### SignumUtil Setup and Verification Example Source: https://docs.keyfactor.com/signserver/latest/macos Example of successfully setting up SignumUtil with a SignServer instance and verifying the connection. This command also saves the configuration. ```bash % signum-util signserversetup -c /tmp/dss10_client1.p12 -u localhost:443 SignServer Test completed, able to connect to instance [localhost:443] with certificate [/tmp/dss10_client1.p12]. New configuration saved successfully, some changes to system settings might require restarting SignumService. Please run [signum-util service --restart], [systemctl restart SignumService] or equivalent with appropiate permissions. ``` -------------------------------- ### Install and Start WildFly 38 on CentOS Source: https://docs.keyfactor.com/signserver-software/latest/application-server-setup Use these commands to unzip WildFly, navigate to its directory, and start the standalone server. Ensure you have WildFly downloaded. ```bash unzip wildfly-38.0.0.Final.zip cd wildfly-38.0.0.Final ./bin/standalone.sh ``` -------------------------------- ### Start CloudHSM Client Source: https://docs.keyfactor.com/signserver-cloud/latest/restoring-hsm-backup-to-new-instance Start the CloudHSM client service. Use either the 'start' command or the 'service' command depending on your system's init system. ```bash # sudo start cloudhsm-client ``` ```bash # sudo service cloudhsm-client start ``` -------------------------------- ### Install Service with Properties Source: https://docs.keyfactor.com/signserver/latest/renewaltimedservice Use this command to install a service by applying properties defined in a configuration file. Ensure the configuration file path is correct. ```bash $ bin/signserver setproperties configuration.properties ``` ```bash $ bin/signserver setproperties doc/sample-configs/signerstatusreport.properties =========================================== Executing Command on host : localhost =========================================== Configuring properties as defined in the file : doc/sample-configs/signerstatusreport.properties Setting the property ACTIVE to TRUE for worker 2 Setting the property INTERVAL to 10 for worker 2 Setting the global property WORKER2.CLASSPATH to org.signserver.server.timedservices.SignerStatusReportTimedService with scope GLOB. Setting the property WORKERS to PDFSigner1 for worker 2 Setting the property NAME to SignerStatusReporter for worker 2 Setting the property OUTPUTFILE to /tmp/statusreport for worker 2 $ bin/signserver reload 2 =========================================== Executing Command on host : localhost =========================================== SignServer reloaded successfully Current configuration is now activated ``` -------------------------------- ### Start WildFly Source: https://docs.keyfactor.com/signserver-cloud/latest/appendix-a-migrate-from-sdk3-to-sdk5 After completing the migration steps, start the WildFly service. ```bash systemctl start wildfly ``` -------------------------------- ### HSM Login Syntax Example Source: https://docs.keyfactor.com/signserver-cloud/latest/activate-cluster Example demonstrating the syntax for logging into the HSM with different user types, usernames, and passwords. ```bash aws-cloudhsm> loginHSM CO admin ``` -------------------------------- ### Verify SignumUtil Setup and Configuration Source: https://docs.keyfactor.com/signserver/latest/linux-agent After setup, you can verify the connection and view the stored configuration. Restarting the SignumService might be necessary for changes to take effect. ```bash % signum-util signserversetup -c /tmp/dss10_client1.p12 -u localhost:443 SignServer Test completed, able to connect to instance [localhost:443] with certificate [/tmp/dss10_client1.p12]. New configuration saved successfully, some changes to system settings might require restarting SignumService. Please run [signum-util service --restart], [systemctl