Install SignServer

The following describes the server side installation of SignServer:

Before you install SignServer, see the following sections:

Download and Unpack SignServer

Download and unzip the latest SignServer Enterprise Edition from your PrimeKey download area or use the latest SignServer Community Edition release archive from SourceForge.

SignServer is available in the following different distributions:

  • signserver-5.x.y-bin.zip: The binary distribution. Recommended.

  • signserver-5.x.y.zip: The mixed distribution. Contains the sources and all required libraries. This distribution requires you to build SignServer before deploying, see Optional: Build SignServer.

  • signserver-5.x.y-src.tar.gz: The source-only tarball distribution. This distribution cannot be deployed without first gathering all the dependencies and then building it. If you choose this one, you are on your own.

Make sure to compare the checksums as provided on https://signserver.org/download.html, or from a by PrimeKey provided download site.

sha256sum signserver-5.x.y-bin.zip
unzip signserver-5.x.y-bin.zip

Alternatively, you can checkout the latest unstable version from the Subversion (SVN) repository. Note that as with the mixed distribution, the latest unstable version needs to be built before deploying.

Optional: Build SignServer

Skip this step if you downloaded the binary distribution (recommended) and proceed to the step Set Environment Variables.

Building SignServer is only required if you chose to download the mixed distribution, or checked out the latest SVN version, and want to build SignServer yourself before copying it to the target server.

To build SignServer, perform the following steps on your build machine.

Install Maven

For example, to install Maven in CentOS 7, run something like the following:

sudo yum install maven

Ensure Secure Maven Installation

Before running Maven (mvn) commands, ensure that you have a secure Maven installation that does not contact the Central repository over insecure HTTP. Ensure that the URL for the Central repository is specified with HTTPS (and/or use an internal repository).

For an example on how to override the default Maven settings in ~/.m2/settings.xml, refer to the sample-maven-settings-community.xml file provided in your SignServer release. To view the current settings, run:

mvn help:effective-settings

Set Edition

To set the edition (generating res/edition.properties), run:

bin/ant init

Build from Sources

To build from the sources, run:

mvn install -DskipTests

Set Environment Variables

APPSRV_HOME

Set APPSRV_HOME to point to your application server installation.

To set the APPSRV_HOME environment variable for WildFly 14, for example use:

export APPSRV_HOME=/opt/wildfly-14.0.1.Final

The APPSRV_HOME variable is used when deploying to the application server and could for example be set in your .bashrc or similar file, or be provided every time the deploy command is executed.

SIGNSERVER_NODEID

To set SIGNSERVER_NODEID to a unique ID for the server, use:

export SIGNSERVER_NODEID=node1

The SIGNSERVER_NODEID variable should be available to the application server and might need to be set in /etc/environment or similar. The variable is generally not mandatory but if not set, warnings will be printed in the log.

Configure Deployment

Deployment Properties

The file signserver_deploy.properties includes configuration settings for the application, database, and web services.

Copy conf/signserver_deploy.properties.sample to conf/signserver_deploy.properties and open it for editing in a text editor.

cp conf/signserver_deploy.properties.sample conf/signserver_deploy.properties

If using a database other than MySQL and MariaDB, update the property database.name. The following shows the default value, used for both MySQL and MariaDB:

database.name=mysql

SignServer Without Database

You can choose to install SignServer without a database management system and instead rely on SignServer to manage persistence using local files, see SignServer without Database.

To run SignServer without a database, set database.name to nodb in the signserver_deploy.properties file :

database.name=nodb

Set the location for the local file-based database:

database.nodb.location=/opt/signserver/nodb

Ensure to specify a path to a location where SignServer can write files. The default value is empty. If a relative path is used, it is most likely relative to the application server's working directory. The directory should either point to an existing SignServer file database, or be completely empty. If the directory is empty, SignServer will create the initial database structure at startup.

mkdir /opt/signserver/nodb

Audit Log Signing Properties

The file databaseprotection.properties includes configuration for audit log signing and verification that can be used in Enterprise Edition when running with database.

Copy conf/databaseprotection.properties.sample to conf/databaseprotection.properties and open it for editing in a text editor.

cp conf/databaseprotection.properties.sample conf/databaseprotection.properties

For information on how to configure for signed audit logs in the database, see Signed log.

Deploy SignServer

Run bin/ant deploy to build the configuration and deploy it to the selected application server:

bin/ant deploy

Make sure the application server is running and verify that SignServer was deployed correctly.

For example, look at the server log or for WildFly, run:

ls /opt/wildfly/standalone/deployments | grep signserver.ear*

Verify Installation and Access SignServer

To verify your SignServer installation, access one of the available user interfaces.

Public Web

To verify that SignServer is deployed and to access links to documentation and so on, point your web browser to http://localhost:8080/signserver.

Administration CLI

To test the access to the server and print the deployed version, run the following Admin CLI command:

bin/signserver getstatus brief all
Current version of server is: SignServer EE 5.0.0

Administration Web

To access the SignServer Admin Web, point your web browser to http://localhost:8080/signserver/adminweb.

To temporarily allow all valid client certificates to administer the Administration Web, run the following:

bin/signserver wsadmins -allowany

For more information, see Administration Web.