Skip to main content
Skip table of contents

Extended CMS Signer

ENTERPRISE

The signer has the fully qualified class name: org.signserver.module.extendedcmssigner.ExtendedCMSSigner.

Overview

The extended CMS signer, in addition to all the features provided by the regular CMS signer, has support for timestamping.

The extended CMS signer also supports CMS re-signing, enabling signing software and firmware using multiple algorithms. It is possible to produce two signatures using different signing algorithms by signing data with one algorithm and using the output of the first signing operation as input in a second signing operation targeting an extended CMS signer configured for re-signing with a different algorithm. CMS re-signing can be used for crypto agile CMS signing in general and for transitioning from traditional to post-quantum algorithms.

Available Properties

PropertyDescription
TSA_WORKERWorker ID or name of internal timestamp signer in the same SignServer. Optional, default: none. This property cannot be combined with TSA_URL.
TSA_URLURL of external timestamp authority. Optional, default: none. This property cannot be combined with TSA_WORKER.
TSA_USERNAMELogin username used if the TSA uses HTTP Basic Auth. Optional, default: none.
TSA_PASSWORDLogin password used if the TSA uses HTTP Basic Auth. Required if TSA_USERNAME is specified. Default: none.
TSA_DIGESTALGORITHMAlgorithm for timestamp digests. Optional, default: SHA-256.
SIGNING_MODE

Mode to use when signing. Optional, default: NEW

  • NEW
  • APPEND

Signing Mode

CMS re-signing enables signing software and firmware using multiple algorithms. Using the signing mode append, it is possible to produce two signatures using different signing algorithms by signing data with one algorithm and using the output of the first signing operation as input in a second signing operation targeting an extended CMS signer configured for re-signing with a different algorithm. CMS re-signing can be used for crypto agile CMS signing in general and for transitioning from traditional to post-quantum algorithms.

The following signing modes are available:

  • NEW: A new CMS signature is calculated based on the digest of the input data.
  • APPEND: An additional signature is calculated based on the existing message digest in input data, which must be an existing CMS structure.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close