restart SignumService] or equivalent with appropiate permissions. ``` ```bash % signum-util show Signum SignServer stored configuration. certificate=/tmp/dss10_client1.p12 instance_url=localhost:443 loglevel=NONE ``` ```bash % signum-util test SignServer Test completed, able to connect to instance [localhost:443] with certificate [/tmp/dss10_client1.p12]. ``` -------------------------------- ### Change Directory to New SignServer Install Source: https://docs.keyfactor.com/signserver-cloud/latest/signserver-cloud-in-place-upgrade-procedure Navigate into the new SignServer installation directory. ```bash cd /opt/signserver ``` -------------------------------- ### Example Validation Service Configuration Source: https://docs.keyfactor.com/signserver/latest/defaultvalidationservice Demonstrates a complete configuration for the Validation Service, including worker setup, cached issuers, and validator definitions with issuer-specific certificate chains. ```properties # Set up the worker -> validation service wrapper WORKER1.IMPLEMENTATION_CLASS=org.signserver.validationservice .server.ValidationServiceWorker #Uncomment and set class path to custom validation service, otherwise is default #used. #WORKER1.TYPE= # Name of Service (Optional) WORKER1.NAME=ValidationService1 # Define TestCA2 and TestCA3 as a cached for 15 seconds, TestCA1 is Not cached. WORKER1.CACHEDISSUERS=CN=TestCA2;CN=TestCA3 WORKER1.TIMEINCACHE=15 # Define a validator in charge of issuer TestCA1 and TestCA2 WORKER1.VAL1.CLASSPATH= WORKER1.VAL1.ISSUER1.CERTCHAIN=EFWAASDFADFASDFKASDKFW1231..... WORKER1.VAL1.ISSUER2.CERTCHAIN=EFWAASDFADFASDFKASDKFW1231..... # Define a validator in charge of issuer TestCA3 WORKER1.VAL2.CLASSPATH= WORKER1.VAL2.ISSUER1.CERTCHAIN=EFWAASDFADFASDFKASDKFW1231..... ``` -------------------------------- ### Start CloudHSM Client Service Source: https://docs.keyfactor.com/signserver-cloud/latest/configure-the-cloudhsm-client Start the CloudHSM client service after configuration updates. Use either the 'start' command or the 'service' command. ```bash # sudo start cloudhsm-client or # sudo service cloudhsm-client start ``` -------------------------------- ### Start cloudhsm_mgmt_util Tool Source: https://docs.keyfactor.com/signserver-cloud/latest/activate-cluster Use this command to start the AWS CloudHSM management utility. Ensure you are SSH'd into the SignServer instance. ```bash sudo /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg ``` -------------------------------- ### HTTP GET Request for GenericProcessServlet Source: https://docs.keyfactor.com/signserver/latest/client-http-interface Examples of HTTP GET requests to the GenericProcessServlet for signing or validation. Data can be sent directly or Base64 encoded. ```http http://localhost:8080/signserver/process?workerName=DemoXMLSigner&data=%3Croot%3Ehej2%3C/root%3E ``` ```http http://localhost:8080/signserver/process?workerName=DemoXMLSigner&encoding=base64&data=PGhlajI%2Bb2s8L2hlajI%2BCg%3D%3D ``` -------------------------------- ### Set Up Sample Crypto Token Source: https://docs.keyfactor.com/signserver/latest/quick-start-demo-setup-using-administration-cli Configure a keystore-based Crypto Token using a properties file. This sets up the initial token for subsequent operations. ```bash $ bin/signserver setproperties doc/sample-configs/keystore-crypto.properties ``` ```bash $ bin/signserver reload 1 ``` -------------------------------- ### HTTP GET Request for WorkerServlet Source: https://docs.keyfactor.com/signserver/latest/client-http-interface Example of an HTTP GET request to the WorkerServlet for processing data. Ensure the worker name and data are correctly encoded. ```http http://localhost:8080/signserver/worker/DemoXMLSigner?data=%3Croot%3Ehej2%3C/root%3E ``` ```http http://localhost:8080/signserver/worker/DemoXMLSigner?encoding=base64&data=PGhlajI%2Bb2s8L2hlajI%2BCg%3D%3D ``` -------------------------------- ### Set