Administration GUI

ENTERPRISE This is a SignServer Enterprise feature.

The Administration GUI (AdminGUI) is deprecated and will be removed in a future version. Please use the Administration Web instead.

The SignServer Administration GUI (AdminGUI) is one of the available interfaces to administrate SignServer. It supports configuration of workers and associated key management as well as querying the audit log and archive.

Other options for administration include the Administration CLI, the Administration Web, and the Administration Web Services interfaces.

As a complement to the command line interface there is also a graphical user interface for managing some of the most basic administrative tasks.

The SignServer AdminGUI is built by default (unless the property admingui.enabled is set to the value "false" in signserver_deploy.properties), and can be started using the script bin/signserver-gui.

On startup, the Connect to SignServer dialog offers the possibility to connect either to a locally running SignServer instance or to a remote one over web services. If the "-ws" command line option is specified, the latter option is already selected when the dialog opens.

See also the AdminGUI part of the troubleshooting section.

Connect to SignServer dialog

First select whether to connect to a local or a remote instance. If a remote one is selected, also specify the URL to the SignServer server as well as the keystore and truststore for setting up the HTTPS connection. Then click the button Connect. Clicking the button Load defaults loads the settings from the file default_connect.properties. The current settings are stored to connect.properties and displayed the next time the dialog is opened.

Connect to: Select to either connect to a "Local SignServer" using the EJB interface or a "Remote SignServer" using web services on the specified URL.

  • Web Service URL: Base URL to the SignServer server. Default: https://localhost:8443/signserver

  • Truststore Type: Type of the truststore. Should match the chosen truststore file (if any). Options are: Use keystore, JKS, PKCS12 or PEM. If Use keystore is chosen, the trusted certificates are instead taken from the keystore and no truststore is used.

  • Truststore file path: Path to the truststore file (if any).

  • Truststore password: Password of the truststore file (if any).

  • Keystore Type: Type of the keystore. Should match the chosen keystore file path. Options are: JKS, PKCS12 or PKCS11. If PKCS11 is chosen, the keystore file path should be the path to the PKCS#11 shared library file.

Main window

The SignServer Administration GUI main window consists of a menu bar, a toolbar, the working area and at the bottom a status bar. The working area consists of a left and right part where the left is a list of all configured workers and the right shows details for the selected workers (if any).

Main window: Menu bar

  • File -> Add Worker/Load Configuration…:

    Opens the dialog to import a configuration or set-up a worker manually by specifying worker parameters.

    When selecting Load from file it is possible to load a configuration file. This is equivalent to the setproperties Admin CLI command.

    Selecting Add worker enables setting up a worker from scratch by manually specifying a worker ID (the default selected will generate an ID dynamically), worker name, fully qualified class name for the implementation, and (optionally) a signer token implementation. Additional properties can be added using the table below.

    When the required parameters are given, the Next button will enable moving to the next step where additional manual editing of the resulting configuration can be made (the format is the same as the worker properties files). Clicking the Apply button from this stage will load the current configuration. The dialog can be dismissed in both states using the Cancel button.

  • File -> Export...:
    Opens the Export configuration dialog. This is the equivalent of the dumpproperties Admin CLI command. The dialog gives the option to export all workers, the selected workers or none. In addition it also gives the option to include all global configurations not related to any worker (always enabled if no workers are chosen for export).

  • File -> Exit:
    Exits the SignServer Administration GUI

  • Edit -> Activate:
    Activates the selected worker(s).

  • Edit -> Deactivate:
    Deactivates the selected worker(s).

  • Edit -> Renew key...:
    Opens the Renew key dialog for the selected worker(s).

  • Edit -> Test key...:
    Opens the Test key dialog for the selected worker(s).

  • Edit -> Generate CSR...:
    Opens the Generate CSR dialog for the selected worker(s).

  • Edit -> Install certificates...:
    Opens the Install certificates dialog for the selected worker(s).

  • Edit -> Renew signer...:
    Opens the Renew signer dialog for the selected worker(s).

  • Edit -> Destroy key...:
    Opens the Remove key dialog for the selected worker and asks for a key to remove from the crypto token.

  • Edit -> Remove worker...:
    Removes the selected workers from the SignServer configuration.

  • Edit -> Reload from database...:
    Reloads the global configuration or the selected workers from the database. This is only needed if the configuration was changed from another node and the nodes use a shared database.

  • Edit -> Global configuration...:
    Opens the Global configuration window.

  • Edit -> Administrators...:
    Opens the Administrators window.
    Allows adding web service administrators, auditors, and archive auditors. The administrators can be added by explicitly entering the client certificate's serial number in hexadecimal (leading zeroes and letter case are not significant) and the issuer DN with a space after each comma separating DN components. If DN components contain commas, these need to be escaped with backslashes.

    An example using a certificate issued from EJBCA with the default (as specified by EJBCA) LDAP DN order:

    C=SE, O=TestOrganization, CN=IssuingCA

    This is the reversed order compared to how the issuer DN is stored in the certificate. An example using a certificate issued from EJBCA with the Use LDAP DN order option disabled:

    CN=ReverseIssuingCA, O=TestOrganization, C=SE

    Alternatively a certificate file can be loaded, from which the serial number and issuer DN will be taken.

  • View -> Refresh:
    Refreshes the information about all workers.

  • View -> Status Summary...:
    Switches to the Status Summary tab for the selected worker.

  • View -> Status Properties...:
    Switches to the Status Properties tab for the selected worker.

  • View -> Configuration...:
    Switches to the Configuration tab for the selected worker.

  • View -> Authorization...:
    Switches to the Authorization tab for the selected worker. Specify the certificate serial number in hex and the issuer DN of the client certificate. If DN components contain commas, these need to be escaped with backslashes. Alternatively, a certificate file (PEM or DER format) can be loaded, from which the serial number and issuer DN are fetched.

  • Help -> About...:

    Opens the About box.

Main window: Tool bar

  • Refresh:
    Refreshes the information about all workers.

  • Activate:
    Activates the selected worker(s).

  • Deactivate:
    Deactivates the selected worker(s).

  • Renew key...:
    Opens the Renew key dialog for the selected worker(s).

  • Test key...:
    Opens the Test key dialog for the selected worker(s).

  • Generate CSR...:
    Opens the Generate CSR dialog for the selected worker(s).

  • Install certificates...:
    Opens the Install certificates dialog for the selected worker(s).

  • Renew signer...:
    Opens the Renew signer dialog for the selected worker(s).

Main window: Status Summary Tab

Displays the status summary for the selected worker in the same format as the CLI command signserver getstatus complete.

Main window: Status Properties Tab

Displays the status in properties format with the option of viewing details for some properties such as for the certificates.

  • Details...: Selecting a property and clicking this button opens a dialog box with more information for the property (if supported). Currently for certificates this opens the Certificate details dialog.

Main window: Configuration Tab

Lists all the selected worker's configuration properties and gives the ability to add, remove or edit properties.

  • Add...:
    Adds a new property to the selected worker.

  • Edit:
    Edit the selected property.

  • Remove:
    Removes the selected property.

Main window: Authorization Tab

Lists all the authorized client certificates for the selected worker. Notice that this only applies if the worker has the AUTHTYPE set to CLIENTCERT; otherwise information about authorized clients might be taken from other sources. If the checkbox Allow any administrator with a valid certificate... is selected, any user with a valid certificate will be authorized. Having this enabled will override the administrators added in the list above. This is meant primarily for allowing a temporary certificate for setting up initial configuration.

  • Add...:
    Adds a new authorized client. If the option Apply changes to all selected workers is checked the client is added to all the currently selected workers. The "..." button can be used to read the values for serial number and issuer DN from a certificate file in PEM or DER format.

  • Edit...:
    Edits the selected authorized client. If the option Apply changes to all selected workers is checked the client is modified in all the currently selected workers.

  • Remove:
    Removes the selected client. If the option Apply changes to all selected workers is checked the client is modified in all the currently selected workers.

Main window: CryptoToken Tab

The CryptoToken tab is only visible when selecting a worker that either is a CryptoWorker or is a worker that has crypto token configuration. The tab allows querying of entries inside the crypto token as well as generating keys and certificate requests, importing certificates, etc.

  • First:
    Go to the first search results page.

  • Previous:
    Go to the previous search results page.

  • Reload:
    Reloads the search result according to the current index and the selected number of entries per page.

  • Next:
    Go to the next search results page.

  • Displaying results:
    Displays the first row index and the last in the current result.

  • Entries per page:
    The maximum number of rows to display in one page.

  • Generate key...:
    Opens the key generation dialog. Fill in the alias of the new key that should be generated, the key type (i.e. RSA, DSA or ECDSA) and the key specification (i.e. key length such as "2048" for RSA and DSA or curve name such as "secp256r1" for ECDSA). For RSA keys, a custom public exponent can be expressed as part of the key specification by entering a value such as "2048 exp 5" or "2048 exp 0x10001", expressing the exponent value in decimal or hexadecimal form. After filling in a key alias, a new row will automatically be added, which allows for generating more keys.

    This dialog is different from the Renew key dialog as in this case the worker's next key property (NEXTCERTSIGNKEY) is not updated.

  • Test:
    Opens the Test key dialog for the selected entry.

  • Generate CSR...:
    Opens the Generate CSR dialog with the key aliases of the selected entries filled in.

  • Import certificates...:
    Opens the Install certificates dialog for importing certificates to the selected token entries.

    When installing certificates this way, the certificates are only stored in the token; the worker's current key (DEFAULTKEY) and next key (NEXTCERTSIGNKEY) properties are not updated.

  • Remove:
    Opens the Remove key dialog with the selected key aliases already filled in.

  • Details...:
    Opens the details window displaying more information about the token entry:

    • Alias: The key alias

    • Type: The type of entry, i.e. private key, secret key or trusted certificate

    • Creation date: If available the time and date the entry was created

    • Certificate: If available, the subject DN of the end entity certificate. The View button opens a window where the certificates can be inspected.

    • Key specification: If available, the key length or curve used

    • Key algorithm: If available, the algorithm used for the key, i.e. RSA, DSA, ECDSA or AES etc.

Additional information might be available depending on the crypto token implementation.
Double clicking or pressing the Enter key on a selected row opens the details window as well.

Main window: Audit log

The Audit log tab contains controls for querying and filtering the audit log.

  • Current conditions:
    Lists query conditions used to filter the search results.

  • Add:
    Opens a dialog box for adding query conditions.

  • Remove:
    Removes the selected query condition.

  • First:
    Go to the first search results page.

  • Previous:
    Go to the previous search results page.

  • Reload:
    Loads or reloads the search result according to the current search condition(s), index and the selected number of entries per page.

  • Next:
    Go to the next search results page.

  • Displaying results:
    Displays the first row index and the last in the current result.

  • Entries per page:
    The maximum number of rows to display in one page.

Double clicking or pressing the Enter key on a selected row opens a window showing details for the row.

If databaseprotection.enableverify is enabled at the server side, the signature of each displayed row is verified. If the verification fails for any of the rows in a page, an error message is displayed. The error message contains information about the first row that failed.

Main window: Archive

The Archive tab contains controls for querying and filtering the archive.

  • Current conditions:
    Lists query conditions used to filter the search results.

  • Add:
    Opens a dialog box for adding query conditions.

  • Remove:
    Removes the selected query condition.

  • First:
    Go to the first search results page.

  • Previous:
    Go to the previous search results page.

  • Reload:
    Loads or reloads the search result according to the current search condition(s), index and the selected number of entries per page.

  • Next:
    Go to the next search results page.

  • Displaying results:
    Displays the first row index and the last in the current result.

  • Entries per page:
    The maximum number of rows to display in one page.

When one or more rows are selected in the search result, the Fetch selected archive data items button is enabled. Clicking this button opens a dialog for selecting a download directory and downloading the archived data of the selected rows.

Renew key dialog

Generates new keys for all the listed workers. For this to work all workers should have the same password. Key algorithm, Key specification and New key alias must be specified if it is not taken from the worker's configuration.

Test key dialog

Tests keys for all the listed workers. It is possible to test either the current key, the next key (if any) or all the keys in the keystore. For this to work all workers should have the same password. The results show for each key the key alias, SUCCESS and the public key hash if the test signing succeeded.

Generate CSR dialog

Generates certificate signing requests (CSRs) in PKCS#10 format for all listed signers. In the key dropdown menu either the current key (DEFAULTKEY) or the next key can be selected. It is also possible to manually enter a value in the field to generate a CSR for a specific key alias in the crypto token. Signature algorithm, subject distinguished name (DN) and Filename must be specified if not already taken from the worker's configuration. The format of the request can either be a Standard CSR file or a CSR wrapped in a PKCS#7/CMS signed object created by a RequestSigner. The advantage of the last option is that the signature of the request can be verified at the CA.

Install certificates

Installs signer certificate and certificate chains for the listed workers and if next key is chosen that key becomes the new default key.

At least one of Signer certificate and Signer certificate chain columns needs to be filled in. If a file is chosen for Signer certificate then the first certificate from that file will be used as signer certificate. It will also be added to the beginning of the certificate chain (if it is not already there). If a file is chosen for Signer certificate chain then all of the certificates from that file will be included in the certificate chain. The first certificate will be used as signer certificate (if a Signer certificate was not chosen).

If the Install in token check box is selected, the certificate chain will be imported to the worker's crypto token (if the crypto token supports this operation). When this is selected, the key alias to import the chain to in the token can be manually entered in the key column. This is currently only supported for keystore and PKCS11 crypto tokens.

  • Signer certificate: Browse for the signer certificate file in PEM format.

  • Certificate chain: Browse for the signer certificate chain file (or CA certificate(s)) in PEM format.

Renew signer dialog

Requests a Renewal worker to renew all the chosen and selected workers. The Renewal worker will generate a new key if there isn't already a next key available and then contact EJBCA using its web service interface to request a new certificate. After receiving the new certificate it is installed and the next key becomes the current default key. Notice how the Not valid after date and possibly also the Signings column changes and the Renewal checkbox gets unchecked after a successful renewal.

Remove key dialog

Enter the key alias of the key to remove from the crypto token. Note that multiple workers might be using the key. If the crypto token supports key removal the key will be deleted and it might not be possible to restore it.

Global configuration dialog

Lists all the global configuration properties and gives the ability to add, remove or edit properties.

Administrators dialog

Lists all the authorized WS administrators, auditors, archive auditors and peer systems and gives the ability to add, remove or edit them. It is also possible to get the serial number and issuer DN from a certificate file in PEM or DER format by using the From file button.

If already connected over WS, it is possible to click the Load current button to fill in the values from the currently used administrator certificate.

If the Allow any administrator with a valid certificate checkbox is checked, all administrators are given access even if they are not present in the list. This is for instance useful when first setting up the system. After adding your administrators the checkbox can be unchecked. It is recommended to add yourself using the Load current button to be sure the correct information is filled in before disabling access for admins not in the list.
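
When an entry is typed in by hand instead of being loaded with From file or Load current, the format rules given under Edit -> Administrators... and View -> Authorization... (hexadecimal serial number, a space after each comma in the issuer DN, backslash-escaped commas inside components) can be checked beforehand with a small helper. The following is an added example and not part of SignServer; the function names, the acceptance of "0x" prefixes and colon separators in serial numbers, and the constructed sample values are assumptions.

```python
from typing import List

HEX_DIGITS = set("0123456789abcdef")


def normalize_serial(serial: str) -> str:
    """Return the hex serial in lower case without leading zeroes.

    Leading zeroes and letter case are not significant in the dialog, so two
    spellings of the same serial normalize to the same string. Accepting
    "0x" prefixes and colon separators is a convenience of this helper.
    """
    s = serial.strip().lower().replace(":", "")
    if s.startswith("0x"):
        s = s[2:]
    if not s or not set(s) <= HEX_DIGITS:
        raise ValueError(f"not a hexadecimal serial number: {serial!r}")
    return s.lstrip("0") or "0"


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).lstrip())
    if any("=" not in part for part in parts):
        raise ValueError(f"malformed DN component in {dn!r}")
    return parts


def format_issuer_dn(dn: str, reverse: bool = False) -> str:
    """Join components with ", " as the dialog expects.

    reverse=True flips the component order, e.g. to turn a CN-first string
    into the C-first (LDAP DN order) form shown in the examples above.
    """
    parts = split_dn(dn)
    if reverse:
        parts.reverse()
    return ", ".join(parts)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real certificate.
    print(normalize_serial("00:AB:cd:01"))
    print(format_issuer_dn("CN=IssuingCA,O=TestOrganization,C=SE", reverse=True))
    print(format_issuer_dn("CN=Issuing CA,O=Test\\, Inc.,C=SE"))
```

Which component order to enter depends on the issuing CA's Use LDAP DN order setting, as described above; the helper only formats the string and does not decide this.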