SignServer Release Notes Summary

The following summary lists release notes for all SignServer versions.

For information on features and improvements implemented in this release, see the SignServer Release Notes. The SignServer Release Notes also include a change log, listing all issues resolved in the release and a cross-reference to our JIRA Issue Tracker for full details on issues resolved in the release.

SignServer 5.0.0


  • Upgraded libraries and internal dependencies

  • Support for running on WildFly 14 and JBoss EAP 7

  • Initial support for running on Java 11

  • Restructured and improved installation guide and release information

SignServer 4.4.1


  • New Authorizer component for logging cookies from the request

  • Improvements to startup scripts


  • While SignServer still requires Java 7 or 8, the Client command line interface (SignClient) can now additionally also be run on Java 11.

  • Error handling improvements

SignServer 4.3.2


  • New authorizer for logging cookies from the request


  • Performance test CLI now uses SHA-256 for the time-stamp request

SignServer 4.4.0

New features and improvements

  • Support for on-demand generated one-time keys with short-lived certificates issued from EJBCA.

  • 12 other minor improvements

Bug fixes

  • Time-stamp hash algorithm used by XAdESSigner should be configurable

  • Error with MSI signing when certificate not installed in token

  • OCSP validator failed with external OCSP responder

  • Admin GUI download bundle failed to start

  • 7 other bug fixes

SignServer 4.3.1


  • Sensitive information masked in status output, configuration and logs.

Administration Web

  • New possibility to easily select 'all' in the tables.

  • Improved certificate export page.

  • Character encoding handled correctly when importing configuration.

  • A number of other minor bug fixes or improvements.

Configuration and Deployment

  • Key usage counter disabled by default in sample configuration files.

  • Fixed typos in sample configuration files.

  • Sample Systemd service file added.

  • Fixed deployment issue with Ant version 1.10.2.

  • CLI scripts for Windows updated or added were missing.


  • Fixed regression with key usage counter and signer validity checks in some situations.

  • Tokens are verified after signing to ensure the right key/certificate is used.

  • Improved error reporting in TimeMonitor when an incorrect time server is configured.

  • TimeMonitor now picks the results chosen by ntpdate when multiple are available.

  • Removed redundant 'Accuracy' field in the SignClient output.

Code Signing

  • Fixed error message in SignClient when file type could not be determined.

  • SignClient in client-side mode now properly refuses already Authenticode signed files.

SignServer 4.3.0

New features and improvements

  • SignClient Server Failover and Loadbalancing

  • Strong Algorithms by Default

  • Key Wrapping (limited support)

  • New Alternative PKCS#11 Provider (experimental)

  • Utimaco HSM in FIPS Mode Support

Bug fixes

  • Regression Worker lockup under high load when database interactions was configured.

  • SOD Signer was not including NULL parameter for RSASSA-PKCS1 signature as required by ICAO.

SignServer 4.2.2

Bug fixes

  • Signing is no longer initialized if it is going to be refused in TimeStampSigner.

  • Signing is no longer initialized if it is going to be refused in MasterListSigner.

  • An out of memory issue in the the database CLI command was fixed.

SignServer 4.2.1

New features and improvements

  • Use a signature algorithm supported by HSM for test signing

  • Tested with WildFly 10, JBoss EAP 7 and Java 8

  • Performance test tool included in Client CLI download bundle

  • Documentation improvements

  • 9 other features or improvements

Bug fixes

  • SignClient on Windows was missing some new enterprise features

  • Error after importing certificate using explicit ECC parameters

  • Issuer DN issue in Admin Web when importing admin certificate

  • Issuer DN not displayed for authorized clients in Admin Web

  • Exception on empty CRL in PDF signer

  • 18 other bug fixes

SignServer 4.2.0

Featured Features

  • Rekeying from EJBCA using Peer Connectors.

  • Client-side hashing for Authenticode and JAR signing.


  • Bouncy Castle and CESeCore libraries updated.

  • Fixed translation issues.

  • New PrimeKey logos.

Code Signing

  • Authenticode signing with client-side hashing.

  • JAR signing with client-side hashing.

  • One issue with duplicated signature names fixed for JAR signing.

Bug Fixes

  • One issue with SignClient exit code fixed.

SignServer 4.1.1


  • Legacy option to encode the time-stamp tokens as before Bouncy Castle 1.50.

