Activity for Markus Kilås

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    We have moved to https://github.com/Keyfactor/signserver-ce/discussions you might get better visibility on questions there. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    We have moved to https://github.com/Keyfactor/signserver-ce/discussions you might get better visibility on questions there. Cheers, Markus

  • Markus Kilås Markus Kilås modified a blog post

    SignServer Community 6.0 is released

  • Markus Kilås Markus Kilås modified a blog post

    SignServer Community 6.0 is released

  • Markus Kilås Markus Kilås created a blog post

    SignServer Community 6.0 is released

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Sanawar, That looks like a different issue. Note that we have moved to https://github.com/Keyfactor/signserver-ce/discussions/ as forum. Consider posting a question there instead. Cheers, Markus

  • Markus Kilås Markus Kilås created a blog post

    SignServer Community 5.11.1 is released

  • Markus Kilås Markus Kilås created a blog post

    SignServer Community 5.10.0 is released

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Please see the questions in https://sourceforge.net/p/signserver/discussion/668766/thread/b8ec3efea8/ and additionally can you show what command you are using to start the container as well as the output from the beginning of the startup of the container as it is there it could be an error message about missing keystore files etc. Note: We have moved to the signserver-ce GitHub Discussions forums for this type of questions. So you might get a quicker response in the new forum: https://github.com/Keyfactor/signserver-ce/discussions...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Jonathan, I am not completely sure but maybe somebody else more familiar with the container can correct me. But my interpretation is that in this scenario you need to have a proxy in front of SignServer and which is configured for TLS client authentication and that it should somehow forward the certificate to SignServer. Then the SignServer AdminWeb (for instance) will see this certificate that is already verified by the proxy and let you in (assuming the admin rule allows it). In this case SignServer...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Some follow up questions: Are you prompted to choose a certificate when clicking the "Use TLS client certificate" link? With "added the certificate" you mean that you have imported your certificate and private key into the web browser from for instance a PKCS#12/PFX keystore file, right? Is your client certificate issued from a CA for which the CA certificate has been added to the truststore in the application server? Note: We have moved to the signserver-ce GitHub Discussions forums for this type of...

  • Markus Kilås Markus Kilås modified a comment on discussion Open Discussion

    We are pleased to announce the release of SignServer Community 5.9.1. Release highlights include: More frequent releases Code signing with post-quantum cryptography Azure Key Vault support DNSSEC support For more information Read the full SignServer 5.9.1 Release Notes Visit the SignServer project on signserver.org. From now on, our main discussion forum is on GitHub, see SignServer Discussions on GitHub. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    We are pleased to announce the release of SignServer Community 5.9.1. Release highlights include: * More frequent releases * Code signing with post-quantum cryptography * Azure Key Vault support * DNSSEC support For more information Read the full SignServer 5.9.1 Release Notes Visit the SignServer project on signserver.org. From now on, our main discussion forum is on GitHub, see SignServer Discussions on GitHub. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi again Serhii, The delay was a bit longer than expected but now finally the new version is available! Also additionally going forward we are aiming for much more frequent releases. And as you might have seen from the release announcement already, we are starting to use GitHub Discussions. You can find a discussion about the release here: https://github.com/Keyfactor/signserver-ce/discussions/2 Cheers, Markus

