Skip to main content
Skip table of contents

SignServer 5.11 Release Notes


The SignServer team is pleased to announce the release of SignServer 5.11.1. (SignServer 5.11.0 was an internal release, not generally available for customers).

This release includes a new OS-independent TimeMonitor mechanism and Google Cloud KMS support among other features. Starting with this release, the P11NG crypto token is recommended for all use cases on all platforms. This release also upgrades Bouncy Castle to 1.72.

Deployment options include SignServer Hardware ApplianceSignServer Software Appliance, and SignServer Cloud.


OS Independent TimeMonitor

SignServer TimeMonitor is utilized in time-stamping use cases to monitor the difference between the local time and the time of an external NTP server to avoid issuing timestamps if the time difference exceeds a configured value. With SignServer 5.11, SNTP is by default supported natively, enabling using the SignServer TimeMonitor feature without the need for ntpdate and ntpq commands in the operating system. This new mode of operation for TimeMonitor also supports the use of multiple time servers for redundancy. For customers running SignServer on operating systems with the ntpdate and ntpq commands, it is still possible to configure SignServer to use these as per the legacy functionality. For more information, see SignServer TimeMonitor Overview.

Full-featured P11NG as recommended PKCS#11 Crypto Token for new deployments

As of SignServer 5.11, P11NG is the recommended crypto token for new deployments of all use cases on all deployment types. P11NG was first introduced in SignServer 4.3 as an alternative PKCS#11 crypto token for certain functionality not supported by the Java SunPKCS11 provider. The functionality supported by the P11NG provider has evolved over time and now includes key wrapping, EdDSA algorithm support, and various Cloud HSM options. For more information, see the documentation on how to Migrate from SunPKCS11 to P11NG

Google Cloud KMS Support

SignServer 5.11 includes support for Google Cloud KMS as HSM, expanding the SignServer Cloud HSM support beyond the previously supported AWS and Azure Cloud HSM options. The support for Google Cloud KMS is based on the use of the P11NG PKCS#11 crypto token.

Keyfactor branded user interface

The Keyfactor branded web user interface is now available per default for all new deployments and all existing deployments upgraded to SignServer 5.11.


Deprecation of old WildFly versions

As of SignServer 5.11, the use of WildFly versions 9, 10, and 11 is deprecated.

Deprecation of SignServerWS/ValidationWS

As of SignServer 5.11, the use of SignServerWS/ValidationWS is deprecated. 

Deprecation of XAdESSigner

As of SignServer 5.11, the use of XAdESSigner is deprecated. Use of AdES Signer is recommended for XAdES signatures.

Deprecation of OOXML Signer

As of SignServer 5.11, the use of OOXML Signer is deprecated.

Deprecation of ODF Signer

As of SignServer 5.11, the use of ODF Signer is deprecated.

Deprecation of Certificate Validation Framework

As of SignServer 5.11, the use of Certificate Validation Framework is deprecated.

Deprecation of Crypto Token definition in Signers

As of SignServer 5.11, the use of Crypto Token definitions in Signers is deprecated. Customers with legacy Signer configurations including Crypto Token definitions are advised to separate the Crypto Token configuration into a Crypto Token worker and update the Signer configurations with a reference to the Crypto Token worker.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

SignServer 5.11 is included in SignServer Hardware Appliance 3.11, SignServer Software Appliance 2.3, and SignServer Cloud 1.13.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.11, refer to our JIRA Issue Tracker.

Issues Resolved in 5.11.1

Released December 2022

Bug Fixes

DSS-2533 - Regression: TSA_URL is not working in PDFSigner

DSS-2534 - Regression: Error page about connecting using certificate displayed blank

Issues Resolved in 5.11

Internal Release December 2022

New Features

DSS-825 - Implement internal SNTP client instead of executing the NTP commands in TimeMonitor

DSS-1902 - Support for building on Java 11

DSS-2428 - Add support for specifying RSA public exponent also with P11NG crypto token

DSS-2450 - Add option for MSAuthCode signatures to replace existing signatures

DSS-2469 - Support for running the web tests against a remote SignServer (of any packaging type)

DSS-2478 - GCP KMS PKCS#11 support in SignServer based on P11NG

DSS-2491 - Add support for Ed25519 on Utimaco (HSM custom mode)

DSS-2500 - Add support for SHA384withECDSA and SHA512withECDSA in MRTDSODSigner

DSS-2517 - Rebranded SignServer CE UI theme


DSS-1942 - Remove WildFly remoting output from when running AdminCLI

DSS-2289 - Include class name in error message for incorrect time source

DSS-2315 - Update BC deprecated reference

DSS-2383 - Remove worker name from error messages from SODProcessServlet

DSS-2492 - Web UI hardening

DSS-2499 - P11NG-tool uses deprecated "which" command

DSS-2501 - Synchronize default P11 library definitions with EJBCA

DSS-2505 - Add parameter to specify self-signed DN when generating key pair with P11NG-tool

DSS-2507 - Add TRUSTANCHORS property to AdES Signer template

DSS-2508 - Clarify input format for PlainSigner in legacy client-side hashing mode with RSASSA-PKCS1_v1.5

DSS-2511 - Move TimeMonitor Manual into the normal documentation

DSS-2514 - Detection of HSM vendor in P11NG

DSS-2516 - Upgrade BC to 1.72

DSS-2525 - Upgrade dependencies

Bug Fixes

DSS-1681 - Confusing error message with alias selector, noauth and key wrapping

DSS-1811 - SignClient can not be run from directory having a space character in its file name

DSS-1815 - SignDocument Command fails with CLIENTWS & WEBSERVICES protocols if host not specified

DSS-2270 - JWT Authorizer: "Unknown issuer" is incorrectly logged

DSS-2342 - Error 500 when you reload audit log page with empty value for "Displaying results" or "Entries per page"

DSS-2397 - NPE when not specifying signature algorithm and using ECDSA

DSS-2399 - NPE in JwtAuthorizer

DSS-2412- Configuring JwtAuthorizer with public key in PEM format instead of Base64 gives IllegalArgumentException instead of being listed as error

DSS-2455 - Failed key test results rendered as success message instead of failure message

DSS-2483 - EMBED_CRL is in wrong place in the PDF Signer document

DSS-2489 - Transitive dependency on older Bouncy Castle (1.64) not excluded/overridden

DSS-2496 - Can not remove global configuration properties with special characters using delete button

DSS-2503 - P11NG tool fails to generate self-signed cert for ECDSA keypair

DSS-2504 - P11NG-tool gives return code 0 with unknown key algorithm

DSS-2509 - Client HTTP interface relays on platform encoding for data submitted in URL encoded form

DSS-2523 - JArchiveSigner worker template missing in CE

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.