  • Legacy option to not include the RFC#6211 cmsAlgorithmProtection attribute in the token.

PDF Signing

  • Issue with PDF version if digest specified as SHA-256 instead of SHA256 resolved. Fix contributed by Aziz Göktepe.

Admin Web

  • A number of translation issues fixed.

Bug fixes

  • There was 7 issues fixed.

SignServer 4.1.0

Major Features

  • A brand new administration web interface.

  • Support for signing Windows Installer (MSI) packages.

General Signing

  • Support for hashing on the client side for CMS/PKCS#7 detached signatures.

Code Signing

  • Added MSI signing support.

  • Performance: Option to disable request hashing in the Plain Signer.


  • Adapted CMS Signer to be suitable for signing ICAO Deviation Lists.


  • Added sample init.d script for running the SignServer TimeMonitor.


  • Restructured and improved documentation.

  • Improved Javadoc for the AdminWS and ClientWS interfaces.


  • Further security hardening of the web applications including Content Security Policy headers and HttpOnly cookie protection.

  • Removed a potential cross site scripting vulnerability on the public web only affecting a set up with the TimeMonitorManager and normally restricted to authenticated users only.

  • Libraries has been upgraded.

Bug Fixes

  • There was 16 issues fixed.

SignServer 4.0.2

New features

  • Support for configurable content OID in CMS signatures

  • Support for DER encoding of CMS signatures

Bug fixes

  • Master list signer was only working with certificate installed in token

  • Issues with PDF permissions when PDF version gets upgraded

  • Regression: TimeMonitor manual was not available in the SignServer manual

SignServer 4.0.1

New features

  • Support for RFC 3161 timestamps in the Authenticode signer

  • Ability to download integration CLI in the same way as the Admin GUI


  • Performance improvements

  • Additional PKCS#11 library definitions

  • Make inclusion of IssuerSerial in SigningCertificate in Time-stamp tokens optional

  • Security hardening

Bug fixes

  • A security issue

  • ClassCastException trying to test key from Admin GUI running against local SignServer instance

  • EchoWorker not working

  • Web service interface not working from client CLI distribution

  • Incorrect documentation for DispatchedAuthorizer

  • Fixes in SQL create scripts

  • Wrong icon for crypto workers in admin GUI

SignServer 4.0.0

Major new features and improvements

  • Support for large files (Enterprise Edition)

  • Major internal library updates such as CESeCore 6.4 and BouncyCastle 1.53

  • Build system changed from Ant to Maven

  • Many internal API improvements

  • Support for RFC 5816 time-stamps

  • Initial Payara 4.1 support

Bug fixes

  • Bug in BouncyCastle related to extensions in time-stamps

  • ClientWS interface did not handle X-Forwarded-For header

  • Fixed spelling typos

  • Fixed unit tests not running automatically

  • Fixed stylesheet on public web pages

SignServer 3.7.4

New feature

  • Support for qcStatements extension for Qualified Electronic Time-stamps


  • More reliable calculation of free memory in Health Check

Bug fixes

  • Fixed issue with PostgreSQL

  • Fixed archive querying when running the GUI locally

  • Fixed possible deadlock when running XML validator under high load

  • A few documentation and sample configuration fixes

SignServer 3.7.3

  • The renewsigner admin CLI command will no longer prompt for an authcode when the -authcode CLI argument is omitted, use the new -authprompt option to get an interactive prompt. When the authcode is not given (or prompted for), the command will not automatically (re)activate the token.

SignServer 3.7.2

Bug fixes

  • Performance: Cache key option now improves performance with network HSM

  • Performance: The response time is improved on some systems

SignServer 3.7.1

New features

  • Java code signing support (including Android).

  • Support for key generation with custom RSA public exponent.


  • Support for large files in Client CLI.

  • Minor performance improvements.

  • Improved output from Client CLI.

  • MRTD signing interface improvements (ePassport).

  • Administration GUI improvements.

  • Improved language in the manuals.

Bug fixes

  • Security issue in Commons Collections library.

  • Regression: Renewing keys for multiple workers at once did not fully work in the Administration GUI.

  • Bin folder can not be put in the PATH environment variable.

  • Username/password not accepted if client certificate presented.