  • Markus Kilås Markus Kilås created a blog post

    SignServer Community 5.9.1 is released

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Thanks for getting back and confirming! Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Michel, I think you have identified the issue with the error message: FileNotFoundException: /opt/primekey/secrets/external/tls/cas/ManagementCA.crt (Permission denied) This is the path inside the container to the CA that should be trusted. You are mounting this from /home/fang/.step/certs/root_ca.crt on your host but for some reason it can not be read inside the container. This could be a permissions issue like if the process in the container runs with a different user ID than the owner of the...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi sysmartem, I am not aware of a way of doing exactly this out of the box. However, there are some possibilities but would require some development: 1. The first that comes to mind is that there is a type of workers called Dispatchers that will not do any signing by themselves but instead send the request to another signer based on some criteria. If there were a Dispatcher that could choose signer based on IP address then this could have been an option. Unfortunately today dispatching can only...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Chetan, There are currently no specific installation procedures for Windows and the instructions use some Linux/Unix commands. However, there are not that many commands to execute so it should not be too much work to translate those Linux specific ones to Windows ones if anyone would like to draft a tutorial or similar and share. Otherwise if there are any specific parts of the installation guide you need help with so please reach out here and I am sure there will be some that knows how to do that...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Clio, I do not believe it would be necessary to have different time-stamp signers due to different time-zones as the time value included in the time-stamp token is in UTC: "genTime is the time at which the time-stamp token has been created by the TSA. It is expressed as UTC time (Coordinated Universal Time) to reduce confusion with the local time zone use. " - https://www.rfc-editor.org/rfc/rfc3161.html Page 8 The TimeStampSigner using the LocalComputerTimeSource gets the time value from Java...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Serhii, A certifying signature is a concept in PDF signing where the document can be locked for further modifications (for instance by the author). You can only certify a PDF once and then you can also set PDF permissions that prevents modifications or allows some modifications like filling in forms or applying additional signatures. Some PDF readers might also display a certifying signature differently (i.e. in Adobe Acrobat/Reader with a blue ribbon instead of green). By default SignServer will...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    A new Community 5.9 release is currently being planned so hopefully there will be a more updated version available not too far into the future. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Archil, Some quick questions: Have you also issued a client certificate from your TrustedCA and have that installed in the web browser? Does the browser prompt you to choose your certificate? Do you get an error message from the browser? Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Serhii, You can choose "SignServer Versions" on top of the documentation page to view the documentation for SignServer Community 5.2 for instance. Hopefully we get a chance to put out an updated Community version soon. Also feel free to get involved and contribute improvements. It could be bug reports, documentation improvements, installation tutorials or new features to name a few. Cheers, Markus

  • Markus Kilås Markus Kilås modified a comment on discussion Help

    This are SignServer Enterprise available in AWS and Azure marketplaces: https://aws.amazon.com/marketplace/seller-profile?id=7edf9048-58e6-4086-9d98-b8e0c1d78fce&ref=dtl_B078PLGJWL https://azuremarketplace.microsoft.com/en-us/marketplace/apps/primekey.signserver_enterprise_cloud?tab=Overview Cheers, Markus PrimeKey

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    This are SignServer Enterprise available in AWS and Azure marketplaces: https://aws.amazon.com/marketplace/seller-profile?id=7edf9048-58e6-4086-9d98-b8e0c1d78fce&ref=dtl_B078PLGJWL https://azuremarketplace.microsoft.com/en-us/marketplace/apps/primekey.ejbca_enterprise_cloud_2?tab=Overview&pub_source=email&pub_status=success Cheers, Markus PrimeKey

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Those request metadata properties were introduced for the PDFSigner in SignServer 5.7.0.Final and did not exist before that. If you did not select a version on doc.primekey.com it will display the documentation for the latest version while the local documentation will be for that version you have. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi andres, The documentation you are referring to is for the latest version of SignServer (as of now 5.8.1). There is not yet a Community version available that has this feature which was added in I believe version 5.7 or around that. You can choose which version you browse the documentation for using the "SignServer Versions" link on top of the page. For 5.2.0.Final which is the latest Community version it is this: https://doc.primekey.com/signserver520/signserver-reference/signserver-workers/signserver-signers/pdf-signer...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    I do not think you can add a certifying signature after the document has already been signed. The certifying signature (if any) must be the first one and then you can add more normal signatures. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Merriora, SignServer requires client certificate authentication for login to the Admin Web interface. For this you need to have a private key and a certificate issued from a CA and to configure the container to trust that CA (the TrustedCA.pem in the example). As you already have setup EJBCA you could use the CA you already have there (likely called ManagementCA) and you could even use the same client certificate (likely called SuperAdmin) or to issue a new certificate for your user. What his...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Axel, Thanks for sharing those interesting links and the great news about your achievement. Do you want to contribute your script or the instructions for how to do the container signer with SignServer? Is there anything in SignServer you see that could be improved to make the process smoother? Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Nguyen, It looks like your keystore file does not exist. Please check that you have the file "/opt/signserver/myconfig/worker.crypto.keystore.jks". Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås created a blog post

    SignServer Community on Docker Hub

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Axel, Do you have a suggestion for which scheme/standard to use for container signing? Cheers, Markus PrimeKey

