
subject.

Trust Centre
At the heart of the PKI system is the requirement to provide a centralized trusted service where relations
between previously unknown entities may be established through a trusted party. Although there is no natural
relationship of trust between the subscriber and the relying party, the subscriber trusts the CA and
the relying party also trusts the CA, so an indirect trust relationship is established between the subscriber and
the relying party. The question arises as to why the relying party should trust the CA. This is because of its
containment within a trust center. A trust center implements processes, procedures and other security
technology that make it extremely difficult to obtain a certificate without validating the identity of the
subscriber.


Applications of PKI
As a security service, PKI has several applications. Some of the most popular applications are described in
the subsequent sections:

• Digital Signatures
• Network / Virtual Private Network Authentication
• Encryption
• Travel Documents
• Authentication

Note that this is not an exhaustive list and only the most commonly deployed applications are cited.

Digital Signatures
A digital signature is a piece of data which is attached to a message and which can be used to find out if the
message was tampered with during the conversation (such as through the intervention of a malicious user).
This is effective in high speed communications like TLS and in protecting documents and other information,
ensuring the information has not been tampered with since it was signed. The digital signature for a
message is generated in two steps:

1. First, a message digest is generated. A message digest is a summary of the message to be
   transmitted, and has two important properties:
   • It is always smaller than the message itself, and
   • Even the slightest change in the message produces a different digest.
   The message digest is generated using a hashing algorithm.
2. Second, the message digest is encrypted using the sender's private key.

The resulting encrypted message digest is the digital signature. The digital signature is attached to the
message and sent to the receiver. The receiver then does the following:

• Decrypts the digital signature using the sender's public key to obtain the message digest generated by
  the sender.
• Uses the same message digest algorithm as the sender to generate a message digest of the received
  message.
• Compares both message digests (the one sent by the sender as a digital signature, and the one generated
  by the receiver). If they are not exactly the same, a third party has tampered with the message.

We can be sure that the digital signature was sent by the sender (and not by a malicious user) because only
the sender's public key can decrypt the digital signature which was encrypted by the sender's private key. It
is useful to keep in mind that what one key encrypts, the other one decrypts, and vice versa. If decrypting
using the public key renders a faulty message digest, this means that either the message or the message
digest is not exactly what the sender sent.

Using public key cryptography in this manner ensures integrity because we have a way of knowing if the
message we received is exactly what the sender sent. However, notice how the above example guarantees
only integrity. The message itself is sent unencrypted. This is not necessarily a bad thing; in some cases we
might not be interested in keeping the data private, we simply want to make sure it is not tampered with. To
add privacy to this conversation, we would simply need to encrypt the message as a second step or use an
encrypted method of transporting the information from originator to recipient such as secure email.

This technology can be applied to signing things like email, PDF documents, Microsoft Office documents,
Open Office documents to name a few. It can even be used to create signatures on files that don't support
signing internally to ensure they aren't tampered with after storage or archiving. This is especially handy for
legal evidence and documents required by regulation authorities.

Network / Virtual Private Network Authentication

Utilizing prevalent and widely adopted industry standards such as 802.1X, IPsec, L2TP or SSL-VPN for
network or virtual private network authentication, certificates issued by a CA can easily identify users and
devices and even provide single sign-on capabilities for organizations securing wireless, wired or remote
access connections to their network resources.

Encryption
Upon generation of private/public key pairs users can utilize these keys to encrypt data of various types,
including entire storage devices like hard drives, email messages, documents, network transmissions and
many others.

Travel Documents
PKI is used as a security feature in the issuance of travel documents. Digital data is signed by a document
signer during the document issuance process. The use of PKI is part of the International Civil Aviation
Organization (ICAO) standard on travel documents and has led to a new wave of PKI implementations all
over the globe. Second and third generation travel documents make use of extended access control (EAC).
This requires an additional PKI system called the EAC PKI for issuance and verification.

Authentication
As a form of digital identification, PKI can be used to provision digital identities. This is often performed
through the use and deployment of smart cards for private key storage. The use of certificates on smart
cards for authentication is inherently supported by Microsoft systems


PKI by PrimeKey
PrimeKey provides several products capable of meeting the requirements of a PKI management
system. Each of these products serves an individual role in the creation and maintenance of a PKI service
within the context of a trust service provider. A short description of the products is presented below:

• EJBCA
• Validation Authority
• SignServer
• SPOC
• NPKD
• RA Server
• PKI Appliance

The rest of this manual goes into more detail about the installation, configuration and administration of
some of these products.

EJBCA
EJBCA is a Java based Certificate Authority that can be used to issue and manage certificates. EJBCA is
compliant with the EAC 1.11 specification and supports the EU qualified certificate directive. EJBCA can store
its keys in a Hardware Security Module (HSM) through the PKCS#11 interface. EJBCA supports various
algorithms such as RSA and ECC as well as different key lengths. EJBCA uses X.509 certificates to authenticate
the users accessing the administration GUI. EJBCA uses role-based access control and also supports
security functions like dual authorization for administrative tasks and separation of duties. EJBCA supports
both CRL and OCSP for revocation information. EJBCA version 5 is Common Criteria certified up to EAL 4+.

Validation Authority
The Validation Authority (VA) module of EJBCA provides services used to validate a certificate. These
services can run on an installed EJBCA or on a standalone VA installation. Each service can be enabled or
disabled independently at compile time. The services are disabled by default. The VA can be deployed for
signed OCSP responses with the signature generated in an HSM. This proposal however does not include an
HSM for the VA. The VA is built as an instance of EJBCA.

SignServer
SignServer is a Java based server-side signature service, used for signing various kinds of objects.
SignServer can store its keys in a Hardware Security Module (HSM) to enhance both security as well as
performance. SignServer communicates with the HSM through PKCS#11 interface. SignServer is a dynamic
product and able to fit several business cases. By customizing the different workers, SignServer can be
deployed in one of the following roles:

• SignServer as a TSA
• SignServer as a PDF Signer
• SignServer as an XML Signer
• SignServer as a CMS Signer

SignServer is a cutting-edge signer able to provide code signing and advanced CMS and XML signatures through
the deployment and configuration of various workers. SignServer is a modular product and allows for the
creation of workers for each signing purpose. It is possible to create several parallel signers that use
different certificates to perform signing operations. Within the context of SignServer, each signer is referred
to as a worker. A single deployment can host several workers. SignServer provides an SDK, a WS interface and
a command line interface (CLI) for communication with the server. External integration can be performed
using any one of these interfaces. A worker holds the policy for signing operations. Each worker has a
number of user keys associated with it. SignServer integrates with a database and an HSM for persistent
storage. The DB stores configuration, end user certificates (in encrypted format) and log information, while
the HSM stores certain private keys for specified operations.

SPOC
SPOC (Single Point of Contact) is a scheme developed by the European Union (EU) to enable Extended Access
Control (EAC) to Machine-Readable Travel Documents (MRTD) like passports. The purpose of EAC is to
allow each country to decide which other countries should be permitted to read biometric
information. A single SPOC server per country serves the cross-certification requests that are needed for
issuing Inspection System (IS) certificates matching the national MRTD EAC requirements. PrimeKey
Solutions' SPOC Server is tightly integrated with PrimeKey's EJBCA. The latter can simultaneously serve as a
CVCA (Country Verifying Certification Authority) and a set of DVCAs (Document Verifier Certification
Authorities). SPOC Server supports the Web Service interface according to CSN-36 9791.

NPKD
The LDAP server forms the storage database for the storage and maintenance of the certificates. The LDAP
server shall store certificates using the same schema as the ICAO PKD. The LDAP server shall be synchronized
with the ICAO PKD server and also have provisions to manually import certificates whenever required. Manual
import of the following is supported via command line tools; web based GUI applications for import can
be supported:

• CSCA
• DSC
• Defect lists
• CSCA Masterlist

The NPKD supports the following functions:

• Certificate Import
• CRL Import
• CRL Activation
• Certificate De-activation
• CRL export
• Retrieving Information from an IS


RA Server
The RA Server facilitates centralized registration facilities for Inspection Systems (IS). The RA Server is
designed to facilitate the following functions:

• Handle the communication between the DVCA and the IS.
• Ability to handle multiple IS requests to multiple DVCAs
• Ensure uniqueness of certificates

In the absence of an RA Server, the IS would be required to handle certificate requests to several DVCAs,
depending on the range of documents and countries that it would like to inspect. This can introduce errors
into the procedures, especially if several IS systems are sending requests at the same time. In addition, the
short validity of the IS certificates can lead to additional issues with the system.

PKI Appliance
The PrimeKey PKI Appliance uses EJBCA 7 Enterprise Edition, with the ability to deploy all PKI components,
including Certificate Authority, Registration Authority and Validation Authority (CA/RA/VA). In a single
deployment of EJBCA it is possible to effectively manage multiple CAs, thus reducing the need for multiple,
dedicated hardware units. Similarly, one VA can operate as OCSP responder on behalf of multiple issuing
CAs. When starting up, the setup wizard provides faster and easier deployment. Out-of-the-box
functionality for backup/restore and software updates, as well as key management functions, is designed
to simplify operations and maintenance tasks. Integrated with a FIPS 140-2 Level 3 certified HSM, the
PrimeKey PKI Appliance has robust hardware:

• Field replaceable, redundant high-performance SSDs
• Field replaceable, redundant power supply
• Intel Xeon server CPU
• Dual Ethernet interface
• Excellent performance and scalable architecture

The standard configuration can issue up to 100k certificates per hour per device, supports the full life cycle
for 8M+ certificates per device, and the Validation Authority can serve up to 1000 OCSP responses per second.
While a single unit delivers plenty of power on its own, the PrimeKey PKI Appliance is engineered to make it
easy to scale both vertically and horizontally. In that sense, PrimeKey provides a robust building block for
complex and large-scale PKI projects.

Policy Documents

Certificate Policy (CP)
Document stating the different entities of a Public Key Infrastructure (PKI). As defined in X.509, a Certificate
Policy is a named set of rules that indicates the applicability of a certificate to a particular community and/or
class of application with common security requirements.

Certification Practice Statement (CPS)
Statement of the practices that a Certification Authority (CA) employs in managing the certificates that it
issues.

Naming document
Defines the certificate and end entity profiles used in the PKI.

3 Roles
This section covers how to add a user to the following roles:

• Adding User to Admin Role
• Adding User to Auditor Role
• Adding User to Archiver Auditor Role

Adding User to Admin Role

To add a user to the Admin role, do the following:

1. Go to the SignServer Admin on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Select the Administrators tab and click Add to authorize new user
3. Click Load Current
4. Select Admin from roles and click Add
5. Click Switch to Only listed to authorize only listed administrators, and then click Apply
6. Open a new private browser window or close your Firefox browser and verify that you have access by
navigating to the SignServer Admin page https://signserver.primekey.training:8443/signserver/adminweb/

Adding User to Auditor Role

To add a user to the Auditor role, do the following:

1. Go to the SignServer Admin on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Select the Administrators tab and click Add to authorize new user
3. Add the serial number of the auditor user
4. Set the Issuer DN to C=SE, O=PrimeKey Solutions AB, CN=Management CA
5. Select Auditor from roles and click Add
6. Open a new private browser window or close your Firefox browser and verify that you have access to
the SignServer Audit Log tab by navigating to the following page:
https://signserver.primekey.training:8443/signserver/adminweb/auditlog.xhtml

Adding User to Archiver Auditor Role

To add a user to the Archiver Auditor role, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Select the Administrators tab and click Add to authorize new user
3. Add the serial number of the archive auditor user
4. Set the Issuer DN to C=SE, O=PrimeKey Solutions AB, CN=Management CA
5. Select Archive Auditor from roles and click Add
6. Open a new private browser window or close your Firefox browser and verify that you have access to
the SignServer Archive tab by navigating to the following page:
https://signserver.primekey.training:8443/signserver/adminweb/archive.xhtml

4 Crypto Workers
This section covers the following:

• Setting Up a Keystore Crypto Token
• Setting Up a PKCS#11 Crypto Token

Setting Up a Keystore Crypto Token

To configure the crypto worker from the SignServer Admin Web, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select keystore-crypto.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Set NAME to CryptoTokenP12
• Make sure the KEYSTOREPATH is /opt/signserver/res/test/dss10/dss10_keystore.p12
• Remove the # at the beginning of the line containing WORKERGENID1.DEFAULTKEY=testKey
6. Click Apply and verify that the new worker appears in the worker list
7. Select the CryptoTokenP12 worker
8. To view the status, select the worker and click the Status Summary tab. The status should be
OFFLINE as the keystore requires a password for activation
9. Click Crypto Token
10. Click Activate and enter the authentication password foo123
11. Click Activate to change the status to ACTIVE

Setting Up a PKCS#11 Crypto Token

To enable an additional crypto token (PKCS#11) via the SignServer Admin Web, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select pkcs11-crypto.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Set NAME to CryptoTokenP11
• Change SHAREDLIBRARYNAME to SoftHSM2
• Make sure SLOTLABELTYPE is set to SLOT_LABEL
• Make sure SLOTLABELVALUE is set to SIGNSERVER_SLOT
• Make sure DEFAULTKEY is set to case-sensitive testKey
6. Click Apply and verify that the new worker appears in the worker list
7. To view the status, select the worker and click the Status Summary tab. The status is now OFFLINE as
the token requires a password for activation
8. Click Activate and enter the authentication password foo123. Note that even if the authorization was
successful, the token will remain offline as the testKey does not yet exist

9. Click Crypto Token, and click the Generate key link.
10. Set up the new key as follows:
• Set New Key Alias to testKey
• Set Key Algorithm to RSA
• Set Key Specification to 2048
• Leave the number as 1
11. Click Generate and then Activate
12. Enter the authorization code foo123 when prompted
13. The status should now change to ACTIVE

5 Signers
This section covers the following:

• Configure and Sign using XAdES Signer
• Renew Signer Key and Certificate
• Configure and Sign using TimeStampSigner
• Configure and Sign using MSAuthCode Signer
• Configure and Sign using PDFSigner
• Configure and Sign using CMS Signer
• Configure and Sign using Plain Signer
• Configure and Sign using CMS Signer with Client-Side Hashing

Configure and Sign using XAdES Signer

Configuring an XAdES Signer using CryptoTokenP12

To configure a worker from the SignServer Admin Web, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select xadessigner.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Change NAME to XAdESSignerP12
• Change CRYPTOTOKEN to CryptoTokenP12
• Make sure DEFAULTKEY is set to signer00001
6. Click Apply and verify that the new worker appears in the Worker list
7. To view the status of the worker, select the worker XAdESSignerP12 and click the Status Summary
tab. The status should now be ACTIVE

Note that this signer now uses the key and certificate signer00001 from the PKCS#12 file used by
CryptoTokenP12.

Sign with XAdESSignerP12

1. Go to the SignServer Client Web on: https://signserver.primekey.training:8442/signserver/clientweb
2. Click Direct Input tab
3. Set Worker name to XAdESSignerP12
4. In the Input Data field enter XML data such as:

<document>Test 1</document>

5. Click Submit to obtain an XAdES signature

Configuring an XAdES Signer using CryptoTokenP11

To configure a worker from the SignServer Admin Web, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select xadessigner.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Change NAME to XadESSignerP11
• Change CRYPTOTOKEN to CryptoTokenP11
• Change DEFAULTKEY to xades00001
6. Click Apply and verify that the new worker appears in the worker list
7. To view the status, select the worker and click the Status Summary tab and verify that the status is
OFFLINE as there is no key or certificates available yet
8. To generate a new key-pair, make sure the signer is selected and click Renew key
• Set Key Algorithm to RSA
• Set Key Specification to 2048
• Set New Key Alias to xades00001
9. Click Generate and then click Generate CSR to generate a certificate signing request (CSR) for the
new key-pair
• Set Key to xades00001
• Set Signature Algorithm to SHA256WithRSA
• Set DN to CN=Training XAdES Signer

Note: This name is by default not required by EJBCA, but it is still recommended to specify this
identification of the CSR.

10. Click Generate and then click Download and save the request as xades00001.csr
11. Bring the request xades00001.csr to the CA to obtain the certificate issued for it. From the CA, you
should get the signer certificate file, as well as the CA certificate(s). They are either in two separate
PEM files, or in one PEM file including all certificates (full chain)
12. To add the new certificates for the signer, select the worker XadESSignerP11 and click Install
certificates
13. Click Browse and select your signer certificate file
14. Click Add, and then Install
15. Select the Status Summary tab and verify that the status now is ACTIVE

Sign with XAdESSignerP11

1. Go to the SignServer Client Web on: https://signserver.primekey.training:8442/signserver/clientweb
2. Click Direct Input tab
3. Set Worker name to XAdESSignerP11

4. In the Input Data field enter XML data such as:

<document>Test 2</document>

5. Click Submit to obtain an XAdES signature

Renew Signer Key and Certificate

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Select the signer to renew, for example XAdESSignerP11
3. Click the Status Summary tab, scroll down to view the current Signer certificate information, and note
the validity times
4. Click Renew key
• Set Key Algorithm to RSA
• Set Key Specification to 2048
• Set New Key Alias to xades00002
5. Click Generate and then click Generate CSR to generate a certificate signing request (CSR) for the
new key-pair
• Set Key to xades00002
• Set Signature Algorithm to SHA256WithRSA
• Set DN to CN=Training XAdES Signer
6. Click Generate and then Download and save the request as xades00002.csr
7. Bring the request xades00002.csr to the CA to obtain the certificate issued for it. From the CA, you
should get the signer certificate file as well as the CA certificate(s). They are either in two separate
PEM files, or in one PEM file including all certificates (full chain)
8. To add the new certificates for the signer, select the worker XadESSignerP11 and click Install
certificates
9. Click Browse and select your signer certificate file
10. Click Add and then Install
11. Select the Status Summary tab of the signer and verify that the signer is still ACTIVE and that the
Signer certificate validity times have changed

Configure and Sign using TimeStampSigner

Configuring a TimeStampSigner using CryptoTokenP11

To configure a worker from the SignServer Admin Web, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select timestamp.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Change NAME to TimeStampSignerP11

• Change CRYPTOTOKEN to CryptoTokenP11
• Change DEFAULTKEY to timestamp00001
6. Click Apply and verify that the new worker appears in the worker list
7. To view the status, select the worker and click the Status Summary tab and verify that the status is
OFFLINE as there is no key or certificates available yet
8. To generate a new key-pair, select the signer and click Renew key
• Set Key Algorithm to RSA
• Set Key Specification to 2048
• Set New Key Alias to timestamp00001
9. Click Generate and then click Generate CSR to generate a certificate signing request (CSR) for the
new key-pair
• Set Key to timestamp00001
• Set Signature Algorithm to SHA256WithRSA
• Set DN to CN=Training TimeStamp Signer
10. Click Generate and then Download and save the request as timestamp00001.csr
11. Bring the request timestamp00001.csr to the CA to obtain the certificate issued for it. From the CA,
you should get the signer certificate file as well as the CA certificates. They are either in two separate
PEM files, or in one PEM file including all certificates
12. To configure the new certificates for the signer, select the worker TimeStampSignerP11 and click
Install certificates
13. Click Browse and select your signer certificate file
14. Click Add and then Install
15. Select the Status Summary tab and verify that the status is ACTIVE

Sign with TimeStampSignerP11

1. SSH into the SignServer training VM.
2. Run the command to send time stamp requests to a TSA (run as wildfly):

/opt/signserver/bin/signclient timestamp -url "http://localhost:8080/signserver/tsa?workerName=TimeStampSignerP11"

3. You should now get a time stamp reply, and the time stamp request is validated with status (Operation Okay)
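What the signclient timestamp command above (and the same command in the Time Monitor Manager section) actually sends to the TSA worker is an RFC 3161 TimeStampReq. The following is an added example built with openssl, not SignServer's own client or any PrimeKey code: it constructs such a request for a constructed document, reads the request back and checks that it carries only the SHA-256 message imprint of the document, never the document itself. $WORK and all file names are this example's own choices.

```shell
#!/bin/sh
# Added example, not SignServer's signclient. It builds the RFC 3161
# TimeStampReq that "signclient timestamp" sends to the TSA worker and reads
# it back, showing that only the SHA-256 message imprint of the document
# (plus a nonce and the certReq flag) goes to the TSA, never the document.
# $WORK and the file names are this example's own choices.
WORK="${WORK:-$(mktemp -d)}"

# SHA-256 of a file as lower-case hex.
file_sha256() {  # $1 file
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Time-stamp request (DER) for $1: message imprint = SHA-256 of the file,
# a random nonce against replay, certReq so the TSA includes its certificate.
make_ts_query() {  # $1 document  $2 output .tsq
    openssl ts -query -data "$1" -sha256 -cert -out "$2" 2>/dev/null
}

# Pull the message imprint out of a .tsq: take the hex-dump lines that follow
# "Message data:" in the text rendering and strip offsets and the ASCII column.
query_imprint() {  # $1 .tsq
    openssl ts -query -in "$1" -text \
        | sed -n '/^Message data:/,/^[^ ]/p' \
        | grep '^ *[0-9a-f]* - ' \
        | sed 's/^ *[0-9a-f]* - //; s/   .*$//; s/-/ /g' \
        | tr -d ' \n'
}

# MATCH when the request really carries the digest of the document it was made for.
check_query() {  # $1 document  $2 .tsq
    if [ "$(query_imprint "$2")" = "$(file_sha256 "$1")" ]; then echo MATCH; else echo MISMATCH; fi
}

demo() {
    # Constructed sample document, a few kilobytes so the size difference is visible.
    awk 'BEGIN { for (i = 1; i <= 200; i++) print "constructed document line", i }' > "$WORK/doc.txt"
    make_ts_query "$WORK/doc.txt" "$WORK/doc.tsq"
    echo "document: $(wc -c < "$WORK/doc.txt" | tr -d ' ') bytes, sha256 $(file_sha256 "$WORK/doc.txt")"
    echo "request:  $(wc -c < "$WORK/doc.tsq" | tr -d ' ') bytes, imprint $(query_imprint "$WORK/doc.tsq")"
    echo "imprint matches document: $(check_query "$WORK/doc.txt" "$WORK/doc.tsq")"
    # Full text rendering of the request: version, hash algorithm, imprint, nonce, certReq.
    openssl ts -query -in "$WORK/doc.tsq" -text
}
demo
```

The request stays well under a hundred bytes regardless of the document size, which is also why a TSA can be shared across many signers: it never needs access to the data being stamped, only to its digest. A reply from the TSA worker can be inspected the same way with openssl ts -reply -in reply.tsr -text.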

Configure and Sign using MSAuthCode Signer

Configuring a MSAuthCode Signer using CryptoTokenP12

To configure a worker from the SignServer Admin Web, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker

3. Load the configuration by selecting From Template
4. Select ms_authcode_signer.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Change NAME to MSAuthCodeSignerP12
• Change CRYPTOTOKEN to CryptoTokenP12
• Set DEFAULTKEY to code00001
• Set PROGRAM_URL to https://example.com/myapp
• Set SIGNATUREALGORITHM to SHA256withRSA
• Set DIGESTALGORITHM to SHA-256
6. Click Apply and verify that the new worker appears in the worker list
7. To view the status, select the worker MSAuthCodeSignerP12 and click the Status Summary tab. The
status should now be ACTIVE

Sign with MSAuthCodeSignerP12

1. Go to the SignServer Client Web on: https://signserver.primekey.training:8442/signserver/clientweb
2. Click File Upload tab
3. Set Worker Name to MSAuthCodeSignerP12
4. Click Browse and select the executable file HelloPE.exe
5. Click Submit and save the signed executable file as HelloPE-signed.exe
6. If on a Microsoft system, open the signed executable file HelloPE-signed.exe and verify the signature
(but do not run the file)

Screenshots: running an unsigned executable; running a signed executable.

Configure and Sign using PDFSigner

Configuring a PDFSigner using CryptoTokenP12

To configure a worker from the GUI, the following steps can be used:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select pdfsigner.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Set NAME to PDFSigner
• Change CRYPTOTOKEN to CryptoTokenP12
• Set DEFAULTKEY to signer00001
• Set LOCATION to Stockholm
• Set DIGESTALGORITHM to SHA256
6. Click Apply and verify that the new worker appears in the worker list
7. To view the status, select the worker PDFSigner and click the Status Summary tab. The status should
now be ACTIVE

Note that this signer now uses the key and certificate signer00001 from the PKCS#12 file used by
CryptoTokenP12.

Sign with PDFSigner

1. Go to the SignServer Client Web on: https://signserver.primekey.training:8442/signserver/clientweb
2. Click File Upload tab
3. Set Worker Name to PDFSigner
4. Click Browse and select the PDF file ok.pdf
5. Click Submit and save the file as ok-signed.pdf

6. Open the PDF file and verify the signature

Configure and Sign using CMS Signer

Configuring a CMS Signer using CryptoTokenP12

To configure a worker from the GUI, the following steps can be used:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select cmssigner.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Set NAME to CMSSigner
• Change CRYPTOTOKEN to CryptoTokenP12
• Set DEFAULTKEY to signer00001
6. Click Apply and verify that the new worker appears in the worker list
7. To view the status, select the worker CMSSigner and click the Status Summary tab. The status should
now be ACTIVE

Note that this signer now uses the key and certificate signer00001 from the PKCS#12 file used by
CryptoTokenP12.

Sign with CMSSigner

1. Go to the SignServer Client Web on: https://signserver.primekey.training:8442/signserver/clientweb
2. Click File Upload tab
3. Set Worker Name to CMSSigner
4. Click Browse and select the file cms.log
5. Click Submit and save the file as cms.log.p7s
6. To verify the CMS file signature, run the following:

openssl cms -verify -in cms.log.p7s -inform der -CAfile DSSRootCA10.cacert.pem

7. To get the list of the signed certificates, run the following:

openssl pkcs7 -in cms.log.p7s -inform der -noout -print_certs -text

Configure and Sign using Plain Signer

Configuring a Plain Signer using CryptoTokenP12

To configure a worker from the SignServer Admin Web, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select plainsigner.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Set NAME to PlainSigner
• Change CRYPTOTOKEN to CryptoTokenP12
• Set DEFAULTKEY to signer00001
6. Click Apply and verify that the new worker appears in the worker list
7. To view the status of the worker, select the worker PlainSigner and click the Status Summary tab. The
status should now be ACTIVE

Note that this signer now uses the key and certificate signer00001 from the PKCS#12 file used by
CryptoTokenP12.

Sign with Plain Signer

1. Go to the SignServer Client Web on: https://signserver.primekey.training:8442/signserver/clientweb
2. Click File Upload tab
3. Set Worker Name to PlainSigner
4. Click Browse and select the file sample.txt
5. Click Submit and save the file as sample.txt.sig

Configure and Sign using CMS Signer with Client-Side Hashing

Configuring a CMS Signer with client-side hashing using CryptoTokenP12

To configure a worker from the GUI, the following steps can be used:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select cmssigner.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Set NAME to CMSSigner-CLIENTSIDEHASHING
• Change CRYPTOTOKEN to CryptoTokenP12

• Set DEFAULTKEY to signer00001
• Remove the # at the beginning of the line containing WORKERGENID1.CLIENTSIDEHASHING=true
6. Click Apply and verify that the new worker appears in the worker list
7. To view the status, select the worker CMSSigner and click the Status Summary tab. The status should
now be ACTIVE

Note: This worker will be used with the SignClient tool.

6 Time Monitor Manager

The following describes the steps required to set up the Time Monitor Manager and configure the Time
Monitor Service.

Setup Time Monitor Manager

To set up a Time Monitor Manager, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select timemonitormanager.properties from the Load From Template list menu and click Next
5. Make the following changes in the configuration:
• Set NAME to TimeMonitorManager
• Set TIMESERVER.HOST to <A LOCAL NTP HOST>; for training purposes, "time2.google.com" can be
used as an alternative
• Set TIMEMONITOR.STATUSEXPIRETIME to 3000
• Set TIMEMONITOR.WARNRUNTIME to 4600
• Change TIMEMONITOR.DISABLED to false
6. Click Apply and verify that the new worker appears in the worker list
7. Select the TimeStampSignerP11 worker, then click the Configuration tab
8. Click Add to add a new configuration property and set the property as follows:
• Set Name to TIMESOURCE
• Set Value to org.signserver.server.StatusReadingLocalComputerTimeSource
9. Click Submit and save the changes
10. SSH into the SignServer training VM, then run the command to send time stamp requests to a TSA
(run as wildfly):

/opt/signserver/bin/signclient timestamp -url "http://localhost:8080/signserver/tsa?workerName=TimeStampSignerP11"

11. You should now get a time stamp reply, and the time stamp request is validated with status (Operation Okay)

7 Audit Log, Archive and Monitoring

Verification of the Audit Log
To verify the Audit log, run the following:

1. Copy the mysql driver to the ejbca-db folder (run as wildfly):

cp /opt/wildfly/standalone/deployments/mariadb-java-client.jar /opt/signserver/lib/ext/jdbc/jdbc.jar

2. Verify the audit log:

/opt/signserver/bin/signserver-db audit verifylog -all

Querying the Audit Log

The audit log logs both administrator operations and the startup of the server.

To query the Audit log, do the following:

1. Run the command to query the last 20 entries in the audit log (as wildfly user):

/opt/signserver/bin/signserver auditlog -query -limit 20

8 Validators
To validate the signature and the certificate chain using the XAdES validator, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Select the Workers tab and click Add to create a new worker
3. Click the button From File, and use the following configuration:

# Sample configuration of an XAdESValidator.
#
# General properties
WORKERGENID1.TYPE=PROCESSABLE
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.module.xades.validator.XAdESValidator
WORKERGENID1.NAME=XAdESValidator
WORKERGENID1.AUTHTYPE=NOAUTH

# Self-signed CA certificates only
WORKERGENID1.TRUSTANCHORS=

# Intermediate and Issuing CAs if exist
WORKERGENID1.CERTIFICATES=

# If revocation checking (CRL) is available
WORKERGENID1.REVOCATION_CHECKING=false

4. Click Apply
5. Select the worker XadESSignerP11
6. Copy the issuer certificate with the intermediate and root CAs, if any, including:

-----BEGIN CERTIFICATE-----

and

-----END CERTIFICATE-----

7. Paste the certificate into a text editor, and remove the white spaces at the beginning of each line.
8. Copy the text again.
9. Select the worker XAdESValidator, and click Configuration
10. Click Edit on the TRUSTANCHORS
11. Paste the self-signed CA certificate (the certificate with matching Subject and Issuer lines).
12. Click Submit.
13. Click Edit on the CERTIFICATES and paste the intermediate CA and issuing CA, if any.
14. Click Submit.
15. Go to the SignServer Client Web on: https://signserver.primekey.training:8442/signserver/clientweb
16. Click File Upload tab

17. Set Worker Name to XadESSignerP11
18. Click Browse and select the xml file xades_validator_test.xml
19. Click Submit and save the signed file as xades_validator_test-signed.xml
20. Click File Upload tab
21. Set Worker Name to XAdESValidator
22. Click Browse and select the signed xml file xades_validator_test-signed.xml
23. Click Process type and select Validate document
24. Click Submit
25. You should get the response VALID presented
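The two openssl commands from the CMS Signer section (verify against a CA file, then print the embedded certificates) and the trust-anchor split that steps 6 to 13 above perform by hand are easy to get wrong: a verifier only ever trusts relative to the anchors it is given, and TRUSTANCHORS must hold only self-signed certificates while CERTIFICATES holds the CAs below them. The following is an added example, not SignServer, EJBCA or PrimeKey code: it builds a throw-away root, sub CA and signer with openssl, signs a constructed log file as attached CMS, runs the verify and print_certs commands, then sorts the resulting chain the way the validator configuration expects. $WORK and all file names are this example's own choices; the root stands in for DSSRootCA10 and the signer for signer00001.

```shell
#!/bin/sh
# Added example, not SignServer or PrimeKey code. It builds a throw-away PKI
# (root CA -> sub CA -> signer) with openssl, signs a constructed log file as
# attached CMS, then runs the two openssl commands from the CMS Signer steps
# plus the trust-anchor split that the XAdESValidator steps do by hand.
# $WORK and all file names are this example's own choices.
WORK="${WORK:-$(mktemp -d)}"

# Key pair plus CSR for one subject.
new_key_and_csr() {  # $1 name  $2 common name
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=SE/O=Training/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Issue $1's certificate from its CSR, self-signed when $2 is empty, otherwise
# signed by issuer $2. Extensions come only from the ext file, so the result
# does not depend on the local openssl.cnf.
issue_cert() {  # $1 name  $2 issuer name or ""  $3 basicConstraints  $4 keyUsage
    printf 'basicConstraints=critical,%s\nkeyUsage=critical,%s\n' "$3" "$4" > "$WORK/$1.ext"
    if [ -z "$2" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 -sha256 \
            -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
            -CAcreateserial -days 1 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
    fi
}

make_test_pki() {
    new_key_and_csr root   "Test Root CA";   issue_cert root   ""   "CA:TRUE" "keyCertSign,cRLSign"
    new_key_and_csr sub    "Test Sub CA";    issue_cert sub    root "CA:TRUE,pathlen:0" "keyCertSign,cRLSign"
    new_key_and_csr signer "Test Signer";    issue_cert signer sub  "CA:FALSE" "digitalSignature"
    # An unrelated root: a signature is only trusted relative to the -CAfile it is verified against.
    new_key_and_csr other  "Unrelated Root"; issue_cert other  ""   "CA:TRUE" "keyCertSign,cRLSign"
}

# Attached CMS SignedData (DER) over $1, carrying the sub CA certificate next
# to the signer certificate so a verifier needs only the root as trust anchor.
sign_cms() {  # $1 input  $2 output .p7s
    openssl cms -sign -binary -nodetach -md sha256 -signer "$WORK/signer.crt" \
        -inkey "$WORK/signer.key" -certfile "$WORK/sub.crt" -in "$1" -outform DER -out "$2"
}

# The verify command from the CMS Signer steps; prints VALID or INVALID and
# writes the recovered content to $3 on success.
verify_cms() {  # $1 .p7s  $2 CA file  $3 content output
    if openssl cms -verify -in "$1" -inform der -CAfile "$2" -out "$3" 2>/dev/null; then
        echo VALID; return 0
    fi
    echo INVALID; return 1
}

# The print_certs command from the CMS Signer steps, used here to pull the
# certificates out of the signature. The root is appended from the CA's own
# file, as in step 6 of the validator section, since it is not embedded.
extract_chain() {  # $1 .p7s  $2 PEM bundle out
    openssl pkcs7 -in "$1" -inform der -print_certs > "$2"
    cat "$WORK/root.crt" >> "$2"
}

# Split a PEM bundle the way the validator configuration wants it: self-signed
# certificates (Subject == Issuer) go to TRUSTANCHORS, other CA certificates to
# CERTIFICATES, and end-entity certificates are left out.
split_chain() {  # $1 PEM bundle  $2 output directory
    mkdir -p "$2"; rm -f "$2"/cert-*.pem; : > "$2/trustanchors.pem"; : > "$2/certificates.pem"
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ {n++; f=sprintf("%s/cert-%02d.pem", dir, n)}
                     f {print > f}
                     /-----END CERTIFICATE-----/ {close(f); f=""}' "$1"
    for c in "$2"/cert-*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        if [ "$subj" = "$iss" ]; then
            cat "$c" >> "$2/trustanchors.pem"
        elif openssl x509 -in "$c" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
            cat "$c" >> "$2/certificates.pem"
        fi
    done
}

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

demo() {
    make_test_pki
    printf 'constructed log line 1\nconstructed log line 2\n' > "$WORK/cms.log"
    sign_cms "$WORK/cms.log" "$WORK/cms.log.p7s"
    echo "verify against the issuing root:  $(verify_cms "$WORK/cms.log.p7s" "$WORK/root.crt" "$WORK/cms.log.verified")"
    echo "verify against an unrelated root: $(verify_cms "$WORK/cms.log.p7s" "$WORK/other.crt" /dev/null)"
    extract_chain "$WORK/cms.log.p7s" "$WORK/chain.pem"
    split_chain "$WORK/chain.pem" "$WORK/validator"
    echo "TRUSTANCHORS: $(count_certs "$WORK/validator/trustanchors.pem") certificate(s)"
    echo "CERTIFICATES: $(count_certs "$WORK/validator/certificates.pem") certificate(s)"
}
demo
```

The verify step recovers the signed content into cms.log.verified, so it can be compared byte for byte with the original; the second verification, against a root that never issued anything in the chain, fails even though the signature itself is intact, which is the point of choosing the -CAfile (and the validator's TRUSTANCHORS) deliberately. The split leaves the end-entity signer certificate out of both properties, matching steps 11 and 13.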

9 ePassport
The following describes the steps required to configure and sign using the MRTD SOD Signer:

Configuring MRTD SOD Signer using CryptoTokenP12A

To configure an MRTD SOD Signer using a CryptoTokenP12A, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Add to create a new worker
3. Load the configuration by selecting From Template
4. Select mrtdsodsigner.properties from the Load From Template list menu and click Next
5. Make the following changes to the configuration:
• Change NAME to MRTDSODSigner
• Change CRYPTOTOKEN to CryptoTokenP12
• Make sure DEFAULTKEY is set to signer00003
• Set DIGESTALGORITHM to SHA256
• Set SIGNATUREALGORITHM to SHA256withRSA
• Set DODATAGROUPHASHING to false
6. Click Apply and verify that the new worker appears in the worker list
7. To view the status, select the worker MRTDSODSigner and click the Status Summary tab. The status
should now be ACTIVE

Note that this signer now uses the key and certificate signer00003 from the PKCS#12 file used by
CryptoTokenP12A.

Sign with MRTDSODSigner

1. Go to the SignServer Client Web on: https://signserver.primekey.training:8442/signserver/clientweb
2. Click More tab and select eMRTD signing
3. Set worker name to MRTDSODSigner
4. Click Submit to obtain MRTD SOD Signing

10 Integration
This section covers:

• Sign HelloPE.exe Server-side with MSAuthenticode Signer
• Sign HelloPE.exe with CMS Signer (Client-side Hashing)
• Sign XML Server-side with XAdES Signer
• Add TimeStamping and Sign XML Server-side with XAdES Signer
• Sign Multiple XMLs Server-side with XAdES Signer
• Sign XML Server-side with XAdES Signer with Certificate Client Authentication

Sign HelloPE.exe Server-side with MSAuthenticode Signer

To sign the HelloPE.exe server-side with the MSAuthenticode signer, do the following:

1. Go to the SignServer Admin page https://signserver.primekey.training:8443/signserver
2. Click Client CLI Download to download the SignServer CLI SignClient package.

Note: In order to use the SignClient utility, you need to have a Java 11 JRE or JDK installed.

3. Download the signclient package and unzip it in a destination of your choice.
4. Copy the training_files_signserver folder into the signserver directory.
5. Change directory to run the SignClient:

cd signserver/bin/

6. Create a directory:

mkdir ../training_files_signserver/out

7. Sign the HelloPE.exe file with the MSAuthenticode signer:

./signclient signdocument -host signserver.primekey.training -port 8080 -workername MSAuthCodeSignerP12 -infile ../training_files_signserver/HelloPE.exe -outfile ../training_files_signserver/out/HelloPE_MSAuthSigned.exe

8. Examine the signature in the training_files_signserver/out directory:

ls -al ../training_files_signserver/out

9. Copy the file to a MS Windows VM, right-click the file, select Properties and examine the signature
data

Sign HelloPE.exe with CMS Signer (Client-side Hashing)

To sign the HelloPE.exe with the CMS signer (client-side hashing), do the following:

1. Sign the HelloPE.exe file with the CMS Signer:

./signclient signdocument -host signserver.primekey.training -port 8080 -workername CMSSigner-CLIENTSIDEHASHING -metadata USING_CLIENTSUPPLIED_HASH=true -metadata CLIENTSIDE_HASHDIGESTALGORITHM=SHA-256 -clientside -infile ../training_files_signserver/HelloPE.exe -outfile ../training_files_signserver/out/HelloPE_CMS_MSAuthSigned.exe -digestalgorithm SHA-256

2. Examine the signature in the training_files_signserver/out directory.

ls -al ../training_files_signserver/out

3. Copy the file to a MS Windows VM, right-click the file, select Properties and examine the signature
data.

Sign XML Server-side with XAdES Signer

To sign the XML server-side with the XAdES signer, do the following:

1. Sign the xades_validator_test.xml file with the XadESSignerP11 worker:

./signclient signdocument -host signserver.primekey.training -port 8080 -workername XadESSignerP11 -infile ../training_files_signserver/xades_validator_test.xml -outfile ../training_files_signserver/out/xades_validator_test_signed.xml

2. Examine the signature in the training_files_signserver/out directory

ls -al ../training_files_signserver/out

3. Open the file to verify that the file has been signed

Add TimeStamping and Sign XML Server-side with XAdES Signer

To add TimeStamping and sign XML server-side with the XAdES signer, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb
2. Select the MSAuthCodeSignerP12 signer and click the Configuration tab
3. Click Edit for the TIMESTAMP_FORMAT configuration option

4. Specify RFC3161 in the text field and click Submit


5. Click Edit for the TSA_WORKER configuration option
6. Specify TimeStampSignerP11 in the text field and click Submit
7. Sign the HelloPE.exe file with the MSAuthenticode worker:

./signclient signdocument -host signserver.primekey.training -port 8080


-workername MSAuthCodeSignerP12 -infile ../training_files_signserver/
HelloPE.exe -outfile ../training_files_signserver/out/
HelloPE_MSAuthSigned_TimeStamped.exe

8. Examine the signature in the training_files_signserver/out directory

ls -al ../training_files_signserver/out

9. Open the HelloPE_MSAuthSigned_TimeStamped.exe file to verify that the file has been signed

Sign Multiple XMLs Server-side with XAdES Signer


To sign multiple XMLs server-side with the XAdES signer, do the following:

1. Create the following directories:

mkdir -p ../training_files_signserver/batch/in ../training_files_signserver/batch/out

2. Copy the xades_validator_test.xml file ten times into the batch input directory (tee writes its input to every file named):

< ../training_files_signserver/xades_validator_test.xml tee ../training_files_signserver/batch/in/xades-{01..10}.xml

3. Sign multiple XML files with the XAdESSignerP12 worker:

./signclient signdocument -host signserver.primekey.training -port 8080 \
    -workername XAdESSignerP12 \
    -indir ../training_files_signserver/batch/in/ \
    -outdir ../training_files_signserver/batch/out/

4. Examine the signature of XML files in the training_files_signserver/batch/out/ directory

ls -al ../training_files_signserver/batch/out/
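Listing the output directory only shows that files were produced. The following added example (not part of the PrimeKey manual) checks a batch run more carefully: every input file must have an output file, and each output must contain an XML Signature element. It is a structural sanity check, not a cryptographic validation, and the directory names and sample XML it builds for the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the PrimeKey manual): after a batch run with
# signclient -indir/-outdir, check that every input file has an output file and
# that each output contains an XML Signature element. This is a structural
# sanity check only; it does not validate the signature cryptographically.
# Directory names and the sample XML below are constructed for the demo.

# Print one line per problem ("MISSING <name>" or "UNSIGNED <name>") and return
# 1 if any problem was found, 0 if every input has a signed counterpart.
check_batch_output() {
    in_dir="$1"
    out_dir="$2"
    problems=0
    for in_file in "$in_dir"/*.xml; do
        [ -e "$in_file" ] || continue       # empty input directory
        name=$(basename "$in_file")
        out_file="$out_dir/$name"
        if [ ! -f "$out_file" ]; then
            echo "MISSING $name"
            problems=$((problems + 1))
        # An enveloped XAdES signature adds a ds:Signature (or unprefixed
        # Signature) element; its absence means the file was not signed.
        elif ! grep -Eq '<([A-Za-z0-9_]+:)?Signature[ >]' "$out_file"; then
            echo "UNSIGNED $name"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Build a constructed batch: three inputs, of which one output is missing and
# one was copied through unsigned.
make_sample_batch() {
    base="$1"
    mkdir -p "$base/in" "$base/out"
    for n in 01 02 03; do
        printf '<document>test %s</document>\n' "$n" > "$base/in/xades-$n.xml"
    done
    # xades-01: plausible signed output (constructed, not real signer output)
    printf '<document>test 01<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>QUJD</ds:SignatureValue></ds:Signature></document>\n' \
        > "$base/out/xades-01.xml"
    # xades-02: output present but identical to the input (unsigned)
    cp "$base/in/xades-02.xml" "$base/out/xades-02.xml"
    # xades-03: no output at all
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_batch "$tmp"
    check_batch_output "$tmp/in" "$tmp/out"   # prints UNSIGNED xades-02.xml and MISSING xades-03.xml
    rm -rf "$tmp"
fi
```

Run it against the real directories with `check_batch_output ../training_files_signserver/batch/in ../training_files_signserver/batch/out`; a non-zero exit status makes it usable as a gate in a signing pipeline. For a real validation of the signatures, send the output files to an XAdES validator worker.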


Sign XML Server-side with XAdES Signer with Certificate Client Authentication

To sign XML server-side with the XAdES signer using certificate client authentication, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb


2. Select XAdESSignerP12 and click the Authorization tab
3. Click Add
4. Click Load Current, then click Submit
5. In the Description field, enter SuperAdmin
6. Click Submit
7. Click the Configuration tab and select Edit on the AUTHTYPE configuration field
8. In the Value field, specify CLIENTCERT and click Submit
9. Copy the keystores superadmin.p12 and ManagementCA-chain.jks into the signserver directory
10. Sign the xades_validator_test.xml file with the XAdESSignerP12 worker:

./signclient signdocument -host signserver.primekey.training -port 8443 \
    -workername XAdESSignerP12 \
    -infile ../training_files_signserver/xades_validator_test.xml \
    -outfile ../training_files_signserver/out/xades_validator_test_signed_cert_authentication.xml \
    -truststore ../ManagementCA-chain.jks -truststorepwd changeit \
    -keystore ../superadmin.p12 -keystorepwd foo123 -keyalias superadmin

11. Examine the signature in the training_files_signserver/out directory

ls -al ../training_files_signserver/out


11 CLI
The following sections describe CLI commands to use in order to:

• Find Last SignServer Startup
• Get Status of All Workers
• Deactivate CryptoToken (CLI)
• Activate CryptoToken (CLI)

Find Last SignServer Startup


To find the last time SignServer was started, do the following:

1. Open the server log using the "less" tool (run as wildfly user):

less /opt/wildfly/standalone/log/server.log

2. Press Shift+F to start following the file
3. Press Ctrl+C to stop following; less is now positioned at the end of the file
4. Type ?SIGNSERVER_STARTUP and press Enter to search backwards to the last occurrence of the
SignServer startup:

?SIGNSERVER_STARTUP

5. Use Arrow Up and Arrow Down to scroll in the file
6. Locate the REPLY_TIME value and copy it
7. Press Q to exit the "less" tool
8. Convert the reply time from milliseconds to a date:

date -d @$((1496062751485/1000))
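The same lookup can be scripted so that the last startup time is available without an interactive less session, for example from a monitoring check. The following added example (not from the PrimeKey manual) greps the last SIGNSERVER_STARTUP line, extracts the REPLY_TIME field and converts it with date as the manual does. The sample log lines it builds are constructed, not real SignServer output: the only layout assumption is the literal token SIGNSERVER_STARTUP and a field of the form REPLY_TIME:<milliseconds>; GNU date is assumed for `-d`.

```shell
#!/bin/sh
# Added example (not from the PrimeKey manual): find the most recent
# SIGNSERVER_STARTUP event in a server.log and print its REPLY_TIME as a date.
# It scripts the manual's interactive "less ... ?SIGNSERVER_STARTUP ... date -d"
# procedure so the check can run non-interactively.
# The log line layout below is an assumption: the only things relied on are the
# literal token SIGNSERVER_STARTUP and a field of the form REPLY_TIME:<millis>.

# Print the REPLY_TIME (milliseconds since epoch) of the last SIGNSERVER_STARTUP
# line in the given log file, or return 1 if no such line exists.
last_startup_millis() {
    log_file="$1"
    line=$(grep 'SIGNSERVER_STARTUP' "$log_file" | tail -n 1)
    [ -n "$line" ] || return 1
    # Extract the digits following REPLY_TIME: (the manual's millisecond value).
    millis=$(printf '%s\n' "$line" | sed -n 's/.*REPLY_TIME:\([0-9][0-9]*\).*/\1/p')
    [ -n "$millis" ] || return 1
    printf '%s\n' "$millis"
}

# Convert epoch milliseconds to an ISO 8601 UTC timestamp (GNU date assumed).
millis_to_utc() {
    date -u -d "@$(( $1 / 1000 ))" +%Y-%m-%dT%H:%M:%SZ
}

# Convenience wrapper: last startup recorded in the given log, as a UTC timestamp.
last_startup_utc() {
    millis=$(last_startup_millis "$1") || return 1
    millis_to_utc "$millis"
}

# Constructed sample log (NOT real SignServer output): two startups, the later
# one carrying the REPLY_TIME value the manual uses in its date example.
make_sample_log() {
    cat > "$1" <<'EOF'
2017-05-29 12:40:01,000 INFO  [org.signserver.server.log.SystemLogger] EVENT: SIGNSERVER_STARTUP; MODULE: SERVICE; REPLY_TIME:1496061601000; VERSION: example
2017-05-29 12:41:10,000 INFO  [org.signserver.server.log.SystemLogger] EVENT: WORKER_CONFIG_RELOAD; REPLY_TIME:1496061670000
2017-05-29 12:59:11,485 INFO  [org.signserver.server.log.SystemLogger] EVENT: SIGNSERVER_STARTUP; MODULE: SERVICE; REPLY_TIME:1496062751485; VERSION: example
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    last_startup_utc "$tmp"       # prints 2017-05-29T12:59:11Z
    rm -f "$tmp"
fi
```

On the training server, run `last_startup_utc /opt/wildfly/standalone/log/server.log` as the wildfly user. An unexpected restart time is worth correlating with the CryptoToken activation state, since a restart leaves PKCS#11 tokens deactivated until someone activates them again.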

Get Status of All Workers


To get the status of all workers, do the following:

1. Change the directory (run as wildfly):

cd /opt/signserver

2. Run the command to get the status of all workers:


bin/signserver getstatus brief all

Deactivate CryptoToken (CLI)


To deactivate a CryptoToken using the CLI, do the following:

1. Change the directory (run as wildfly):

cd /opt/signserver

2. Run the following command to deactivate the CryptoToken:

bin/signserver deactivatecryptotoken CryptoTokenP11

Activate CryptoToken (CLI)


To activate a CryptoToken using the CLI, do the following:

1. Change the directory (run as wildfly):

cd /opt/signserver

2. Run the following command to activate the CryptoToken:

bin/signserver activatecryptotoken CryptoTokenP11

3. Enter the authorization code (the user PIN is foo123)


4. If the crypto token activated successfully, a confirmation similar to the following is shown:

Trying to activate crypto token of worker with id : Worker{name: CryptoTokenP11}
Activation of worker was successful


12 Peer Connectors
Introduction

A peer connector is used to securely communicate with an EJBCA instance. For SignServer it's used for
certificate renewals through the secure tunnel.

Note: Both EJBCA and SignServer are used during this exercise, so for simplicity use two web
browser windows, one for EJBCA and one for SignServer.

Edit the End Entity Profile


EJBCA:

1. Go to the EJBCA Admin Web on: https://ca.primekey.training:8443/ejbca/adminweb/


2. Navigate to End Entity Profiles
3. Select the TimeStampEndEntityProfile and click Edit End Entity Profile
4. In the Default Certificate Profile, select TimeStampCertificateProfile
5. In the Available Certificate Profile list, select TimeStampCertificateProfile
6. Click Save.

Create an End Entity


EJBCA:

1. Click Add End Entity.


2. From the End Entity Profile drop down list select TimeStampEndEntityProfile
3. In the Username text field enter TimeStampTest
4. In the Password text field enter foo123
5. In the Confirm Password text field enter foo123
6. In the CN, Common name text field enter TimeStampTest
7. From the Certificate Profile drop down list select TimeStampCertificateProfile
8. From the CA drop down list select Sub CA
9. Click Add.

Set up the Peer Connector connection


EJBCA:


1. Click Peer Systems.


2. Click Add to add a new Peer Connector
3. Name the new Peer connector: Peer Connector SignServer
4. Enter the URL: https://signserver.primekey.training:8443/signserver/peer/v1
5. Click Create.

SignServer:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Administrators in the top menu
3. In the Peer System section, enable Allow incoming connections and click Save

Accept the incoming connection request on the SignServer


EJBCA:

1. Go to the EJBCA Admin Web on: https://ca.primekey.training:8443/ejbca/adminweb/


2. Click Ping on the Peer Connector SignServer
3. You should see the text Unable to connect to peer. Unauthorized

SignServer:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Administrators in the main menu
3. Under the Incoming Connections section you should now see a connection attempt from the CA
4. Click Add Authorization... for the incoming connection
5. Make sure only the Peer System role is checked and click Add

EJBCA:

1. Go to the EJBCA Admin Web on: https://ca.primekey.training:8443/ejbca/adminweb/


2. Navigate to Peer Systems
3. Click ping again on the Peer Connector SignServer
4. You should see something similar to Responded to ping request within 10 ms

Note: The Peer Connector is now up between EJBCA and SignServer

Enable Peer Connector for Time Stamp Signer Worker


SignServer:


1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Workers in the main menu
3. Select TimeStampSignerP11 worker
4. Click on the Configuration tab
5. Click Add to add a new configuration property and set the property as follows:
• Set Name to PEERS_VISIBLE
• Set Value to true
6. Click Submit and save the changes

Note: The PEERS_VISIBLE property is now set to true, which means that the worker
uses the peer connector and is visible in EJBCA.

Issue a certificate for the Time Stamp Signer worker


EJBCA:

1. Go to the EJBCA Admin Web on: https://ca.primekey.training:8443/ejbca/adminweb/


2. Navigate to Peer Systems
3. Click Manage on the Peer Connector SignServer connector
4. Click Remote Key Bindings
5. Confirm that you can see the newly created worker on the SignServer
6. Enter TimeStampTest in the Local end entity text box
7. Click Issue signing certificate
8. You should see the text Certificate was renewed

SignServer:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Click Workers in the main menu
3. Confirm that the worker is ACTIVE, which means that the worker has received its certificate and
is now up and running

Renew the key pair and certificate for the Time Stamp Signer worker
EJBCA:

1. Go to the EJBCA Admin Web on: https://ca.primekey.training:8443/ejbca/adminweb/


2. Navigate to Peer Systems
3. Click Manage on the Peer Connector SignServer connector
4. Click Remote Key Bindings
5. Confirm that you can see the newly created worker on the SignServer
6. Tick the Remote key pair
7. Click Renew to renew the key pair and the certificate.


13 Archivers, Dispatchers, Authorizers


Archivers
This section covers how to configure archiving of signing requests and responses.

Configure Base64 Archiver


1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
2. Select the XadESSignerP11 worker
3. Click on the Configuration tab
4. Click Add to add a new configuration property and set the property as follows:
• Set Name to ARCHIVERS
• Set Value to org.signserver.server.archive.base64dbarchiver.Base64DatabaseArchiver
5. Click Submit
6. Go to the Archive tab in the top menu. Add yourself to the Archive Auditor role if necessary. There
should not be any entries in the archive
7. Perform a signing using the XadESSignerP11 worker
8. Reload the Archive page. You should now see an archive entry for the signing of type RESPONSE

Dispatchers
This section covers how to configure a dispatcher worker that can distribute signing requests between
multiple signers.

Setting Up a FirstActiveDispatcher
To set up a FirstActiveDispatcher worker from the SignServer Admin Web, do the following:

1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/

2. Click Add to create a new worker

3. Load the configuration by selecting From Template

4. Select firstactivedispatcher.properties from the Load From Template list menu and click Next

5. Make the following changes in the configuration:

• Make sure NAME is set to FirstActiveDispatcher
• Set WORKERS to XadESSignerP11

6. Click Apply and verify that the new worker appears in the worker list


Sign with Dispatcher


To test signing with a dispatcher, do the following:

1. Go to the SignServer Client Web on: https://signserver.primekey.training:8442/signserver/clientweb


2. Click Direct Input tab
3. Set Worker name to FirstActiveDispatcher
4. In the Input Data field enter XML data such as:

<document>Dispatcher Test</document>

5. Click Submit to obtain an XAdES signature


6. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/
7. Go to the Archive tab and make sure that there are new archive entries since XadESSignerP11 was
used to do the signing

Authorizers
This section covers how to configure the following types of authorization for workers:

• Username and password
• Client certificate

Username and Password Authorization


1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/

2. Select worker FirstActiveDispatcher

3. Click on the Configuration tab

4. Make the following changes in the configuration:

• Set AUTHTYPE to org.signserver.server.UsernamePasswordAuthorizer


5. Click Submit

6. Click Add to add a new configuration property and set the property as follows:

• Set Name to USER.primekey, where primekey is the configured username

• Set Value to foo123

7. Click Submit

8. Perform a signing using the FirstActiveDispatcher worker in the Client Web. You should be prompted
to provide a username and password


9. Perform a signing using signclient and providing a username:

./signclient signdocument -host signserver.primekey.training -port 8080 \
    -workername FirstActiveDispatcher -username primekey \
    -infile ../training_files_signserver/xades_validator_test.xml \
    -outfile ../training_files_signserver/out/xades_validator_test_signed.xml

Client Certificate Authorization


1. Go to the SignServer Admin Web on: https://signserver.primekey.training:8443/signserver/adminweb/

2. Select worker FirstActiveDispatcher

3. Click on the Configuration tab


4. Make the following changes in the configuration:
• Set AUTHTYPE to CLIENTCERT
5. Click Submit

6. Click Remove on the USER.PRIMEKEY setting, then click Remove to confirm

7. Click on the Authorization tab and click Add

8. Click Load Current and Submit

9. Click Submit to make the administrator certificate authorized

10. Open a new private browser window and go to http://signserver.primekey.training:8080/signserver/clientweb/genericdirect.xhtml

11. In the Worker Name field enter FirstActiveDispatcher

12. In the Input Data field enter XML data such as:

<document>Authorization Test</document>

13. Click Submit. You should get an authorization error because the request was sent over HTTP

14. Open a new private browser window and go to https://signserver.primekey.training:8443/signserver/clientweb/genericdirect.xhtml

15. In the Worker Name field enter FirstActiveDispatcher

16. In the Input Data field enter XML data such as:

<document>Authorization Test</document>

17. Click Submit. You should now get a signed response because the request was sent over TLS
authenticated with the administrator certificate
