Hello,
I already installed SignServer with test certificates on a VMware virtual machine with Debian OS.
Now I want to connect a USB cryptographic token and sign documents with it. Is that possible? How do I do it?
Another thing: I do not have the admin web, so I need to do it from the command line.
Hi!
You could download and deploy SignServer CE 5.2.0.Final.
It will have the admin web interface.
Also, if your USB token has a PKCS#11 interface (with a driver for it), it should be possible to use it as a PKCS11CryptoToken crypto worker.
If the driver is not among the pre-configured built-in drivers, you would also need to add it to conf/signserver_deploy.properties (as a cryptotoken.p11.lib.<number>.[name|file] property pair) and re-deploy.
Hello, I already upgraded to 5.2.0.Final, but now it is not working on port 8443:
Not Logged In
Client certificate authentication required
Use TLS client certificate
Yes. You need to set up TLS client certificate authentication.
For example, you could use the sample keystores as a quick way to get started (present in res/test/dss10). There are demo keystores and truststores that could be used with WildFly (explained in README.txt).
There is also a demo client keystore that could be installed in a browser (dss10_admin1.p12, for example).
When this is done, to allow initial access to the admin web UI, issue bin/signserver wsadmins -allowany from the CLI to enable access for any client certificate that was issued by the CA of the server TLS cert.
After this, this certificate can be added as an administrator from within the web UI, and access for all can be disabled.
Alternatively, one can issue bin/signserver wsadmins (and specify the certificate either from a PEM file, or by specifying the serial number and issuer DN).
Thanks.
After installing the user cert on the computer and opening port 8443 on the server firewall, I have the admin web working.
Now I am adding a new worker and don't know what I need to enter in the configuration file.
I attached the USB to the machine.
Please see attachments.
You would need to configure the path to the PKCS#11 library in conf/signserver_deploy.properties (which can be copied and edited from conf/signserver_deploy.properties.sample), add an entry for your PKCS#11 library, and then re-deploy. When you set a SHAREDLIBRARYNAME that points to a library that is not installed, you get the message "Available library names: ", but in this case it's empty, so none of the default ones are found on your system.
Once the library is configured, you should be able to set SHAREDLIBRARYNAME on the PKCS11CryptoWorker to the one you set up for the smartcard driver.
If I understand correctly, I need to enter the path to the USB drivers in signserver_deploy.properties?
Maybe you know where to get drivers for my USB?
USB photo attached
Hello Marcus @malu9369,
I have installed SafeNet Authentication Client:
sudo dpkg -i SafenetAuthenticationClient-core-10.7.xx-0_amd64.deb
After that I found this path in the manual:
To work with CC devices in unlinked mode, enter the following string for Multi-Slot support:
for 32-bit: /usr/lib/libIDPrimePKCS11.so
for 64-bit: /usr/lib64/libIDPrimePKCS11.so
So I configured it in signserver_deploy.properties and deployed again:
cryptotoken.p11.lib.10.name=SafeNet ProtectServer Gold Emulator
cryptotoken.p11.lib.10.file=/usr/lib/libIDPrimePKCS11.so
But now I get an error:
Failed: Activate failed: Failed to initialize PKCS11 provider slot '0'.: PKCS11 not found: no such algorithm: PKCS11 for provider SunPKCS11-libIDPrimePKCS11.so-slot0
I tried slot 1 too, but the same error. Please see attachments.
Maybe my shared library is incorrect?
Since you installed the amd64 deb package, I assume it's a 64-bit system. So, in this case it should probably be
cryptotoken.p11.lib.10.file=/usr/lib64/libIDPrimePKCS11.so
As the manual states, that's the one to use for 64-bit (I think Java will probably fail to load the library using JNI if it's the wrong architecture).
I thought so too, but there is no lib64 dir.
Attached
@malu9369 Maybe you have ideas?
Hello Marcus @malu9369 ,
If SignServer doesn't support my USB token, maybe it supports the eToken 5110 crypto stick?
If not, what do I need to buy to have a working SignServer? I need to allow users to sign PDFs with our company signature.
Hello Marcus @malu9369,
I have some news. I know that the slot is 0, and now I have another error:
Failed: Activate failed: Failed to initialize PKCS11 provider slot '0'.: load failed: CKR_PIN_INCORRECT
Now I have this error:
Can not read private key with alias 'testkey0' from Crypto Token, got null. If the key was generated after the latest application server start then restart the application server.
How do I use the USB stick instead of testkey0?
If I understand correctly, I can't export the private key from the USB crypto token.
How do I set up the default key if my USB private key label is empty? Attached
Help
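The errors in this thread (the library that will not load, CKR_PIN_INCORRECT, the missing alias 'testkey0', the key with an empty label) all come from the SunPKCS11 provider that the PKCS11CryptoToken uses under the hood, so they can be reproduced and diagnosed outside WildFly. The probe below is an added example, not SignServer's own code and not part of the original thread: it checks that the .so matches the JVM's architecture (the 32-bit vs 64-bit point raised above), loads the library through SunPKCS11 with the given slot and PIN, lists the aliases the token exposes, and test-signs with the first usable key. It assumes Java 11 or later, and the class name, the argument order and the library path /usr/lib/libIDPrimePKCS11.so are this example's own choices.

```java
// P11Probe.java  (added example, not SignServer code)
// Build and run on the SignServer host with the same JVM that runs WildFly:
//   javac P11Probe.java && java P11Probe /usr/lib/libIDPrimePKCS11.so 0 <token PIN>
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class P11Probe {

    // EI_CLASS is byte 4 of the ELF header: 1 = 32-bit, 2 = 64-bit.
    // A library of the wrong class cannot be loaded by the JVM, and SunPKCS11
    // then reports "no such algorithm: PKCS11 for provider SunPKCS11-..." as seen above.
    static int elfClass(Path lib) throws IOException {
        byte[] hdr = new byte[5];
        try (InputStream in = Files.newInputStream(lib)) {
            if (in.read(hdr) < 5 || hdr[0] != 0x7f || hdr[1] != 'E' || hdr[2] != 'L' || hdr[3] != 'F') {
                throw new IOException(lib + " is not an ELF shared object");
            }
        }
        return hdr[4] == 1 ? 32 : (hdr[4] == 2 ? 64 : -1);
    }

    public static void main(String[] args) throws Exception {
        Path lib = Path.of(args[0]);
        String slot = args[1];
        char[] pin = args[2].toCharArray();

        // 1. Architecture preflight: the library must match the JVM, not just the OS.
        int jvmBits = Integer.parseInt(System.getProperty("sun.arch.data.model"));
        int libBits = elfClass(lib);
        System.out.printf("library %s: %d-bit, JVM: %d-bit%n", lib, libBits, jvmBits);
        if (libBits != jvmBits) {
            System.err.println("architecture mismatch: this JVM cannot load the library");
            System.exit(1);
        }

        // 2. Configure SunPKCS11 inline (Java 9+ Provider.configure with a "--" config).
        //    'slot' is a PKCS#11 slot ID (SLOTLABELTYPE=SLOT_NUMBER in SignServer);
        //    use 'slotListIndex' for a position in the slot list (SLOT_INDEX) instead.
        String conf = "--name=probe\nlibrary=" + lib + "\nslot=" + slot + "\n";
        Provider p = Security.getProvider("SunPKCS11").configure(conf);
        Security.addProvider(p);

        // 3. Log in. A wrong PIN fails here with CKR_PIN_INCORRECT; repeated failures
        //    can lock the token, so verify the PIN with the vendor client first.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        // 4. List the objects the token exposes. SunPKCS11 derives the alias from
        //    CKA_LABEL, so an unlabelled key pair does not show up here and cannot be
        //    named by DEFAULTKEY: label it on the token before configuring the worker.
        String candidate = null;
        for (String alias : Collections.list(ks.aliases())) {
            boolean hasKey = ks.isKeyEntry(alias);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("alias=%s key=%b subject=%s%n", alias, hasKey,
                    cert == null ? "-" : cert.getSubjectX500Principal());
            if (hasKey && cert != null && candidate == null) {
                candidate = alias;
            }
        }
        if (candidate == null) {
            System.err.println("no labelled key pair with a certificate found on the token");
            System.exit(2);
        }

        // 5. Prove the key is usable: sign on the token, verify with the certificate.
        PrivateKey key = (PrivateKey) ks.getKey(candidate, pin);
        X509Certificate cert = (X509Certificate) ks.getCertificate(candidate);
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] data = "signserver probe".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(alg, p);
        signer.initSign(key);
        signer.update(data);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        System.out.printf("DEFAULTKEY=%s  signature verifies: %b%n", candidate, verifier.verify(sig));
    }
}
```

Once the probe prints a verifying signature, the same values go into the worker: SHAREDLIBRARYNAME must equal the cryptotoken.p11.lib.<number>.name you chose in signserver_deploy.properties (the name is free text, but it has to match exactly), SLOTLABELTYPE=SLOT_NUMBER with SLOTLABELVALUE set to the slot the probe used, PIN to the token PIN, and DEFAULTKEY to the alias the probe listed rather than the testkey0 of the sample configuration. Run the probe as the user and JVM that WildFly runs under, since both the library path and the USB device permissions are evaluated in that context.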
I have installed signserver on centos linux following the instruction https://github.com/blink38/signserver. I had problems creating a worker