
SignServer Release Notes Summary

The following summary lists release notes for all SignServer versions.

For detailed information on features and improvements implemented per release, see the SignServer Release Notes. The SignServer Release Notes also include a change log, listing all issues resolved in the release.

SignServer 6.2


This release extends the SignServer REST API with new endpoints for management of SignServer workers. SignServer 6.2 also supports Microsoft CAB file signing and HSM integration for post-quantum signing. Several improvements and error corrections are also included. 

  • Post-Quantum Signing with HSM Support: SignServer has supported the Dilithium and SPHINCS+ NIST post-quantum candidate algorithms since SignServer 6.0. SignServer 6.2 now introduces support for the use of a hardware security module (HSM) with support for the Dilithium algorithm. Since Dilithium is not part of the PKCS11 standard, it requires an HSM vendor-defined extension in the PKCS11 interface. For information about supported HSM vendors and models, contact Keyfactor.

    Signatures by SignServer using the Dilithium algorithm integrated with an HSM may also be verified using the post-quantum verifier app on GitHub. For more information and instructions, see Post-Quantum Code Signing How-to.

    Note that the NIST post-quantum candidate algorithm is suitable for non-production use only. NIST standardization is planned for completion in 2024 and the Dilithium algorithm can be used for proof-of-concept (PoC) and post-quantum transition preparation activities until then.

  • REST API Extensions: The REST API in SignServer 6.2 has been extended with new endpoints and methods for managing SignServer Workers from external systems. The new methods can typically be used for automating SignServer setup as part of DevOps processes.
    The API extensions enable use cases such as creating or reconfiguring Crypto Tokens and Signers in SignServer. Initiating signing operations through the REST API has been supported since SignServer 6.0. For more information about the SignServer REST API, see SignServer REST Interface.

  • Cabinet (CAB) File Support: The SignServer MS Authenticode Signer is now extended with support for signing Microsoft cabinet (CAB) files.

Deprecation of DSA Algorithm: The use of the DSA algorithm in SignServer is deprecated as of SignServer 6.2. DSA algorithm support is scheduled to be removed in an upcoming release, and users are advised to use other algorithms in its place.

SignServer 6.1


This release introduces support for Fortanix Data Security Manager (DSM) and includes improvements and error corrections. In addition, Bouncy Castle has been upgraded to 1.74.

  • Fortanix DSM Support: In SignServer 6.1, a new Fortanix Crypto Token is introduced to support Fortanix Data Security Manager (DSM) Cloud HSM. The integration between SignServer and Fortanix DSM uses the Fortanix DSM REST API; see FortanixCryptoToken. For more information on the algorithms supported with Fortanix DSM, see FortanixCryptoToken Algorithm Support.

SignServer 6.0


 JULY 2023

This maintenance release resolves an issue discovered in SignServer that prevented usage of the OpenPGP Signer in combination with the P11NG crypto token.

Deployment options only include SignServer Hardware Appliance.

SignServer 6.0

 JUNE 2023

This release includes advancements in IoT security, post-quantum readiness, and improved interoperability.

  • REST Interface: SignServer 6 includes a REST interface for signing operations. The REST interface supports all existing authorizers. Future versions of SignServer will extend the functionality of the SignServer REST interface and new integrations are recommended to use the REST interface rather than SOAP/HTTP.
  • Post-Quantum Readiness: SignServer 6 adds support for the Dilithium candidate algorithm in CMS Signer. The final standard for the Dilithium algorithm is planned to be released by NIST during 2024 and the candidate algorithm shall not be used for production purposes. Still, with the support for the Dilithium candidate algorithm in SignServer, customers can prepare for the transition to quantum-safe algorithms. The Keyfactor Post Quantum Signature Verifier App on GitHub has been extended with support for the Dilithium candidate algorithm and can be used to test algorithms. For more information, see the guide Post-Quantum Code Signing How-to.
  • CMS re-signing: In SignServer 6 the Extended CMS Signer supports CMS re-signing. This enables using a combination of multiple algorithms in CMS signing. By signing data with one algorithm and then applying the output from the first signing operation as input in a second operation targeting an Extended CMS Signer configured for re-signing using a different algorithm, the output of the second signing operation will contain two signatures using different signing algorithms. CMS re-signing can be used for crypto-agile CMS signing in general and specifically in the transition to post-quantum algorithms. The decision to validate one or both signatures is made wherever the signature is used, for example in a secure firmware update scenario.