Up Sample Workers Source: https://docs.keyfactor.com/signserver/latest/quick-start-demo-setup-using-administration-cli Configure sample Workers using a properties file and activate them. This is a general step for setting up worker configurations. ```bash $ bin/signserver setproperties doc/sample-configs/CONFIGURATION.properties ``` ```bash $ bin/signserver reload 2 ``` -------------------------------- ### Create a Sample File for Signing Source: https://docs.keyfactor.com/signserver/latest/macos Creates a simple text file that will be used as an example for the codesign process. ```bash echo "Something cool to sign" > file.sh ``` -------------------------------- ### Install NTPd on Linux Source: https://docs.keyfactor.com/signserver/latest/set-up-a-test-time-server-with-a-simulated-time Installs the NTP daemon using yum. Ensure NTPd is installed before proceeding with configuration. ```bash $ sudo yum install ntp ``` -------------------------------- ### Prepare data for client-side hashing Source: https://docs.keyfactor.com/signserver/latest/client-rest-interface This example shows how to prepare data for client-side hashing by creating a binary hash file and then base64 encoding it. Ensure the hash algorithm matches the one configured in SignServer. ```bash $ echo "Sample" > sample.txt $ openssl dgst -sha256 -out pre-computed-hash.bin -binary sample.txt $ base64 pre-computed-hash.bin 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= ``` -------------------------------- ### Prepare SignServer for Certificate Generation Source: https://docs.keyfactor.com/signserver/latest/regenerate-tls-keys-and-certificates Gain root privileges and navigate to the support directory on the SignServer instance. ```bash sudo su - cd /opt/PrimeKey/support ``` -------------------------------- ### SNTP Tool Sample Usages Source: https://docs.keyfactor.com/signserver/latest/sntp-tool Examples demonstrating how to use the sntp-tool with different configurations. ```bash a) sntp-tool -servers ntp.example.com' ``` ```bash b) sntp-tool -servers ntp1.example.com,ntp2.example.com ``` ```bash c) sntp-tool -servers ntp.example.com -sendsamples 2 ``` ```bash d) sntp-tool -servers ntp.example.com -timeout 2000 ``` -------------------------------- ### Get Worker Configuration Source: https://docs.keyfactor.com/signserver/latest/signserver-rest-endpoints-using-curl Retrieves the configuration of workers. The GET /workers endpoint returns a summary of all workers, while GET /workers/id provides detailed configuration for a specific worker. ```APIDOC ## GET /workers ### Description Retrieves a list of all workers configured on the SignServer instance, returning their IDs and names. ### Method GET ### Endpoint /workers ### Parameters No parameters are expected for this endpoint. The request body is ignored. ### Request Example ```bash curl --location --cert dss10_admin1.p12 --cert-type p12 --pass foo123 --request GET 'https://localhost:8443/signserver/rest/v1/workers' \ --header 'X-Keyfactor-Requested-With: X' ``` ### Response #### Success Response (200) - **workers** (array) - A list of worker objects. - **id** (integer) - The unique identifier of the worker. - **name** (string) - The name of the worker. #### Response Example ```json { "workers": [ { "id": 1, "name": "CryptoTokenP12" }, { "id": 2, "name": "PlainSigner" } ] } ``` ## GET /workers/id ### Description Retrieves the detailed configuration for a specific worker identified by its ID. ### Method GET ### Endpoint /workers/{id} ### Parameters #### Path Parameters - **id** (integer) - Required - The ID of the worker to retrieve configuration for. No other parameters are expected, and the request body is ignored. ### Request Example ```bash curl --location --cert dss10_admin1.p12 --cert-type p12 --pass foo123 --request GET 'https://localhost:8443/signserver/rest/v1/workers/2' \ --header 'X-Keyfactor-Requested-With: X' ``` ### Response #### Success