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Axel, I suspect the issue could be that the UsernameAuthorizer will send an error 401/unauthorized and setting the WWW-Authenticate header causing the browser to display the login dialog instead of sending error 403/Forbidden. I am not completely sure what would be the correct way. As it is now it is convenient if one enters the wrong username/password to be asked again instead of directly getting the failure. Maybe this should be changed. As you have a proxy taking care of the authentication...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Arut, The location should not matter. The error "Connection refused" indicates that either the application server is not running or it is not configured to use the port 4447 for remoting. See https://doc.primekey.com/signserver520/signserver-installation/application-server-setup/wildfly-10+-and-jboss-eap-7-1+#WildFly10+andJBossEAP7.1+-ConfigureTLSandHTTP . Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Ben, The SignClient timestamp command sends RFC#3161 time-stamp requests while your MSAuthCodeTimeStampSigner expects (legacy) MS Authenticode TimeStamp requests. We do not have a tool to send MS time-stamp requests, for that you could use MS SignTool.exe in Windows with some parameter to tell it to use that format or you can change to use the standard TimeStampSigner instead as it is anyway recommended to use RFC#3161 time-stamps even with Authenticode signatures nowadays. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Frederico, Interesting test! The slow creation of workers might be because the setproperties command applies each worker property one by one and each update is written to the storage and logged etc. The plan for the future is to apply all worker properties in a worker at a time to reduce this overhead. I have also observed, especially the Workers page in AdminWeb to be slow to load with a larger number of workers (but I have not tested that large amount). I believe there is a lot of work being...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Tarun, This looks like a multipost of https://sourceforge.net/p/signserver/discussion/668766/thread/462445893b/#68a1 . Please use only one channel. See comment there. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Daniel, The Client Web are basically just simple HTML pages posting the upload form to SignServer. You can right click in your web browser and choose view source to see how the forms look like. You can either modify the pages in the sources of SignServer and redeploy with your changes or even in the binary version if you extract and replace the pages in lib/SignServer-core-web-5.2.0.Final.war or you could put your own web page somewhere and have it post your upload forms to SignServer in the same...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Don, This seems to be the same question as you already asked in a different forum post here: https://sourceforge.net/p/signserver/discussion/668765/thread/fabdd73904/#49fc It is better to not start a new thread for the same topic. Please, see answer in the previous thread. For the hashing of the visible signature image etc, I do not know the exact details, but likely that needs to be put into the PDF before you hash it. Remember that for PDF signing you will hash the whole document except one...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Phrakonkham, If you setup SignServer you can use that to sign documents of supported types. For most types of signatures you will first need a key-pair and a certificate for it. Depending on who is going to verify your document, and thus needs to be trusting your certificate, you might also need to buy a trusted certificate from a Certificate Authority (CA). Cheers, Markus PrimeKey

