SignServer is an application framework that performs cryptographic operations for other applications. It is intended for environments where keys must be protected in hardware but that hardware cannot be connected to existing enterprise applications, or where the operations are considered sensitive enough that the hardware has to be protected more carefully. Another use is to provide a simplified way for different applications to obtain signatures, managed from one location in the company.
SignServer has been designed for high availability and can be clustered for maximum reliability.
SignServer comes with an RFC 3161/5816 compliant Time-Stamp signer serving requests through HTTP or client-authenticated HTTPS; an MRTD (Machine Readable Travel Document, i.e. electronic passport) signer; a PDF signer that automatically adds a signature to an uploaded PDF document; an ODF signer that automatically adds a signature to an uploaded ODF document; an OOXML signer that automatically adds a signature to an uploaded OOXML document; and a validation service used to look up the validity of a given certificate.
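An added example, not part of the SignServer documentation: the RFC 3161 TimeStampReq a client would POST to the Time-Stamp signer over HTTP, DER-encoded by hand so the message layout is visible. The function names are this example's own and the URL is a placeholder, not a SignServer path.

```python
import hashlib
import secrets
import urllib.request
from typing import Optional

# AlgorithmIdentifier for SHA-256: OID 2.16.840.1.101.3.4.2.1 with NULL parameters
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")
SEQUENCE, INTEGER, OCTET_STRING, BOOLEAN = 0x30, 0x02, 0x04, 0x01


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value, switching to long-form length at 128 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_uint(value: int) -> bytes:
    """Encode a non-negative INTEGER; the byte count keeps the sign bit clear."""
    return der(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_timestamp_request(data: bytes, nonce: Optional[int] = None,
                            cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version, messageImprint, nonce, certReq }."""
    digest = hashlib.sha256(data).digest()  # only the hash leaves the client
    imprint = der(SEQUENCE, SHA256_ALG_ID + der(OCTET_STRING, digest))
    if nonce is None:
        nonce = secrets.randbits(64)  # fresh per request, echoed in the response
    body = der_uint(1) + imprint + der_uint(nonce)
    if cert_req:  # DEFAULT FALSE, so DER encodes the field only when TRUE
        body += der(BOOLEAN, b"\xff")
    return der(SEQUENCE, body)


def timestamp_http_request(url: str, tsq: bytes) -> urllib.request.Request:
    """Wrap the DER request in the POST that RFC 3161 defines for HTTP transport."""
    return urllib.request.Request(
        url, data=tsq, headers={"Content-Type": "application/timestamp-query"})


if __name__ == "__main__":
    tsq = build_timestamp_request(b"constructed sample document")
    # Placeholder URL (assumption): substitute the address of your Time-Stamp signer.
    req = timestamp_http_request("https://signserver.example.test/tsa-placeholder", tsq)
    print(req.get_method(), req.full_url, tsq.hex())
```

The reply arrives as `application/timestamp-reply`; a client should confirm that it echoes the nonce and the message imprint before trusting the token.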
|Signer||A Processable service performing signatures upon requests. This could be a ready made signer or a custom developed one.|
|Crypto Token (former Sign Token)||A Crypto Token is the entity that contains the private key and is responsible for its cryptographic operations. Each worker can contain a crypto token or reference a crypto token from another worker.|
|Crypto Worker||A worker that performs no operations of its own and only hosts a Crypto Token that can be referenced by other workers.|
|Extended Crypto Token||An enhanced Crypto Token with support for symmetric key operations.|
|PKCS11CryptoToken||A Crypto Token able to communicate with Hardware Security Modules through the standard PKCS11 interface.|
|TimedService (former Service)||A TimedService is a task that is run at regular intervals, performing maintenance tasks such as changing the active key or generating a report.|
|Worker||A common name for Processable (Signer or other type of service) and TimedService|
|Processable||A type of worker that is used to process requests, i.e. not a TimedService.|
|Worker Configuration||Each Worker can be configured with properties specific to that worker. There are two sets of worker configuration: one "active", which is used by the signer, and one "current", which is the one configured by the administrator. The current configuration isn't used in production until the administrator issues the reload command. This makes it possible for the administrator to configure multiple properties and double-check them before they are actually used.|
|Global Configuration Store||A dynamic store used to define the available Workers and their Crypto Tokens. Other data that needs to be read globally can be set there as well. The global configuration properties are activated immediately. There are two different scopes for the store data, Global Scope and Node Scope.|
|Global Scope||Data stored in the global configuration that can be read by all nodes in the cluster.|
|Node Scope||Data that is node specific and can only be read within the same node.|
|Worker Id||Unique identifier of a worker, an integer larger than 0|
|Worker Name||A name used as a human readable synonym for a Worker Id|
|Validation Service||A Processable that checks whether a certificate is valid or not. There is a Default Validation Service implementation that should work in most cases. A Validation Service should have one or more Validators configured.|
|Certificate Validator (former Validator)||A Certificate Validator is responsible for checking the status of one or more issuer's certificates. It could act as an OCSP client or a CRL checker, or just look up the status in a database.|
|Document Validator||A Document Validator validates a signed document by checking its signature and corresponding certificate(s), and returns the validation result.|
|Authorizer||An interface that lets developers integrate the authorization of who may send requests to a Processable with existing authorization systems.|
|Time Stamp Signer||A Signer that can be used to set up a Timestamp Authority according to RFC 3161.|
|MRTD Signer||A Signer that performs signatures of MRTD (Machine Readable Travel Documents, i.e. Electronic Passports) blobs.|
|MRTD SOD Signer||A Signer that creates the complete security object (SOd) for a MRTD (Machine Readable Travel Document, i.e. Electronic Passports) by signing the data groups.|
|PDF Signer||A Signer that attaches an electronic signature to a PDF document.|
|XML Signer||A Signer that inserts an enveloped signature into XML documents (XMLDSig)|
|XML Validator||A Document Validator that validates signed XML documents (XMLDSig)|
|XAdES Signer||A Signer signing XML documents using XAdES|
|ODF Signer||A Signer that attaches an electronic signature to an ODF document. ODF Signer is tested with documents produced by OpenOffice.org v 3.1.0|
|ODF (Open Document Format) Document||XML-based file format for representing electronic documents such as spreadsheets, charts, presentations and word processing documents.|
|OOXML (Office Open XML) Document||XML-based file format for representing spreadsheets, charts, presentations and word processing documents.|
|OOXML Signer||A Signer that attaches an electronic signature to an OOXML document.|
|Archiver||Implementation handling archiving of a worker's response and/or request by storing it in a database or similar.|
SignServer is a framework designed to perform different kinds of cryptographic operations for different applications.
Since version 3.0 there are three kinds of processable services. Signers are used to sign or otherwise process requested data. Validation Services are used to verify the validity of a certificate against a set of backed issuers. The validation service can be used to simplify the integration of PKIs into existing applications. In addition to processable services there is another concept called Timed Service (called just 'service' in the 2.0 edition): plug-ins that run at defined intervals and perform maintenance or reporting routines.
The main way of communicating with SignServer is through the HTTP (web server) interface. There is also a web services (SOAP WS) interface available, but that uses a special binary format for encoding the requests and responses.
The base component is called a Worker, which is assigned an ID, optionally a name, and a configuration. A sub-component is a Processable, which receives and processes requests. A Processable optionally has access to a cryptographic token (CryptoToken) in charge of managing the Processable's keys. A CryptoToken can be either software or hardware based.
The application is administered through a command-line interface, where the properties and access control can be configured.
One SignServer can have multiple services for different purposes.