SignServer can be deployed in Kubernetes using a Helm chart, enabling scalable, containerized signing infrastructure that is straightforward to configure and upgrade.
This documentation covers everything needed to deploy and operate SignServer in Kubernetes.
Deployment Options
A SignServer Kubernetes deployment consists of the following components:
The SignServer container is available in two editions:
-
Community Edition (CE): Free and open source, available from Docker Hub (
keyfactor/signserver-ce). Includes core signing functionality. -
Enterprise Edition (EE): Commercially supported by Keyfactor, with additional signers, HSM support, and advanced features. Requires registry credentials from Keyfactor.
For a full list of included components, see SignServer Container Set.
HSM Sidecar Containers: For production deployments, HSM sidecar containers allow SignServer to communicate with a network-attached Hardware Security Module over PKCS#11. See HSM Integration.
Scaling and Availability
SignServer container deployments can be scaled horizontally by increasing the replica count. Additional container instances distribute load and improve availability. Autoscaling based on CPU or memory utilization is also supported. See replicaCount and autoscaling in SignServer Helm Deployment Parameters.
Migration from Community to Enterprise
The SignServer Community container provides a straightforward migration path to SignServer Enterprise. The same Helm chart structure and configuration format is used for both editions. Switching to Enterprise requires updating the image reference and adding an imagePullSecret for the Keyfactor registry. No data migration is required.
In this Section