  • Markus Kilås Markus Kilås modified a comment on discussion Open Discussion

    Hi PTDI, If you are going to implement client-side hashing for PDF signing you will need to take care of all the PDF parsing, preparing for signing, hashing and in the end including the signature within the PDF file. On the SignServer-side you could probably use the CMS Signer. I am not familiar with PDF libraries in .NET. Possibly there could be some variant of iText that could be used or some other library. We do not have any specific documentation for how to do client-side hashing for PDF signing...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi PTDI, If you are going to implement client-side hashing for PDF signing you will need to take care of all the PDF parsing, preparing for signing, hashing and in the end including the signature within the PDF file. I am not familiar with PDF libraries in .NET. Possibly there could be some variant of iText that could be used or some other library. We do not have any specific documentation for how to do client-side hashing for PDF signing yet. In fact we do not implement that in SignServer Enterprise...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hello Emmanuel, It might be easier to check in the Admin Web interface where you can click on the worker and see the current configuration (i.e. DEFAULTKEY and NEXTCERTSIGNKEY) and even open Status properties and inspect the key/dummy certificate. If you want to use the Admin CLI then you can check the current configuration for your worker with: bin/signserver getstatus complete 1 Then generating a certificate and specifying that worker ID will use the key specified as DEFAULTKEY unless there is...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Don, The latest SignServer documentation is available here: https://doc.primekey.com/signserver SignServer creates the signature on the server-side but if you are referring to doing the hashing on the client-side the concept is described here: https://doc.primekey.com/signserver540/signserver-reference/client-side-hashing Client-side signing of detached signatures are explained there in the beginning but if you are thinking of file formats where the signature is embedded within it (i.e. executable...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hello Zafran, One worker per user can work, but the current interfaces like AdminWeb etc. are not great for very large number of workers. This is because currently all workers are loaded into memory and also displayed on one single page and also the status of each worker is checked when it is being listed so it could be slow. Hopefully this should be improved eventually. Another possible solution is to let multiple users use the same worker but somehow map them to different keys. For this we have...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Natham, The web module would be running within the same application server. It is the application server that terminates the TLS connection and the certificate will be available to all modules within it so there should not be a problem there as far as I know. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Can you try with the latest version? As 3.7 is very old it is possible this has changed in later versions. Does the PDF verify correctly even though the PDF has lower than 1.6 version and a SHA-256 signature? Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Sabrina, This is a general suggestion for troubleshooting HTTP connector issues: 1. First make sure you can access SignServer without HTTPS, i.e. on http://example.com:8080/signserver 2. Then when 1. is working, continue to try to access SignServer with HTTPS on the port that only uses server authentication, i.e. on https://example.com:8442/signserver. If you get a problem here it is related to the server certificate or that you do not have its issuer in your web browser as trusted. Also note...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Natham, With a reverse proxy it is usually possible to have it (and the application server) configured to forward the certificate information even if it is terminated in the proxy. Especially for Apache HTTP Server the AJP protocol can be used for this. An URL that works out of the box is this: https://localhost:8443/signserver/worker/TimeStampSigner If you like an even shorter URL I suppose you would develop your own web module (.war file) that maps to "/" and which contains a Servlet that internally...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hello Aninda, Thank you for sharing your findings regarding the documentation. Regarding 1. and 3., the thing is that internally there is one class KeyStoreCryptoToken which has the KEYSTORETYPE property. If you use a JKSCryptoToken then that is actually the same as KeyStoreCryptoToken+KEYSTORETYPE=JKS and if you use P12CryptoToken that is the same as KeyStoreCryptoToken+KEYSTORETYPE=PKCS12. I see that this can be confusing I am suggesting an improvement to instead mainly refer to the KeyStoreCryptoToken...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    I don't have any more errors in the log file, just this: https://pastebin.com/CHemiLYH Hi Yoan, The log one can see this: Suppressed: java.net.ConnectException: Connexion refusée It could be that the EJB/CLI client is not able to connect to the 4447 port. This port is since WildFly 9(?) something no longer available and we have a section in the installation guide to add it back. Did you follow this step 7.? https://doc.primekey.com/signserver/signserver-installation/application-server-setup/wildfly-10+-and-jboss-eap-7-1+#WildFly10+andJBossEAP7.1+-ConfigureTLSandHTTP...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Archil, Where to get the certificates for depends on your use case. If you have your own PKI that your users trust then you could get the certificates from your own CA. For instance it could be running EJBCA. If your users are expected to see a valid certificate in say Adobe Acrobat/Reader without having to install your CA certificate, then you need a publicly trusted certificate and those you can buy from a Certificate Authority trusted by the Reader application, i.e. GlobalSign, DigiCert etc....

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Just one idea: Are you able to run vtl verify as the same user as you are using when running the application server? If not then there could be a permission problem trying to read the Luna configuration file (something like /etc/Chrystoki.., or /usr/safenet/lunasa). How do you start the application server? If you use systemd there could often be issue with environment variables and user etc. in that case first try by starting the application server manually in a terminal window. Cheers, Markus P...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi, Can you provide the output you got? I can see that you did not follow this, maybe it is the issue?: For WildFly 14, instead use enable-http2="false" to avoid error messages in the log. Cheers, Markus PrimeKey

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi FredT, You do not need, and should not, add any provider to your Java installation for SignServer. Instead SignServer will find the Luna PKCS#11 driver at its default location during startup and you can use it when setting up a crypto worker/token and provide the library name "SafeNet Luna Client". The instructions for setting up a PKCS#11 crypto worker/token in SignServer is available here: https://doc.primekey.com/signserver/signserver-operations/worker-setup/quick-start-demo-setup-using-administration-web#QuickStartDemoSetupusingAdministrationWeb-SetupaSampleHSM(PKCS#11)CryptoToken...