Technology upgrades

As a new major version, SignServer 6 supports a technology stack with some important updates compared to SignServer 5. SignServer 6 supports running on Java 17 in addition to Java 11. Running on WildFly 26 as the application server is also supported, and SignServer's use of the application server is based on JEE8. Bouncy Castle has been upgraded to version 1.73.

  • Running on Java 8 not supported: Running on Java 8 has previously been deprecated in SignServer 5 and SignServer 6 does not support running on Java 8.
  • Old application servers not supported: Running SignServer 6 on WildFly 9, 10, 11, and 14 as well as JBoss EAP 7.0, 7.1, 7.2, 7.3 is not supported.
  • OOXML signer and ODF signer not supported: The OOXML signer and ODF signer have previously been deprecated and are not supported in SignServer 6.

SignServer 5.11

SignServer 5.11.3

 APRIL 2023

This minor release includes several improvements and fixes.

Corrections have been made regarding configuration updates in shared database setups, PDF signing, the use of special characters in input file names, and more.

Improvements include library upgrades and enhancements to the use of signature algorithms in automated certificate renewals from a peer-connected EJBCA certificate authority (CA).

In addition, a new configuration option in the SignServer Administration Web user interface improves performance and speeds up the loading of SignServer Workers pages.



The SignServer release addresses performance issues in the SignServer Administration Web user interface related to DNSSEC zone file signing. With this release, we have also added a global configuration option that allows status not to be displayed on SignServer Workers pages, which increases UI performance.

This release is available for deployment on SignServer Hardware Appliance only.

SignServer 5.11.2


  • The SignServer 5.11.2 maintenance release provides enhanced flexibility for integration with Identity Providers using JSON Web Tokens (JWTs).
  • The SignServer 5.11.2 maintenance release also contains improvements and error corrections related to the MS Authenticode CMS Signer's compatibility with Microsoft SignTool.

SignServer 5.11.1

SignServer 5.11.0 was an internal release, not generally available for customers.


  • OS Independent TimeMonitor: SignServer TimeMonitor is utilized in time-stamping use cases to monitor the difference between the local time and the time of an external NTP server to avoid issuing timestamps if the time difference exceeds a configured value.
    With SignServer 5.11, SNTP is by default supported natively, enabling using the SignServer TimeMonitor feature without the need for ntpdate and ntpq commands in the operating system. This new mode of operation for TimeMonitor also supports the use of multiple time servers for redundancy. For customers running SignServer on operating systems with the ntpdate and ntpq commands, it is still possible to configure SignServer to use these as per the legacy functionality. For more information, see SignServer TimeMonitor Overview.
  • Full-featured P11NG as recommended PKCS#11 Crypto Token for new deployments: As of SignServer 5.11, P11NG is the recommended crypto token for new deployments of all use cases on all deployment types. P11NG was first introduced in SignServer 4.3 as an alternative PKCS#11 crypto token for certain functionality not supported by the Java SunPKCS11 provider. The functionality supported by the P11NG provider has evolved over time and now includes key wrapping, EdDSA algorithm support, and various Cloud HSM options. For more information, see the documentation on how to Migrate from SunPKCS11 to P11NG.
  • Google Cloud KMS Support: SignServer 5.11 includes support for Google Cloud KMS as HSM, expanding the SignServer Cloud HSM support beyond the previously supported AWS and Azure Cloud HSM options. The support for Google Cloud KMS is based on the use of the P11NG PKCS#11 crypto token.
  • Keyfactor branded user interface: The Keyfactor branded web user interface is now available per default for all new deployments and all existing deployments upgraded to SignServer 5.11.

SignServer 5.10


  • EdDSA Support: The Edwards-curve Digital Signature Algorithm (EdDSA) is gaining increased traction and enables a high level of security and performance even on resource-constrained devices. SignServer 5.10 introduces support for generating EdDSA signatures and the algorithms Ed25519 and Ed448 are now supported in the Plain signer, CMS signer, and Time Stamp signer. Use of the EdDSA algorithms requires utilizing the P11NG crypto token as well as HSM support for the selected algorithm.
  • Key Wrapping Support for Elliptic Curves: The SignServer key wrapping feature was previously limited to RSA keys. As of SignServer 5.10, key wrapping is supported also for EC keys. Use of the key wrapping feature requires utilizing the P11NG crypto token. For more information, see Key Wrapping.
  • Post-quantum Signing with upgraded SPHINCS+ Algorithm and new Bouncy Castle version: SignServer enables you to prepare for quantum-safe signing by using the NIST Post-Quantum Cryptography (PQC) candidate algorithm SPHINCS+ through Bouncy Castle. Using the CMS Signer and the Keystore Crypto Token together with the SPHINCS+ algorithm allows you to experiment with creating post-quantum keys and signatures. For more information, see the Post-quantum Code Signing How-to.
    SignServer 5.10 has upgraded the Bouncy Castle version to 1.71.1 which includes support for the SPHINCS+ v3.1 algorithm.