  • The FirstActiveDispatcher logs using the dispatchees fields.

  • 24 other bug fixes.

SignServer 3.7.0

New features

  • Indivual keys. Key aliases in crypto tokens can be selected by workers at run-time based on the incoming request using the new AliasSelector interface. An implementation selecting aliases based on the authenticated user of the request is included.

Bug fixes

  • Crypto token operations in the administration GUI no requires clicking outside of the last edited input field to be able to perform the action (i.e. when generating keys).

SignServer 3.6.3

New Features and Improvements

  • Authenticode signer for portable executables (enterprise edition only).

  • CSCA Master List Signer (enterprise edition only).

  • Signer that produces plain signatures.

  • Configurable maximum upload limit.

Bug fixes

  • Key test results now displays correctly in audit log.

  • Database tables now only listed once during deployment.

  • Soft keys are now also removed directly from memory.

  • JBoss config folder directory corrected in installation instructions.

  • Dispatchers status page now lists configuration errors.

SignServer 3.6.2

Bug fixes

  • Security issue in XML workers

  • Regression: Menu command for activating workers not working properly in GUI


  • Honouring rate limiting messages in TimeMonitor

  • Updated list of 3rd party dependencies and licenses

SignServer 3.6.1

New feature

  • Added detached signature option to CMSSigner (contributed by Pablo Ruiz García)


  • Better documentation about how to specify issuer DN for clients and webservice administrators

  • Issued timestamping certificates for sample soft keystores

Bug fixes

  • Fixed KeyStoreCryptoToken to initialize key usage counter when no password is specified in configuration

  • Fixed a regression when ACCEPTEDEXTENSIONS was empty

  • Fixed EJB CLI/GUI access with JBoss AS 7 in Windows

  • Fixed an issue where timestamp responses where double base64-encoded in the log

  • Timestamp and MS authenticode timestamp signer will now check that there is only one extended key usage (timeStamping) set at configuration time instead of failing just at runtime

  • Serial numbers for administrators and clients can be entered with leading zeros and in either case for hexadecimal letters

  • Fixed an issue where installed certificate does not override certificate in keystore

  • Fixed adding authorized WS client in GUI from certificate file

  • Fixed an issue where issuer DN contains characters that needs escaping

SignServer 3.6.0

New features and improvements

  • Independent worker and crypto token configuration

  • Querying of database archive from WS and GUI

  • Support for specifying HSM slot by label

  • HSM keep alive service

  • Underlying CESeCore library upgraded

  • Separation between community and enterprise editions

  • New application: SignServer TimeMonitor (enterprise edition only)

Bug fixes

  • Fixed an error when querying the audit log without any conditions

  • Removed a duplicated invocation in the Admin GUI

SignServer 3.5.2

New features and improvements

  • Support for SHA-2 hash algorithms in PDFSigner

  • Support for using the worker servlet when running the stress test tool

  • Checksums using SHA256 are now available for the releases

  • System tests now set up trust stores in case HTTPS is used

  • System tests are now included in the binary distribution

  • Apache Santuario (XML Security) library has been updated to version 1.5.7

Bug fixes

  • An XML signer performance regression has been fixed by a dependency update

  • PDF and XAdES signers caused deadlocks under high load when using a local TSA

  • Audit log errors are now displayed in the Admin GUI

  • An environment variable is now honored in the signserver-db script again

  • Ant target for copying modules was not working for custom sub modules

  • Added note about AdminGUI login issues with smartcard if the path to DLL contains parenthesis.

SignServer 3.5.1

New features and improvements

  • Support for passing request meta data

  • Support for configuring number of certificates to include in signature

  • API for billing/accounting

  • Command to print time-stamp requests and responses

  • Improved error reporting for crypto tokens and RenewalWorker

  • Improved ability to have custom modules

  • Updated sample PKCS#11 attributes to not store the public key

  • Documentation for MRTDSODSigner

  • Made all Dispatchers work together with DispatchedAuthorizer

  • Added test configuration files and performance CLI to binary distribution

  • Improved system test configuration options

  • Always display connect dialog when starting the AdminGUI

  • Added getproperty command to AdminCLI

  • Support for setting PKCS#11 attributes without referencing a file

  • Support for generating keys for JKS soft crypto tokens

Bug fixes

  • Fixed AdminGUI smart card login failure on second attempt

  • Implemented workaround for smart card login error when multiple readers are available for which some does not have tokens present

