Skip to main content
Skip table of contents

Generate TLS Certificates for SignServer

The default certificates for SignServer are generated upon installation and are self-signed. It is recommended to configure new certificates from a CA which EJBCA trusts. Running a script on the command line of EJBCA Cloud can make this a simple process. 

To generate new TLS certificates for SignServer, do the following:

  1. Start a shell session to the EJBCA instance:
    # ssh -i <ssh public key> ec2-user@<ip address of EJBCA instance>
    # cd /opt/PrimeKey/support
  2. Run the script titled Running this script with the -d and -i flags will generate certificates that Apache on the SignServer instance will use. In this demo environment example, our DNS and IP address for our SignServer instance are:
    • ip-172-16-2-98.ec2.internal
    Running the script passing these addresses to the command line will look like the following:
    # sudo ./ -d -d ip-172-16-2-98.ec2.internal -i -i
  3. Answer y to the prompt about copying the certificates with proper names for Apache.  This will output them to. /home/ec2-user/pem.
  4. Copy this pem folder to the SignServer instance. This should be done over a secure channel between the nodes, via SSH or whatever method meets the organizations security needs.
  5. Copy these files to /home/ec2-user/pem, then move them into the appropriate position in /etc/httpd/ssl on the SignServer node and restart apache with the following commands:
    # cd /home/ec2-user/pem
    # sudo cp * /etc/httpd/ssl/.
    # sudo service httpd restart

  6. Run the following command to allow the EJBCA Superadmin access to SignServer:

    # cd /opt/signserver
    # bin/signserver wsadmins -allowany

  7. Go to the SignServer Administrators tab and click Add.

  8. Click Load Current and add the Roles: Admin, Auditor, and Archive Auditor for the EJBCA SuperAdmin, and then click Add.

  9. On the SignServer Administrators tab, change the Current Setting: Allow any to Only Listed by clicking Switch to "Only Listed".

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.