SignServer 5.9.1

  • AWS CloudHSM Improvements: New flexibility of the P11NG crypto token now allows P11NG to be used with SignServer for integration with AWS CloudHSM. A new setting on a worker or the crypto token can control if a certificate object is generated when a key pair is generated. When used for integration with AWS CloudHSM, the worker or crypto token must be configured not to generate certificates, using the P11NGCryptoToken property GENERATE_CERTIFICATE_OBJECT. A similar option is also available in the p11-ng tool (using the nocertificateobject flag). Further improvements to the Android (APK) signers have been made in this release making the APK signers work fully without certificates in the token and thus function with AWS CloudHSM.
  • Bouncy Castle Upgraded to Latest Version: Bouncy Castle is upgraded to version 1.71.
  • OpenPDF Upgraded to Latest Version: OpenPDF is upgraded to version 1.3.28.

SignServer 5.9.0

  • Keyfactor branded Web Interface: Meet the new face of SignServer! SignServer 5.9 includes a new web theme as SignServer is part of the Keyfactor product portfolio. The functionality offered by the web interface in previous versions is still available and the default web theme still uses PrimeKey colors. When upgrading to SignServer 5.9 from a previous version, you can select whether to enable the new theme or not. 
  • Android Signing Improvements for Cloud Deployments: Based on an improvement in SignServer APK signers, it is now possible to store signing certificates in the signer rather than in the crypto token. This option is particularly valuable in deployments where the crypto token in use does not support storing certificates, which is the case for example in AWS CloudHSM. To store the signing certificate in the worker configuration, disable the Install in Token option. For more information, see Workers Install Certificates Page.
  • Log4j Upgrade: As has been stated before, SignServer was never vulnerable to CVE-2021-44228 nor the subsequent findings due to the fact that SignServer handles logging through JBoss EAP/WildFly, merely facilitated by the Log4j API. Log4j version 1 has been included in the source mainly as a building block and not used in the main deployment, and is only ever directly referenced from the CLI, but will hence still trip automatic vulnerability scanners. As we understand that some of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dissolve any questions about SignServer being vulnerable. 

SignServer 5.8.2

SignServer 5.8.2 was an internal release, not generally available for customers.

SignServer 5.8.1

  • Signed Signature Requests: SignServer 5.8.1 introduces support for Signed Signature Requests. This feature extends the request authorization capabilities of SignServer beyond client certificate and JSON Web Token (JWT) authorization. In deployment scenarios where there are mutual TLS (mTLS) hops between the client and SignServer it may not be feasible to use an mTLS connection for the closest network element to authorize the signature request. When the Signed Signature Request feature is used, a signature is added as metadata to the request by the client. Adding the signature to the request can now be done using the SignServer SignClient or by following the request format specification when generating the request from a client using the SignServer Web Services API. For more information, see Signed Request Authorizer.
  • Security Notice - Third-party Apache Santuario Library Upgrade (CVE-2021-40690): Versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
    SignServer Enterprise incorporates the Apache Santuario - XML Security for Java as a third-party library and may be affected if configured to provide XML or XAdES validators.
    As of SignServer Enterprise 5.8.1, the Apache Santuario - XML Security for Java library is updated to version 2.1.7, which includes a fix for CVE-2021-40690. After upgrading to SignServer Enterprise 5.8.1, your installation is no longer affected by this security issue.
    • Severity: Medium – There is no known exposure if XML or XAdES validators are not configured in SignServer. In addition, an attacker would need to be authorized to use configured workers if any. 
  • Security Notice - Cross-site Scripting Issue in Admin Web: During our testing with a new combination of test data and request sequence in the SignServer Admin Web interface, a cross-site scripting issue was found. By setting up a new worker where JavaScript code is used in the worker name followed by a Generate CSR request, the script in the worker name will be executed in the generate CSR step. This issue has been fixed in SignServer 5.8.1 and similar issues in other parts of Admin Web were also fixed. Two weeks after the release of SignServer 5.8.1 this issue will be reported as a CVE. 
    • Severity: Low – Only an authorized SignServer administrator could perform an attack. Any update of worker names configured in SignServer will be logged in the audit log.