  • Fixed a deployment issue with Clover

  • Fixed proper exist codes from Ant wrapper script

  • Fixed issue in AdminGUI when adding workers in a specific way

  • Fixed a possible networking issue with the time-stamp client

  • Corrected an error message in RenewalWorker

  • Fixed an issue when running client CLI over ClientWS with debug enabled

  • Fixed main class attribute in SignServer-Test-Performance.jar

  • Fixed an issue with a button in AdminGUI not being initially disabled

  • Fixed arguments parsing in the renewsigner command and added missing authcode argument

SignServer 3.5.0

New features and improvements

  • Support for JBoss AS 7.1, JBoss EAP 6.1 and GlassFish 3.1.

  • Support for MariaDB.

  • Support for JDK 7.

  • All worker configuration can now be done from the Admin GUI.

  • Document signer for XAdES-BES and XAdES-T contributed by Luis Maia.

  • Document validator for XAdES-BES and XAdES-T.

  • Support for different signature algorithms in XML signers.

  • Various AdminGUI/remote administration improvements.

Bug fixes

  • Empty certificate chain in setproperties call gave error.

SignServer 3.4.3

Bug fixes

  • Regression introduced in 3.4.2: test signatures were not performed as part of the getstatus command or from health check

  • Security issue in bundled library

SignServer 3.4.2

New features and improvements

  • Uses PKCS11CryptoToken from CESeCore

  • Support for starting audit log verification from a specified sequence number

  • Option to archive all X-Forwarded-For addresses

  • Option to include the ordering field in time-stamp tokens even if it has value false

  • Option to not include the signingTime CMS attribute in time-stamp signer

  • Option to cache PKCS#11 key reference to increase performance

  • Includes IssuerSerial in the SigningCertificate attribute in time-stamp signer

Bug fixes

  • HSM auto activation was not working when signed audit log was used

  • Key generation was not working with slotListIndex

  • ClientCLI over web services was not working unless includemodulesinbuild specified

SignServer 3.4.1

New features and improvements

  • Added support for IPv6 and multiple proxies in ListBasedAddressAuthorizer.

  • Support for specifying the signature algorithm in CMS signer.

  • Support for the signerCertificate attribute in the MS Authenticode time stamp signer.

  • Support for generating CSR with EDSA explicit parameters in the admin GUI and the RenewalWorker.

  • Log worker name in the worker log.

  • Easy import of issuer and serial number from certificate in admin GUI, when adding administrator rules.

  • Added an option to set the correct TSA name from the subject DN automatically for the time stamp signer.

  • All workers report themselves as offline when misconfigured.

  • Added health check rate limiter.

  • Added database setup scripts for PostgreSQL.

Bug fixes

  • ContentInfo contained a double encoded octet string in the MS Authenticode time stamp signer.

  • Unauthorized health check queries incorrectly logged.

SignServer 3.4.0

This is a major release - in total 27 features, options, bugs and stabilizations have been fixed or added. The most noteworthy changes can be seen below.

Major changes

  • Secure logging to database using CESeCore.

  • Support for querying audit log from CLI, GUI and web services.

  • Configurable which Status Repository updates to log.

  • Access group for auditors.

  • Database CLI for verifying audit log.

  • Support for PostgreSQL.

Bug fixes

  • Fixed a couple of NPE bugs.

  • Fixed logging in over webservices using a JKS keystore in the Admin GUI.

  • Fixed some randomly failing unit tests.

  • Other minor bugfixes.

SignServer 3.3.0

This is a major release - in total 57 features, options, bugs and stabilizations have been fixed or added. The most noteworthy changes can be seen below.

Major changes

  • New client web services API

  • MS Authenticode time-stamp signer

  • Support for archiving of time-stamp requests

  • Logging of all changes to service components

  • Stress test tool for measuring performance

  • Dropped support for JBoss 4.2.x.