  • Markus Kilås Markus Kilås created a blog post

    SignServer 5.2.0.Final released

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    That looks right. Thanks for sharing the solution! Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Then I tried to verify the signature with openssl, but it failed (I do not know how to verify the signature): openssl cms -verify -inform pem -certfile cert_signer.pem -in signed.p7s -nointern Error reading S/MIME message 140580128023936:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: CMS I think the output from the CMSSigner is in binary format. Try removing the "-inform pem" from the cms -verify command or use "-inform DER". Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Yoan, The EJB error indicates that SignServer has not started up correctly in the application server. Please see the /opt/wildfly/standalone/log/server.log for the errors. When SignServer has been deployed one of the last messages in the log should say that it has started up, if not try to locate the first error message during the application server startup. Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi cesar, After installing the latest SignServer version (https://doc.primekey.com/signserver/signserver-installation) you can have a look at the quick start demo guide for how to setup a PDF signer: https://doc.primekey.com/signserver/signserver-operations/worker-setup/quick-start-demo-setup-using-administration-web Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hej Fredrik! That should be the right instructions yes, and we use WildFly 14.0.1.Final a lot so should not be the issue if it is configured correctly. The "Auditor not authorized to resource." you can get when opening the Audit Log page. You would not see this on any other page. Can you paste the stacktrace that you get in the terminal? Admin Web is not available in SignServer Community 5.0, it was first made available in 5.2.0.Beta1, is that the one you are trying? Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi winofchina, I am not aware of any publicly trusted CA that issues certificates that are both for SSL/TLS server certificates and document signing and at the same time also trusted both in the web browsers and in PDF readers. I would imagine the requirements from the web browser root programs and probably also Adobe's root program would prohibit that combination. On the other hand I am not sure why you would like to have one certificate for this two different usages? Normally you would have one...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Venkatesh, Your CryptoTokenP12 points out a keystore file with the KEYSTOREPATH worker property. You will need the password for that keystore file. Unless it is one of the sample keystores you get with SignServer then I can not know what the password is. If it is one of the sample ones, try with "foo123". Or if it is a keystore you got from EJBCA then the password would be what you configured your end entity with. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Bernard, For WildFly the location is: APPSRV_HOME/standalone/log/server.log Refusing to create initial database structure as the folder is not empty: / The error indicates that you are setting up SignServer with the "NoDB" option. In that case you need to make sure your conf/signserver_deploy.properties has a path to an empty folder where SignServer will put its data: database.nodb.location=/opt/signserver/nodb After changing this file you will need to deploy SignServer again: bin/ant deploy Cheers,...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Zafran, Yes, you can do client-side hashing with the PlainSigner if you configure it with the signature algorithm NONEwithRSA or NONEwithECDSA. Note that for ECDSA it is easy as the data to send is the hash while for RSA you need to prepend the hash with an ASN.1 structure describing the hash algorithm (see RFC#3447). This is described under Plain Signatures on https://doc.primekey.com/signserver/signserver-reference/client-side-hashing . There is also an example of RSA PKCS#1 signing in one of...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi BSamontanes, Looks like the application server has not deployed SignServer. Please check the server log. There should be a SignServer startup log entry near the end if everything is okey otherwise it is likely a configuration issue of the application server. Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    SQLFeatureNotSupportedException: Method org.postgresql.jdbc.PgPreparedStatement.setCharacterStream(int, Reader, long) is not yet implemented. This looks like it could be JDBC driver issue. Maybe you need another version of the postgresql driver? Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Shekhor, Are you sure the certificate is for the key with alias "tigerit" in slot 2? If you use the SignServer Admin GUI or Admin Web (v5.2+) you can look at the key entry in the CryptoToken tab and see the public key and then compare that with the public key in the certificate you installed. How did you generate the key and issued the certificate for it? Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    If you look at the CryptoToken tab of your CryptoTokenP12 worker can you see that you have a key with alias "jioroad"? It looks like it is not there with the error message "No key available for purpose: jioroad" Also if you have made some changes to your CryptoTokenP12 worker you could try to reload your CryptoTokenP12 worker by selecting it and using "Reload" or "Reload from database". Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Venkatesh, In SignServer you will need to first make sure you have setup a crypto worker and configured it to use either a keystore crypto token or a PKCS#11 crypto token where you will have your keys. Then you can add a TimeStampSigner. You then need to generate the key-pair that you would like to use and to generate a certificate signing request (CSR) for it to bring to EJBCA. In EJBCA you will need to make sure you have configured a certificate profile appropriate for time-stamping. From my...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Eric, It should work regardless of paper size. That being said we have mostly been testing with A4 or letter size. One thing to keep in mind is that the scale goes from the lower left corner of the document and it could easily happen if you change paper size that your coordinate is outside the page. With the following setting I get the image in the lower left corner for both A4 and 7.5x10" and should probably work for all dimensions: VISIBLE_SIGNATURE_RECTANGLE=0,0,100,100 Cheers, Markus PrimeKey...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Venkatesh, Please create a new topic for this question instead of commenting on this very old thread. If you can also give a little bit more background on what you are trying to achieve. What have you already tried and what is the problem etc. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hello sid, Currently only XAdES-BES and -T are supported. I am not sure if XAdES signer has been tested with multiple signatures. If you try it out please let us know how it works out. PGP signing was added in SignServer Enterprise 5.1 and is now also available in SignServer Community 5.2.0.Beta1 that you can download and try out. See https://www.signserver.org/news/signserver-5-2-0-beta1-pre-release/ The documentation for the beta has not been published online but is available within the software...

