
Quick Start Guide - Start SignServer Container with Client Certificate Authenticated Access

Learn how to get started with SignServer Community as a container.

In this guide, you will learn to:

  • Install Docker

  • Pull SignServer Community container

  • Start SignServer Community container

  • Import client certificate into your browser

  • Access SignServer Administration Web


Before you begin, you need a fresh Ubuntu 22.04 LTS installation with Snap already installed.

To authenticate with SignServer Administration Web, you need to import a client certificate into your web browser. If you do not have a client certificate or a Certificate Authority (CA), you can follow the Quick Start Guide - Issue Client Authentication Certificate using EJBCA to start a CA and issue a client certificate using EJBCA.

Step 1 - Install Docker

First, install Docker runtime.

  • To install Docker runtime, in your terminal, run the following command:

    $ sudo snap install docker 

Step 2 - Pull SignServer Community container

The SignServer Community Docker container is available on Docker Hub and can be pulled straight from the command line using the docker tool.

  • To download and unpack the latest SignServer Community container image from Docker Hub, use the following command:

    $ sudo docker pull keyfactor/signserver-ce

Step 3 - Start SignServer Community container

Start the SignServer Community container as an ephemeral test instance, suitable for testing or evaluation purposes. 

  • Start the container with the hostname set to "localhost" and update the path to your Management CA certificate:

    $ sudo docker run -it --rm --name signserver \
        -p 80:8080 -p 443:8443 \
        -v /home/user/Downloads/ManagementCA.pem:/mnt/external/secrets/tls/cas/ManagementCA.crt \
        -h localhost \
        keyfactor/signserver-ce

Once the container is started, you can access SignServer from your browser. Update the hostname in the URL to match your setup; in this example it is localhost: http://localhost/signserver/.

SignServer opens and displays a message that client certificate authentication is required. Next, you will install the previously issued client certificate in your web browser.
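
The following is an added example, not part of the original guide or the SignServer project: a check to run on the Management CA file before it is mounted with the command in Step 3. The function name check_management_ca and its return codes are assumptions made for this example, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the SignServer documentation).
# The guide mounts the Management CA certificate into the container for
# client certificate authentication, so inspect the file before starting it.

# check_management_ca FILE  (hypothetical helper name)
# Prints subject, expiry and SHA-256 fingerprint on success.
# Returns: 1 not a readable regular file, 2 not exactly one certificate,
#          3 not a CA certificate, 4 expired.
check_management_ca() {
    ca_file=$1

    # With "docker run -v", a missing host path is created as an empty
    # directory, so insist on a regular file.
    if [ ! -f "$ca_file" ] || [ ! -r "$ca_file" ]; then
        echo "not a readable file: $ca_file" >&2
        return 1
    fi

    # The guide mounts a single Management CA certificate; anything else
    # in the file is unexpected.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 certificate, found $count" >&2
        return 2
    fi

    # basicConstraints must mark it as a CA (needs OpenSSL 1.1.1 or later).
    if ! openssl x509 -in "$ca_file" -noout -ext basicConstraints 2>/dev/null \
            | grep -q 'CA:TRUE'; then
        echo "not a CA certificate: $ca_file" >&2
        return 3
    fi

    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$ca_file" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired: $ca_file" >&2
        return 4
    fi

    # Compare this fingerprint with the one shown by the issuing CA.
    openssl x509 -in "$ca_file" -noout -subject -enddate -fingerprint -sha256
}
```

Call it with the same host path used in the -v option, for example check_management_ca /home/user/Downloads/ManagementCA.pem, and start the container only if it returns 0.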

Step 4 - Import certificate into browser

To authenticate with SignServer Administration Web, you need to import a client certificate into your web browser. Follow the steps below to import the client certificate issued by EJBCA in the Quick Start Guide - Issue Client Authentication Certificate using EJBCA.

The procedure for importing a certificate may vary depending on the web browser you are using. This example describes how to import a certificate to Mozilla Firefox.

To import the client certificate in your browser:

  1. Open the Firefox application menu and click Settings.

  2. Go to Privacy & Security and in the Security section, click View Certificates.

  3. On the Your Certificates tab, select Import.

  4. Browse to the downloaded P12 file, select the file, and click OK.

  5. Enter the password you specified as the enrollment code when you issued the client authentication certificate, and click Sign in.

  6. Click OK to close the Firefox Certificate Manager.

The administrator certificate is now imported and installed in your browser.

Step 5 - Access SignServer

To access SignServer Administration Web using the previously issued client authentication certificate, do the following:

  1. In your browser, navigate to SignServer and click Use TLS client certificate.

  2. When prompted with a request for your browser to use the imported certificate, click OK to access SignServer with the certificate.

  3. A browser warning is shown since you are using a generated local server certificate and have not added the Management CA to the list of trusted roots in your certificate store. Click through the security warning, and accept the risk and continue. 

SignServer opens displaying the administration interface.

Next steps

In this guide, you learned how to start a SignServer container with client certificate authenticated access.

To learn how to deploy SignServer in Kubernetes using a Helm chart, you can follow the Tutorial - Deploy SignServer using a Helm chart.

Next, you can browse our other video tutorials on the Keyfactor Community YouTube channel.