Response (200) - **properties** (object) - An object containing the detailed properties of the specified worker. - **CRYPTOTOKEN** (string) - The name of the crypto token. - **AUTHTYPE** (string) - The authentication type. - **IMPLEMENTATION_CLASS** (string) - The fully qualified class name of the worker implementation. - **DEFAULTKEY** (string) - The default key alias. - **TYPE** (string) - The type of the worker. - **DISABLEKEYUSAGECOUNTER** (string) - Indicates if the key usage counter is disabled. - **NAME** (string) - The name of the worker. #### Response Example ```json { "properties": { "CRYPTOTOKEN": "CryptoTokenP12", "AUTHTYPE": "NOAUTH", "IMPLEMENTATION_CLASS": "org.signserver.module.cmssigner.PlainSigner", "DEFAULTKEY": "signer00003", "TYPE": "PROCESSABLE", "DISABLEKEYUSAGECOUNTER": "true", "NAME": "PlainSigner" } } ``` ``` -------------------------------- ### Bootstrap Galera Cluster Source: https://docs.keyfactor.com/signserver-cloud/latest/restarting-and-verifying-cluster Stop all MySQL services, then start the first node with the --wsrep-new-cluster flag. Finally, start the remaining nodes with standard service start commands. ```bash [root@node3 mysql]# service mysql stop [root@node2 mysql]# service mysql stop [root@node1 mysql]# service mysql stop [root@node1 mysql]# service mysql start --wsrep-new-cluster [root@node2 mysql]# service mysql start [root@node3 mysql]# service mysql start ``` -------------------------------- ### Create a Test File for Signing Source: https://docs.keyfactor.com/signserver/latest/linux-agent Create a simple text file named 'test.txt' to be used for signing operations. ```bash echo test > test.txt ``` -------------------------------- ### Install WildFly with Specific Layers using Galleon Source: https://docs.keyfactor.com/signserver-software/latest/wildfly-32-and-jboss-eap-8 Use the Galleon CLI to install a customized WildFly distribution to a specified directory, including essential layers for SignServer and creating a symlink for the installation. ```bash ./galleon.sh install wildfly:current#38.0.0.Final --dir=/opt/wildfly-38.0.0.Final --default-configs=standalone/standalone.xml --layers=cdi,core-tools,datasources,deployment-scanner,discovery,ee,-jsonb,ejb,elytron-oidc-client,io,jaxrs,jpa,jsf,logging,mail,management,webservices ln -snf /opt/wildfly-38.0.0.Final /opt/wildfly ``` -------------------------------- ### Set up SignumUtil with SignServer Instance Source: https://docs.keyfactor.com/signserver/latest/macos Configure the SignumUtil to connect to your SignServer deployment. Ensure SignumUtil has permissions to the certificate path. ```bash signum-util signserversetup --certificate /home/path/to/my/cert --instance_url localhost:443 ``` -------------------------------- ### Signer Status Report Worker Example 4 Source: https://docs.keyfactor.com/signserver/latest/signerstatusreportworker Example of a worker that is OFFLINE and has no certificate configured. ```xml workerName=Sod74, status=OFFLINE, ``` -------------------------------- ### Install OpenSSL PKCS11 Engine Source: https://docs.keyfactor.com/signserver/latest/linux-agent Install the necessary OpenSSL engine for PKCS11 support on Debian-based systems. ```bash sudo apt-get install libengine-pkcs11-openssl ``` -------------------------------- ### Install Certificates on SignServer Source: https://docs.keyfactor.com/signserver/latest/regenerate-tls-keys-and-certificates Copy the generated PEM and key files to the Apache SSL directory on the SignServer instance. ```bash cp *.pem /etc/httpd/ssl/. cp *.key /etc/httpd/ssl/. ``` -------------------------------- ### Start WildFly for testing Source: https://docs.keyfactor.com/signserver-software/latest/wildfly-32-and-jboss-eap-8 Run this command in a separate terminal to start WildFly for quick testing purposes. ```bash /opt/wildfly/bin/standalone.sh ``` -------------------------------- ### Examples for Verifying Audit Logs