Quick Start Guide - Start SignServer Container with Client Certificate Authenticated Access
Learn how to get started with SignServer Community as a container.
In this guide, you will learn to:
Install Docker
Pull SignServer Community container
Start SignServer Community container
Import client certificate into your browser
Access SignServer Administration Web
Prerequisites
For this tutorial, SignServer Community Docker container version 5.10 was used.
Before you begin, you need:
A fresh Ubuntu 22.04 LTS that already has Snap installed and is ready to go.
A client certificate imported into your web browser, for authentication to the SignServer Administration Web. If you don't have a client certificate or a Certificate Authority (CA), you can follow the Quick Start Guide - Issue Client Authentication Certificate using EJBCA to start a CA and issue a client certificate using EJBCA.
Step 1 - Install Docker
First, install Docker runtime.
To install Docker runtime, in your terminal, run the following command:
$ sudo snap install docker
Step 2 - Pull SignServer Community container
The SignServer Community Docker container is available on Docker Hub and can be pulled straight from the command line using the docker tool.
To download and unpack the latest SignServer Community container image from Docker Hub, use the following command:
$ sudo docker pull keyfactor/signserver-ce
Step 3 - Start SignServer Community container
Start the SignServer Community container as an ephemeral test instance, suitable for testing or evaluation purposes.
Start the container with the hostname (signserver.example.com in this guide's URLs) set to "localhost", and update the path to your Management CA certificate:
$ sudo docker run -it --rm --name signserver \
    -p 80:8080 -p 443:8443 \
    -v /home/user/Downloads/ManagementCA.pem:/mnt/external/secrets/tls/cas/ManagementCA.crt \
    -h localhost \
    keyfactor/signserver-ce
Once the container has started, open your browser and navigate to http://signserver.example.com/signserver/, replacing signserver.example.com with your hostname. In this example the hostname is localhost, so the URL is http://localhost/signserver/.
SignServer opens and displays a message that client certificate authentication is required. Next, you will install the previously issued client certificate in your web browser.
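A pre-flight check for the Management CA path used in the Step 3 command, as an added example that is not part of the original guide or the SignServer project. The function names check_mgmt_ca_file and start_signserver are hypothetical, and the check is structural only: it does not validate the certificate cryptographically.

```shell
# Added example: pre-flight check for the Management CA bind mount in Step 3.
# Structural checks only; the certificate is not validated cryptographically.

check_mgmt_ca_file() {
    ca_path=$1
    # A relative source in "docker run -v" is treated as a named volume, not a file.
    case "$ca_path" in
        /*) ;;
        *) echo "error: use an absolute path: $ca_path" >&2; return 1 ;;
    esac
    # For a missing host path, -v creates an empty directory and mounts that.
    # A directory here is usually left over from an earlier run with a wrong path.
    if [ -d "$ca_path" ]; then
        echo "error: $ca_path is a directory, not a certificate file" >&2
        return 2
    fi
    if [ ! -f "$ca_path" ] || [ ! -r "$ca_path" ]; then
        echo "error: $ca_path is missing or not readable" >&2
        return 3
    fi
    # A trust anchor file should never carry key material.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$ca_path"; then
        echo "error: $ca_path contains a private key" >&2
        return 4
    fi
    # Also rejects a binary P12 passed by mistake: it has no PEM markers.
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$ca_path" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$ca_path" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "error: $ca_path is not a complete PEM certificate" >&2
        return 5
    fi
    return 0
}

# Hypothetical wrapper: runs the guide's Step 3 command only if the check passes.
start_signserver() {
    check_mgmt_ca_file "$1" || return $?
    sudo docker run -it --rm --name signserver \
        -p 80:8080 -p 443:8443 \
        -v "$1:/mnt/external/secrets/tls/cas/ManagementCA.crt" \
        -h localhost \
        keyfactor/signserver-ce
}
```

Source the file and call start_signserver /home/user/Downloads/ManagementCA.pem in place of the Step 3 command.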
Step 4 - Import certificate into browser
To authenticate with SignServer Administration Web, you need to import a client certificate into your web browser. Follow the steps below to import the client certificate issued by EJBCA in the Quick Start Guide - Issue Client Authentication Certificate using EJBCA.
The procedure for importing a certificate may vary depending on the web browser you are using. This example describes how to import a certificate to Mozilla Firefox.
To import the client certificate in your browser:
Open the Firefox application menu and click Settings.
Go to Privacy & Security and in the Security section, click View Certificates.
On the Your Certificates tab, select Import.
Browse to the downloaded P12 file, select the file, and click OK.
Enter the password you specified as the enrollment code when you issued the client authentication certificate, and click Sign in.
Click OK to close the Firefox Certificate Manager.
The administrator certificate is now imported and installed in your browser.
Step 5 - Access SignServer
To access SignServer Administration Web, using the previously issued client authentication certificate, do the following:
In your browser, navigate to SignServer and click Use TLS client certificate.
When prompted with a request for your browser to use the imported certificate, click OK to access SignServer with the certificate.
A browser warning is shown since you are using a generated local server certificate and have not added the Management CA to the list of trusted roots in your certificate store. Click through the security warning, and accept the risk and continue.
SignServer opens displaying the administration interface.
Next steps
In this guide, you learned how to start a SignServer container with client certificate authenticated access.
Here are some next steps we recommend:
To learn how to deploy SignServer in Kubernetes using a Helm chart, you can follow the Tutorial - Deploy SignServer using a Helm chart.
If you are interested in SignServer Enterprise, read more on Keyfactor SignServer Enterprise.
If you are interested in SignServer Community, check out SignServer Community vs Enterprise or read more on signserver.org.
If you are a SignServer Enterprise customer and need support, visit the Keyfactor Support Portal.
Discuss with the SignServer Community on GitHub Discussions.