  • Markus Kilås Markus Kilås created a blog post

    SignServer 5.2.0.Beta1 pre-release

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hello, It is not important with the name of the filerecievefile parameter just that it is encoded as a file upload. I am not so familiar with postman, maybe you can share what command you are trying. Anyway, with cURL something like this should work: curl -F workerName=PDFSigner -F file=@sample.pdf --output sample-signed.pdf http://localhost:8080/signserver/process Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Eric, Thanks for sharing, that can for sure be useful for some. We have had some ideas for the future to maybe add a feature to SignClient where you could specify algorithm with a flag and it would take care of concatenating the right values. Or possibly this could also go into a feature in the worker itself and the algorithm could be passed as a Request Metadata parameter and this would be taken care of by the worker. https://jira.primekey.se/browse/DSS-1498 Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Dineth, Signature verification of PDF files is currently not supported. To verify a PDF for instance signed with SignServer you can use a PDF reader which supports PDF signature verification like Adobe Reader/Acrobat. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    I think you need to provide the issuer/CA certificate in PEM format in a worker property like VAL1.ISSUER1.CERTCHAIN=... Or was that what you already did to fix the first issue? See for instance doc/sample-configs/validator.properties. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    The PrimeKey SignServer team is proud to announce the release of SignServer 5.0.0.Final Community edition. SignServer 5 is the next generation SignServer with 48 issues resolved since SignServer Enterprise 4.4.1 and a total of 415 issues resolved since SignServer Community edition 4.0. From today you will be able to take advantage of the new server failover and load balancing functionality in the SignClient as well as leveraging the client side hashing feature for CMS/PKCS#7 detached signatures....

  • Markus Kilås Markus Kilås created a blog post

    SignServer Community 5.0.0 Released

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    It means that the certificate you are using for your TimeStampSigner is not a certificate that is intended for time-stamping. When you get a certificate from your CA you need to make sure it is a time-stamping certificate which means that it needs to have a field called extended key usage timeStamping and that it must be marked as a critical extension in the certificate. Did you use any of our sample keystores and certificates or did you get the certificate from some other CA? What key are you using...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    The PrimeKey SignServer team is pleased to announce the release of SignServer 5.0.0.Beta1 Community Edition. SignServer 5 is the next generation SignServer with 40 issues resolved since SignServer Enterprise 4.4.1 and a total of 407 issues resolved since SignServer Community Edition 4.0, some of the noteworthy listed below: General - Support for running on WildFly 14 and JBoss EAP 7. - Support for running on Java 11. - Upgraded libraries and dependencies. - Stronger algorithms by default. - Restructured...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    That would be one of VISIBLE_SIGNATURE_CUSTOM_IMAGE_BASE64 or VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH: https://www.signserver.org/doc/current/manual/plugins.html#Worker_Properties Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi, It has been a long time since the release of SignServer 4 and it is now time for the next major version. SignServer 5 has been under development for some time and is progressing well. Besides many of the updates that have already been released as part of SignServer Enterprise Edition, the major news is the Technology Upgrade with support for newer Java and application server versions. The plan is to have a pre-release available in the beginning of March for anyone to try out. Regards, Markus...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Minh, Not sure I understand where you mean. Screenshot? Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Ayman, Please do not multipost [1]. https://sourceforge.net/p/signserver/discussion/668766/thread/62dd7807e7/?limit=25#050e Cheers, Markus [1] https://en.wikipedia.org/wiki/Crossposting