Source: https://docs.keyfactor.com/signserver/latest/database-cli Demonstrates different ways to use the `verifylog` command, including specifying nodes, offsets, and setting the optional classpath for the JDBC driver. ```bash signserver-db audit verifylog -all ``` ```bash signserver-db audit verifylog -node server1 -node server2:708 ``` ```bash OPTIONAL_CLASSPATH=/usr/share/java/mysql-connector-java.jar signserver-db audit verifylog -all ``` -------------------------------- ### Example JWT Token Source: https://docs.keyfactor.com/signserver/latest/jwt-authorizer This is an example of a Base64-encoded JWT token. It contains the header and payload, which are used for authentication. ```text eyJraWQiOiJqd3Qua2V5IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ1c2VyMSIsInVwbiI6ImR1a2UiLCJhdXRoX3RpbWUiOjE1ODM4MzAwMzcsImlzcyI6Im15LWF1dGgtc2VydmVyIiwiZ3JvdXBzIjpbInN0YWZmIiwiU2lnblNlcnZlci11c2VycyIsInJlbGVhc2UtbWFuYWdlcnMiLCJtYWlsdXNlcnMiXSwiZXhwIjoxNTgzODMxMDM3LCJpYXQiOjE1ODM4MzAwMzcsImp0aSI6IjQyIn0.Tzy6hoLKwmiQ4C7exBaEUVjH_TK6qiY6KUJUu2QLC-52QxJRXKdBXR1t6l2JqbhWm20o_yKcgp6d4n03AyX8IUGOVul5xY5nWP4Uyn_SfWznuANCXKIf9y8a99ucO4yTEtsrAw2Hiv88LSpia768m1epUXe8_fgoFxfZr8adtRkJ2mT5evHtFwbWtUTT2r3-okuQPvmUfhBrECVKYrBwrV3JlXgXGTjSz4j3XwFfdh516EhKXY8dSn4PMG4hmcnmLNJkz59sUOSTgpwgtp8JzqGBLqtsehJGSYVFDueIDCEbljEAXNgfIbUpT7PuE1IY8VyTm792RB_u_Dq5f03TEQ ``` -------------------------------- ### Create Custom Configuration Directory and File Source: https://docs.keyfactor.com/signserver-software/latest/install-signserver Set up a 'signserver-custom' directory outside the SignServer home to store configurations that override default files during upgrades. ```bash mkdir -p ../signserver-custom/conf cp conf/signserver_deploy.properties.sample ../signserver-custom/conf/signserver_deploy.properties ``` -------------------------------- ### Install MariaDB on CentOS Source: https://docs.keyfactor.com/signserver-software/latest/database-setup Use this command to install MariaDB server on a CentOS system. Ensure you have the necessary permissions. ```bash sudo yum install mariadb mariadb-server ``` -------------------------------- ### SignClient Usage Help Source: https://docs.keyfactor.com/signserver/latest/client-cli Displays the available commands and usage for the SignClient CLI. Run this from the SignServer home directory or specify the home directory via environment variables. ```bash $ bin/signclient usage: signclient ``` -------------------------------- ### Start TimeMonitor in Background Source: https://docs.keyfactor.com/signserver/latest/how-to-configure-timemonitor Starts the TimeMonitor service to run in the background. This command includes the conf/ folder on the classpath. ```bash $ bin/timemonitor-in-background.sh ``` -------------------------------- ### Install WildFly Systemd Service Files Source: https://docs.keyfactor.com/signserver-software/latest/wildfly-32-and-jboss-eap-8 Copies the necessary scripts and configuration files to set up WildFly as a systemd service. This includes the launch script, service unit file, and configuration file. ```bash cp /opt/wildfly/docs/contrib/scripts/systemd/launch.sh /opt/wildfly/bin cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.service /etc/systemd/system mkdir /etc/wildfly cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.conf /etc/wildfly systemctl daemon-reload useradd -r -s /bin/false wildfly chown -R wildfly:wildfly /opt/wildfly-38.0.0.Final/ ``` -------------------------------- ### Build SignServer with Maven Source: https://docs.keyfactor.com/signserver/latest/building-signserver-with-maven Execute this command to build all SignServer modules. Artifacts will be placed in `./lib` and module descriptors in `./mods-available`. ```bash mvn install ``` -------------------------------- ### Install SDK5 CloudHSM CLI Source: https://docs.keyfactor.com/signserver-cloud/latest/appendix-a-migrate-from-sdk3-to-sdk5 Install the new SDK5 