  • Dropped support for cluster class loader

  • Dropped support for WSRA

  • Upgrade of internal cryptographic library

  • Many more minor improvements

Bug fixes

  • Fixed the Renewal worker which required a trust store password even when a trust store was not used

  • Fixed an NPE when trying to activate a worker of type Dispatcher

  • Fixed archiving that could not be done twice for the same document

  • Fixed printing of server version from CLI

  • Fixed system tests that could not be compiled after opening the project with NetBeans IDE 7.2

  • Fixed StatusPropertiesWorker so that it no longer requires a cryptotoken to be configured

  • Fixed Address Authorizers to return HTTP 403 (forbidden) and not HTTP 401 (unauthorized) as before.

SignServer 3.2.4

New features and improvements

  • Installation script contributed by Antoine Louiset

  • Add test cases for TimeStampSigner with other key algorithms than RSA

  • Improved feature list at

Bug fixes

  • Using worker id does not work in Client CLI

  • JBoss 5 throws NPE on shutdown of SignServer

  • Renewal worker does not use the requested DN in certificate request

  • StatusPropertiesWorker requires a cryptotoken to be configured

SignServer 3.2.3

Major new features and improvements

  • Support for SignServer without database

  • Configurable to disable the key usage counter

  • Signer certificate check in Health check for all Signers

  • Check that the timestamp signer certificate is included in the certificate chain

  • Health check response of TimeStampSigner now considers status of time source

  • Down-for-maintenance support in Health check

  • Support for supplying filename as request metadata

Bug fixes

  • Client CLI only supported 10 arguments on Windows

  • Null value was inserted when removing last wsadmin on Oracle

  • PDF Signature could not be larger than 15000 bytes

  • Sample configuration for renewal worker not functional

  • Various documentation updates.

SignServer 3.2.2

Major new features and improvements

  • Support for denying timestamp requests unless the time source is considered in sync

  • Support for dispatching timestamp requests to different timestamp units/signers

  • Support for accessing workers using the /worker/* URL pattern gives easier filtering with a proxy

  • Signer's status report can now be offered by a worker and not just a timed service

  • The log field PROCESS_SUCCESS can now have the value "false" if a request failed

  • Hostname displayed in title bar of AdminGUI simplifies when managing multiple servers

Bug fixes

  • Build failure on W7 X64

  • Sample code using web services should use HTTPS

  • URL for documentation only working with JBoss 4.

SignServer 3.2.1

Major new features and improvements

  • Improve servlet error handling

  • Deploy documentation with application

  • Improved API for archiving

  • Support for signing PDFs with document restrictions

  • Support for PDF permissions enforcement

  • Support for modifying PDF permissions

  • Support for setting a PDF permissions password

  • Refuse to certify PDFs already certified and refuse to sign when signing is not allowed

Bug fixes

  • Remote EJB worker interface could not be used with ECC with explicit parameters

  • Warnings printed on STDERR

  • Web service interface did not log XFORWARDEDFOR headers

  • Typo in sample configuration for PDFSigner

  • Setting healthcheck properties had no effect

  • CRL download should close streams correctly and allow for caching

  • Supplied username and password ignored in SigningAndValidationWS

  • Unit tests failed in certain situations

  • Ant target for testing individual tests did not work

  • Switching application server type did not update

  • JavaDoc failed to build.

SignServer 3.2.0

This is a major release - in total 49 features, options, bugs and stabilizations have been fixed or added. The most noteworthy changes can be seen below.

Major new features and improvements

  • Administration Web Service (WS) interface

  • Administration GUI desktop application

  • Client command line interface (CLI)

  • Support for GlassFish Server 2.1.1

  • Support for JBoss Application Server 5.1.0

  • Support for Oracle Database

  • Semi-automatic key generation and certificate renewal from EJBCA

  • Improved audit and transaction logging

  • Improved project structure dividing the modules in sub-projects

  • Front page listing all demo web pages

Known Issues

  • Web services no longer work on JBoss 4 if HTTPS is not used as JBoss 4 rewrites the end point URL in the WSDL file to always start with "https://" (since DSS-327).

SignServer 3.1.5

This is just a minor maintenance release preparing for the upcoming 3.2 release - in total 7 features, options, bugs and stabilizations have been fixed or added. The most noteworthy changes can be seen below.

New features and improvements

  • Support for HTTPS in the SigningAndValidation API

  • Harden the PDF Signer against PDF signature collisions

  • Function in the build script for create source-only release archives

Bug fixes

  • Problem in a unit test for certain dates

  • NPE in TimeStampSigner if certificate is missing