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Ayman, Please do not multipost [1]. If you are running SignServer on Windows your SIGNSERVER_HOME folder is normally not "/opt/signserver". It is likely something with Windows path like c:\my-signserver. You also need to update the KEYSTOREPATH in your crypto token so it points at the correct dss10_keystore.p12 location in your environment. Unrelated to the error but your APPSRV_HOME is likely also incorrect and should be more like your JBOSS_HOME. Cheers, Markus [1] https://en.wikipedia.org/wik...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Eric, The error message seems to be related to the key alias which does not necessarily have to be the same as the CN part of the subject DN. Those are two different things. I just tested both with PKCS11 and Keystore crypto token and I did not see any issues with having a key alias containing spaces (additionally the Subject DN also got spaces in the dummy certificate generated by SignServer when the key was created: "CN=Soft key with space,L=SignServer_DUMMY_CERT,C=SE". I tested with the latest...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Yes, this looks like a datasource, database driver or account issue. There could also be a message about this earlier in the startup of the application server. Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    No problem, please share if you find a solution. Contributions also in terms of integration guides, how-tos etc are always welcome and if generic/useful enough could be added to the documentation.

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Wongsakorn, SignServer CE uses SunPKCS11 for accessing the HSM. SunPKCS11 has requirements on the objects in the HSM. See: https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#KeyStoreRestrictions In short: There needs to be both a private key object and a certificate object for the key to be visible in SignServer (Java). The objects are linked by having the same CKA_ID and the label needs to be on the certificate object. You get this all by default when you generate the...

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Minh, Please do not multipost. It is enough to ask the question in one of the forums. Discussion can continue in https://sourceforge.net/p/signserver/discussion/668766/thread/f05d6d5b9a/ . Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Minh, If you enabled debug logging for SignServer in your application server, you can see from the output when SignServer starts which libraries that could not be found. It could look like this: 11:28:58,100 DEBUG [org.signserver.common.PKCS11Settings] (ServerService Thread Pool -- 57) Adding: /opt/ETcpsdk/lib/linux-x86_64/libcryptoki.so for P11 name: SafeNet ProtectSe rver Gold, with index: 11 11:28:58,100 DEBUG [org.signserver.common.PKCS11Settings] (ServerService Thread Pool -- 57) Library...

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Obay, Do you have "includemodulesinbuild=true" in conf/signserver_deploy.properties? Otherwise that module might not be available. Please also check the IMPLEMENTATION_CLASS worker property of worker 16 so that it does not have any extra whitespaces (i.e. blank space or new lines). Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Wongsakorn, I think some are putting an Apache HTTP Server as reverse proxy in front of SignServer in order to support LDAP or Active Directory authentication. SignServer would then only get the user name from the proxy and you can use the UsernameAuthorizer (instead of UsernamePasswordAuthorizer) in that case. See https://download.primekey.se/docs/SignServer-Enterprise/4.4.0/Username_Authorizer.html and https://download.primekey.se/docs/SignServer-Enterprise/4.4.0/Apache_HTTP_Server_as_Reverse_Proxy.html....

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    The counter is per key. So if multiple users use the same key (and have the key usage counter enabled) they will all increase the counter. The counter is stored in the database with one row for each key with a hash of the public key as one column and the counter value as the other column. Cheers, Markus

  • Markus Kilås Markus Kilås posted a comment on discussion Help

    Hi Miguel, It looks like a file path issue. Do you have the SIGNSERVER_HOME environment variable set? If that is the case it might need some escaping/quotation marks in there. You can also try unsetting that property as it should not be needed. Cheers, Markus PrimeKey Solutions

  • Markus Kilås Markus Kilås posted a comment on discussion Open Discussion

    Hi Erbay, I can not see that you have configured any users. For testing you can for instance add "USER.ERBAY=foo123", to have a user erbay with the password foo123. See: https://www.signserver.org/doc/4.0.0/manual/commonconf.html#Usernamepassword-based_authentication Regards, Markus PrimeKey Solutions Save time and money with an Enterprise support subscription. Please see www.primekey.com for more information. https://www.primekey.com/products/software/
