Hi
I built a SignServer environment on a RedHat 6.4 box;
the DB is Oracle 11 RAC, an instance on a dedicated Red Hat cluster.
SignServer is configured to produce timestamps by means of an AEP HSM.
I made a number of timestamps to test the speed of the environment;
I saw that the field archivedata.archivedata contains a Base64 part,
but I could not read its content using an ASN1 editor.
1) Could somebody please tell me if there is a way to read this B64 string
(in the field archivedata.archivedata)?
2) I would like to be sure that the server is REALLY using the HSM to produce timestamps,
and not the default keystore which comes with the base installation. Is it possible
to find this information in some field/table of the DB, or is there any other way
to show which certificate SS is using to sign timestamps?
3) In which other field/table can I find the certificate SS is using to sign timestamps?
Thank you very much
Hi Enrico,
1) For the archivedata you would have to base64-decode the string before passing it to your ASN1 editor. It might be the case that when you use the OldDatabaseArchiver the data is actually encoded twice.
You can also use the "bin/signserver archive" Admin CLI commands to export the data first.
2) The log output normally outputs which signer certificate was used. Also, if your timestamp client requests so, the time-stamp response could contain the signer certificate, and if the token is verifiable using that certificate it must have been signed by the matching private key.
3) Certificates are configured using the SIGNERCERT worker property. You can see which certificate is in use for a worker by "bin/signserver getstatus complete WORKERID".
Best regards,
Markus
PrimeKey
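
The decoding step from answer 1, as an added example that is not part of the thread and not SignServer code: it strips base64 layers from an archivedata value until a well-formed DER SEQUENCE appears, so a doubly encoded value is handled too. The function names are hypothetical and the sample value is constructed, not real archive data.

```python
import base64
import binascii


def der_total_length(buf):
    """Encoded length of the DER SEQUENCE at the start of buf, or None."""
    if len(buf) < 2 or buf[0] != 0x30:      # 0x30 = universal SEQUENCE tag
        return None
    first = buf[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def unwrap_archivedata(value, max_layers=3):
    """Return (der_bytes, base64_layers_removed) for a column value."""
    data = value.encode("ascii") if isinstance(value, str) else bytes(value)
    for layers in range(max_layers + 1):
        # Accept only when the SEQUENCE header accounts for every byte.
        if der_total_length(data) == len(data):
            return data, layers
        if layers == max_layers:
            break
        try:
            # Drop line breaks, then decode strictly so garbage is rejected.
            data = base64.b64decode(b"".join(data.split()), validate=True)
        except (binascii.Error, ValueError):
            break
    raise ValueError("no DER SEQUENCE found after base64 decoding")


def constructed_sample():
    """Constructed DER: SEQUENCE { INTEGER 1, OCTET STRING }, not a real token."""
    payload = b"constructed sample"
    body = b"\x02\x01\x01\x04" + bytes([len(payload)]) + payload
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    der = constructed_sample()
    column_value = base64.b64encode(base64.b64encode(der)).decode()  # encoded twice
    decoded, layers = unwrap_archivedata(column_value)
    print("base64 layers removed:", layers)
    with open("archivedata.der", "wb") as fh:   # open this file in the ASN.1 editor
        fh.write(decoded)
```
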