CloudHSM CLI tool using yum and the provided URL. ```bash sudo yum install https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Amzn2023/cloudhsm-cli-latest.amzn2023.x86_64.rpm ``` -------------------------------- ### Install Java OpenJDK 17 Source: https://docs.keyfactor.com/signserver/latest/client-cli Installs Java OpenJDK 17 using yum package manager. This is a prerequisite for running SignClient. ```bash sudo yum install -y java-17-openjdk ``` -------------------------------- ### Backup System Source: https://docs.keyfactor.com/signserver-cloud/latest/cluster-replication-configuration Run this command to create a backup of the system before making configuration changes. Refer to the SignServer Cloud Backup Guide for more details. ```bash # /opt/PrimeKey/support/system_backup.sh ``` -------------------------------- ### Signer Status Report Worker Example 3 Source: https://docs.keyfactor.com/signserver/latest/signerstatusreportworker Example of a worker that is OFFLINE for reasons other than reaching its signature limit or expiring its certificate. ```xml workerName=Sod73, status=OFFLINE, validityNotBefore=2010-07-05 17:32:33 CEST, validityNotAfter=2010-09-08 17:32:33 EEST, signings=0, signLimit=100000, ``` -------------------------------- ### P11NG CLI Usage and Options Source: https://docs.keyfactor.com/signserver/latest/p11ng-cli Lists available commands and options for the p11ng-tool. Use the -action argument to specify the desired operation. ```bash p11ng-tool [options] P11NG commands -action Operation to perform. Any of: [listSlots, showInfo, listObjects, listKeyStoreEntries, generateKey, generateAndWrapKeyPair, unwrapAndSign, deleteKeyStoreEntryByAlias, deleteObjects, generateKeyPair, signPerformanceTest, unwrapPerformanceTest] -alias Key alias -attributes_file Path of file containing attributes to be used while generating key pair -libfile Shared library path -method Method to use, either pkcs11 (default) or provider -nocertificateobject Don't create a certificate object when generating a key. Default is to generate a certificate object -object Object ID (decimal) -pin User PIN -plaintext text string to sign -privatekey base64 encoded encrypted (wrapped) private key -publickey base64 encoded public key -selfcert Generate a self-signed certificate for the new key-pair -selfsigneddn Distinguished Name (DN) to use as issuer and subject DN in the self-signed certificate instead of the default one. -signaturealgorithm For sign-/unwrapPerformanceTest: Signature algorithm to use (default: SHA256withRSA) -slot Slot ID to operate on -threads For sign-/unwrapPerformanceTest: Number of stresstest threads to run (default: 1) -timelimit For sign-/unwrapPerformanceTest: Optional. Only run for the specified time (in milliseconds). -unwrapkey Label of key to unwrap with -use_cache For sign-/unwrapPerformanceTest: Whether key objects are fetched from cache instead of HSM token (default: true) -warmuptime For sign-/unwrapPerformanceTest: Don't count number of signings and response times until after this time (in milliseconds). Default=0 (no warmup time). -wrapkey Label of key to wrap with ``` -------------------------------- ### Auth0 Provider URI Example Source: https://docs.keyfactor.com/signserver/latest/set-up-openid-connect-oidc-using-auth0 Example format for the `oidc.providerUri` property in SignServer's `oidc.properties` file, pointing to your Auth0 domain. ```properties https:/// ``` -------------------------------- ### TimeMonitor Log Entries Example Source: https://docs.keyfactor.com/signserver/latest/how-to-configure-timemonitor Example log output from the TimeMonitorManager worker, indicating time synchronization status and reported state. ```log 2022-11-25 10:39:42,731 INFO Config changed to: 6e6198bc 2022-11-25 10:39:42,800 INFO Time back in calibration: offset abs(372) max accepted offset 997 2022-11-25 10:39:42,901 INFO State changed to: INSYNC,REPORTED,NONE ```