This guide will show you how to quickly get started with SignServer in your Kubernetes cluster using Helm charts.
Prerequisites
Before you begin, you need a functioning Kubernetes cluster with kubectl and helm tools configured and ready to use. See Prerequisites.
To authenticate with SignServer Admin Web, you need to import a client certificate into your web browser. If you do not have a client certificate or a Certificate Authority (CA), you can follow the guide Issue Client Authentication Certificate using EJBCA to start a CA and issue a client certificate using EJBCA.
Quick Test Deployment
To verify your cluster setup, deploy an ephemeral SignServer instance using default settings. This starts SignServer with an in-memory H2 database. Data does not persist across restarts and this configuration is not suitable for production use.
Community Edition:
helm install signserver-ce --set image.repository=keyfactor/signserver-ce \
oci://repo.keyfactor.com/charts/signserver-ce --version x.y.z
Enterprise Edition:
helm install signserver --set imagePullSecrets[0].name=keyfactor-registry \
oci://repo.keyfactor.com/charts/signserver --version x.y.z
Wait for the pod to become ready:
kubectl get pods --watch
NAME READY STATUS RESTARTS AGE
signserver-a1b2c3d4e-5f6g7 0/1 Pending 0 0s
signserver-a1b2c3d4e-5f6g7 0/1 ContainerCreating 0 1s
signserver-a1b2c3d4e-5f6g7 0/1 Running 0 1s
signserver-a1b2c3d4e-5f6g7 1/1 Running 0 30s
Once the container is started, access SignServer using your browser and navigate to http://signserver.example.com/signserver/, in this example, http://localhost:8443/signserver/.
First-time access: By default, access to the Admin Web is restricted. Set signserver.allowAny=true on first deployment to gain initial access, then configure administrator certificates under the Administrators page and set allowAny back to false before redeploying. Leaving allowAny=true on subsequent deployments will overwrite any access restrictions you have configured. See Administrators Page for details.
SignServer displays information that client certificate authentication is require. You will need to install an issued client certificate in your web browser.
To authenticate with SignServer Admin Web, you can follow the guide Issue Client Authentication Certificate using EJBCA to start a CA and issue a client certificate using EJBCA.
Next Steps
Once you have confirmed the cluster is working, proceed to Deploy SignServer in Kubernetes.
For advanced configuration, such as HSM integration, logging, autoscaling, and the full set of deployment parameters, see: