
Fresh Installation

The following example steps are recommended for the initial setup of the Next Generation Hardware Appliance.

After logging into the Appliance for the first time, we recommend the following setup steps.

Step 1 - Add a New User Account

Create a user account by adding either a client certificate user account or an OAuth user account.

Step 2 - Remove the OTP User

As the Next Generation Hardware Appliance is often managed by different people, the Initial OTP User should be removed to avoid security issues.
After the new User Account has been added, log in again with the new User Account.
You can now delete the Initial OTP User.

To remove the OTP user, see the following guide.

Step 3 - Configure a Hardware Security Module (HSM)

You can configure a Hardware Security Module (HSM) to store and protect your cryptographic keys.

For instructions on how to configure the HSM, see:

Step 4 - Configure the Application

Configure the SignServer Application

Next, create a Crypto Token in SignServer and connect it to the configured HSM. For more information, refer to the SignServer Documentation on Crypto Tokens.

The following provides some example steps for creating a Crypto Token in SignServer and generating a test key.

You need to select a TLS client certificate to be able to connect to SignServer Admin Web. If you did not select a TLS client certificate when your browser requested it, you may need to restart your browser.

Create Crypto Token and Test Key

Follow the example steps below to create a Crypto Token and a test key in SignServer. For more information, refer to the SignServer Documentation on Crypto Tokens and Available Properties.

To create a Crypto Token and generate a test key in SignServer, do the following.

  1. On the Next Generation Hardware Appliance Overview page, click Admin Web for SignServer listed in the Application Overview.

  2. In SignServer, click Add at the bottom of the page.

  3. On the Add Worker/Load Configuration page, select From Template as Method.

  4. Select p11ng-crypto.properties and click Next.

  5. On the next page, click Apply to create the worker. A new worker entry named "CryptoTokenP11NG1 (1)" should now be visible on the Worker Overview page.

  6. Click CryptoTokenP11NG1 (1) to configure the worker. The worker status and token status should be displayed as Offline.

  7. Next, configure the Crypto Token to access the correct PKCS#11 slot.
    Click Configuration to see the currently configured worker properties.

  8. Configure the appropriate properties, for example:

    • SLOTLABELTYPE: How to reference your PKCS#11 slot, by number ("SLOT_NUMBER") or index ("SLOT_INDEX").

    • SLOTLABELVALUE: The slot number or index of the slot you want to connect to.

  9. To configure the PKCS#11 slot pin, click Add at the bottom of the page. Add a new property named PIN to the Crypto Token properties and set the PIN of the slot you want to connect to.

  10. To test your configuration, click Crypto Token and then Activate. On the next page, enter the PKCS#11 slot PIN in the Authentication Code field and click Activate.
    If correctly entered, you will be redirected to the worker overview page.

  11. Next, to create a test key for the Crypto Token, select the worker name "CryptoTokenP11NG1 (1)".

  12. Click the Crypto Token tab to list keys that are available in the Crypto Token.

  13. Select Generate Key and specify the following before clicking Generate.

    • New Key Alias: testkey0

    • Key Algorithm: Choose a key algorithm that is available on your HSM.

    • Key Specification: Choose a key specification that is available on your HSM.

    • Click Generate.

  14. Click Status Summary to check for errors. The Worker status and Token status should now both be Active.

You have now created a Crypto Token and a test key and the Crypto Token can now be used by your SignServer workers. For more information, refer to the SignServer Documentation on Crypto Tokens and Available Properties.
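
As an added example (not part of the Keyfactor documentation or the SignServer code), the following Python script checks the properties from steps 8 and 9 for consistency before they are entered in Admin Web, and redacts the PIN so the configuration can be shared in a ticket or log. It assumes the properties are written as KEY=VALUE lines and accepts only the two SLOTLABELTYPE values named above; the function names and sample values are constructed for illustration.

```python
# Added example (not Keyfactor code): lint the Crypto Token properties
# from steps 8-9 before applying them in Admin Web.
ALLOWED_SLOT_TYPES = {"SLOT_NUMBER", "SLOT_INDEX"}  # the two values this page names


def parse_properties(text):
    """Parse KEY=VALUE lines (assumed text form), skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a KEY=VALUE line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def check_crypto_token(props):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    slot_type = props.get("SLOTLABELTYPE")
    slot_value = props.get("SLOTLABELVALUE", "")
    if slot_type not in ALLOWED_SLOT_TYPES:
        problems.append(f"SLOTLABELTYPE must be SLOT_NUMBER or SLOT_INDEX, got {slot_type!r}")
    # Both reference types on this page are numeric: require a non-negative integer.
    if not (slot_value.isascii() and slot_value.isdigit()):
        problems.append(f"SLOTLABELVALUE must be a non-negative integer, got {slot_value!r}")
    if not props.get("PIN"):
        problems.append("PIN is missing or empty (step 9 adds it)")
    return problems


def redact(props):
    """Copy of the properties with the slot PIN masked, for tickets or logs."""
    return {k: ("********" if k == "PIN" else v) for k, v in props.items()}


# Constructed sample input: a label was typed where a slot number is expected.
SAMPLE = """
# constructed values, not from a real appliance
SLOTLABELTYPE = SLOT_NUMBER
SLOTLABELVALUE = signing-slot
PIN = example-pin-not-real
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    print(redact(props))
    for problem in check_crypto_token(props):
        print("problem:", problem)
```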

Step 5 - Renew the TLS Certificate

Renewing the TLS certificate may be necessary to comply with your company's security regulations, for example, to remove the security warning in the browser address bar. For instructions on how to renew the TLS certificate, see Managing TLS Certificates.
