Hi,
I have a requirement to create multiple signers using SignServer.
I was wondering if every signer requires a unique certificate or can a single certificate be used for all the signers?
And can I create certificates using SignServer? I can't find anything like that in their documents. If not, what is the suggested way to create certificates from a server-side application?
Thanks in advance
Last edit: Riaz Raza 2016-11-25
Hi Riaz Raza,
Multiple signers can share the same key-pair and certificate. Simply point them to the same crypto token and key and configure the same certificate for them.
Certificates are not intended to be created by SignServer. After generating a key-pair you can get a certificate signing request (CSR) that you can bring to a Certificate Authority (CA) which can issue a certificate for you.
For testing, or in case you don't have a CA in your organization and if you don't want to buy a certificate from a commercial CA, you can set up your own PKI using software like EJBCA (ejbca.org) or OpenSSL.
Regards,
Markus Kilås
PrimeKey Solutions
Hi Markus:
Regarding this: "Multiple signers can share the same key-pair and certificate. Simply point them to the same crypto token and key and configure the same certificate for them"
If you share the keypair and certificate, when you sign a PDF the Common Name will be the same for every signer. In case not, how to achieve that?
Thanks.
Hi David,
The Common Name (CN) is part of the certificate, so if every signer/worker in SignServer shares the same certificate they will also use that CN. From the outside it will look like all signatures are made by the same entity (the owner of that single certificate).
If you instead want the signatures to be different for each user of SignServer then you would have to use different certificates.
Regards,
Markus
PrimeKey Solutions
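
An added example, not part of the thread and not SignServer's own tooling, of the OpenSSL test-CA route mentioned in the first answer, issuing a separate certificate per signer so that each one carries its own CN as described in the second answer. The CSRs are generated with OpenSSL here as a stand-in for the CSRs exported from SignServer; the CA name, signer names, serial numbers and file names are all constructed.

```shell
# Test-only PKI: a throwaway CA issuing one certificate per signer.
# Every name, serial number and path below is constructed for illustration.
set -eu
WORK=$(mktemp -d)

# Self-signed test CA. The key is left unencrypted: acceptable for a lab only.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test Signing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Stand-in for the CSR exported from SignServer for a worker's key-pair.
# $1 = worker name, $2 = Common Name requested for that worker
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# CA side: sign the worker's CSR. $1 = worker name, $2 = serial number
issue_cert() {
  openssl x509 -req -in "$WORK/$1.csr" -days 30 -sha256 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -set_serial "$2" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Print the subject CN that verifiers will see for this worker's signatures.
subject_cn() {
  openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *CN=//'
}

# Succeeds only if the worker's certificate chains to the test CA.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_test_ca
make_csr signer-a "PDF Signer A"; issue_cert signer-a 1001
make_csr signer-b "PDF Signer B"; issue_cert signer-b 1002
for w in signer-a signer-b; do
  chains_to_ca "$w" && echo "$w: CN=$(subject_cn "$w")"
done
```

With a real deployment the private keys stay in the crypto token and only the CSR leaves SignServer; the issued certificate is then configured on the corresponding worker.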