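# Sample crypto worker configuration using P11NG PKCS11 CryptoToken.
#
# One KEY=VALUE setting per line; a leading "#" makes the whole line a comment.
# Lines starting with "#WORKERGENID1." are alternative values kept for
# reference: enable at most one value per key.

# Type of worker and implementation
WORKERGENID1.TYPE=PROCESSABLE
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.module.signumsigner.SignumSigner
# NOTE(review): confirm this authorizer restricts who may request signatures;
# with client-side hashing enabled below, the worker signs digests whose
# original content it never sees.
WORKERGENID1.AUTHTYPE=org.signserver.server.managed.ManagedAuthorizer

# Uses a HSM or smart card through PKCS#11:
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.p11ng.common.cryptotoken.P11NGCryptoToken

# Name for other workers to reference this worker:
WORKERGENID1.NAME=CryptoTokenP11NG1

# Exposes the worker through the Managed REST API
WORKERGENID1.MANAGED_VISIBLE=true

# Name of the PKCS#11 shared library to use:
# The samples below correspond to the ones set by default in the deploy
# configuration.
# To add new definitions or customize existing ones, see
# conf/signserver_deploy.properties.sample.
# SoftHSM is a software token (and the Emulator entry presumably is too), so
# those two suit testing rather than production keys.
WORKERGENID1.SHAREDLIBRARYNAME=SafeNet ProtectServer Gold
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet ProtectServer Gold Emulator
#WORKERGENID1.SHAREDLIBRARYNAME=SoftHSM
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet Luna Client
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet Luna SA
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet Luna PCI
#WORKERGENID1.SHAREDLIBRARYNAME=Utimaco
#WORKERGENID1.SHAREDLIBRARYNAME=nCipher
#WORKERGENID1.SHAREDLIBRARYNAME=OpenSC
#WORKERGENID1.SHAREDLIBRARYNAME=P11 Proxy

# Method for pointing out which slot to use:
WORKERGENID1.SLOTLABELTYPE=SLOT_NUMBER
#WORKERGENID1.SLOTLABELTYPE=SLOT_INDEX

# Which slot to use:
WORKERGENID1.SLOTLABELVALUE=1
#WORKERGENID1.SLOTLABELVALUE=0

# If the key usage counter is disabled
# NOTE(review): with the counter disabled, a limit on the number of signatures
# per key presumably cannot be enforced - confirm before relying on one.
WORKERGENID1.DISABLEKEYUSAGECOUNTER=true

# Optional password of the slot. If specified the token is "auto-activated".
# foo123 is a sample value only. Setting PIN keeps the slot password in this
# worker configuration, so anyone who can read the configuration can activate
# the token; leave it unset and activate manually where that is acceptable.
#WORKERGENID1.PIN=foo123

# Signature algorithm for the dummy certificate stored in HSM
# as part of key generation
# NOTE(review): left empty here; presumably the implementation default
# applies - confirm.
WORKERGENID1.SELFSIGNED_SIGNATUREALGORITHM=
#WORKERGENID1.SELFSIGNED_SIGNATUREALGORITHM=SHA256withRSA

# Optional PKCS#11 attributes used for key generation
# The values below request a signing-only RSA key pair: the public key may
# only verify and the private key may only sign (no encrypt/decrypt, no
# wrap/unwrap). CKA_SENSITIVE=true together with CKA_EXTRACTABLE=false asks
# the token never to reveal or export the private key value.
WORKERGENID1.ATTRIBUTE.PUBLIC.RSA.CKA_ENCRYPT = false
WORKERGENID1.ATTRIBUTE.PUBLIC.RSA.CKA_VERIFY = true
WORKERGENID1.ATTRIBUTE.PUBLIC.RSA.CKA_WRAP = false
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_SIGN = true
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_PRIVATE = true
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_SENSITIVE = true
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_EXTRACTABLE = false
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_DECRYPT = false
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_UNWRAP = false
# Optional restriction of the mechanisms the private key may be used with.
# The first list allows both PKCS#1 v1.5 and PSS signing mechanisms; the
# second allows the PSS mechanisms only.
#WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_ALLOWED_MECHANISMS=CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS
#WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_ALLOWED_MECHANISMS=CKM_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS

# If the signer should by default use client-side hashing (the request data
# to the signer is implied to be the pre-computed digest), this requires
# the ACCEPTED_HASH_DIGEST_ALGORITHMS property to be set
WORKERGENID1.CLIENTSIDEHASHING=true

# If the signer should allow overriding whether the request is using a client-
# side digest or not (by a request metadata parameter)
# Enabling this lets each requester choose the hashing mode; keep it
# commented out unless callers actually need both modes.
#WORKERGENID1.ALLOW_CLIENTSIDEHASHING_OVERRIDE=true

# Accepted digest hash algorithms used when the request is using a client-side
# hash. This is required if either CLIENTSIDEHASHING or
# ALLOW_CLIENTSIDEHASHING_OVERRIDE is defined and set to "true".
# Keep this list limited to the digests callers are expected to send.
WORKERGENID1.ACCEPTED_HASH_DIGEST_ALGORITHMS=SHA-256,SHA-384,SHA-512

# If a default key is configured, activation is tested by using the default key.
# If there is no configured default key,
# the activation is tested by a test connection to the HSM.
#WORKERGENID1.DEFAULTKEY=testkey0
#WORKERGENID1.DEFAULTKEY=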