SignServer 5.8.0

  • Use Information from JWT Claims in Short-Lived Signing Certificates: Customers using OAuth 2.0 or OpenID Connect in an identity provider (authorization server), integrated with SignServer using the SignServer JSON Web Token JWT Authorizer, can now use information from the JWT tokens in short-lived certificates. SignServer 5.8 supports configuring mapping rules between JWT claims and short-lived certificates, allowing user data from the JWT token to be part of the certificate used for signatures on behalf of the authorized user. For more information, see JWT Authorizer.
  • EJBCA Peer Connection in RA Mode for One-Time Keys: SignServer now allows you to set up one-time keys using an EJBCA Peer Connection in RA mode. This improves security on the CA side as the connection is initiated from EJBCA to SignServer, and therefore the network setup will not need to accept incoming connections to the CA when using one-time keys in SignServer. For more information, see Peer Systems.
  • eIDAS Advanced Level Signing Enhancements: SignServer 5.8 brings improvements for managing long-term archiving of signed documents. For eIDAS Advanced level signing using PAdES and XAdES signature formats, SignServer now supports extending the validity of a document with a previous signature. In addition, the AdES signer has been improved to handle larger signature sizes. For more information, see AdES Signer.

SignServer 5.7.0

  • PAdES Signature Format: SignServer 5.7 supports Baseline Signature Levels for PAdES as defined in ETSI EN 319 142. This includes signature levels PAdES-B, PAdES-T, PAdES-LT, and PAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation. SignServer support for PAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.
  • XAdES Signature Format: SignServer 5.7 supports Baseline Signature Levels for XAdES as defined in ETSI EN 319 132. This includes signature levels XAdES-B, XAdES-T, XAdES-LT, and XAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation. XAdES signatures may be generated using different signature packaging modes, including ENVELOPED and DETACHED. SignServer support for XAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.
  • Microsoft CAT File Signing: The SignServer MS Authenticode Signer now supports signing of Microsoft CAT files. The file type is automatically detected by SignServer. For more information, see MS Authenticode Signer and the Authenticode Code Signing Technical How-to.
  • RSASSA-PSS with Client-Side Hashing Supported in P11NG: SignServer 5.7 adds support for RSASSA-PSS with client-side hashing (NONEwithRSAandMGF1) similar to what has been supported in previous versions for NONEwithRSA. The RSASSA-PSS algorithm requires use of the P11NG provider (JackNJI11CryptoToken). For more information, see Client-Side Hashing.

SignServer 5.6.1

This minor release brings improvements for the SHAxWithRSAandMGF1 / RSASSA-PSS algorithms on certain Java versions. These improvements are required in certain customer deployments due to the Java Virtual Machine (JVM) implementations.

SignServer 5.6.0

  • Request Prioritization: By setting up priority levels for different signing request types, you can now ensure that the available SignServer system capacity is assigned to incoming signing requests based on your defined priority levels. The new SignServer Request Prioritization feature ensures that response times for high-priority requests can be optimized while lower priority requests may get queued. Priority levels are configured as part of the worker configuration. For more information, see Setting up Request Prioritization.
  • Authenticode Resigning: SignServer 5.6.0 introduces support for signing Microsoft Authenticode signed PE and MSI files with an additional signature. By signing application files with multiple signatures the files can be made compatible with the signing schemes of both legacy and modern Microsoft platforms. For information on configuring and signing using the SignServer MS Authenticode signer, see Authenticode Code Signing.

SignServer 5.5.0


  • Authenticode Signing of Microsoft PowerShell Scripts: SignServer Enterprise supports signing of PowerShell scripts (.ps1, .psd1, .psm1). For more information, see MS Authenticode Signer.
  • Android APK v2 and v3 Signing Schemes: SignServer Enterprise supports new Android APK signing schemes. For more information, see Setting up Android Signing.

SignServer 5.4.0


  • Azure Key Vault Support: A new Crypto Token implementation now allows storing and using the signing keys in Azure Key Vault, see AzureKeyVaultCryptoToken.
  • JSON Web Token Authorizer: A new Authorizer implementation makes it possible to allow signature requests based on the provided JSON Web Token (JWT) included in the request, see JWT Authorizer.
  • Custom Folder for Configuration: A separate signserver-custom folder, outside of the SignServer home folder, now enables easier upgrades since you no longer need to copy your old configuration. For more information, see Install SignServer.

SignServer 5.3.0


SignServer 5.2.0


  • New and Improved Client Web
  • Administration Interface Changes
  • Algorithm Drop-down Lists

SignServer 5.1.0


  • Improved Client Certificate Authorization
  • PGP Signing Support
  • Debian Package Signing Support

SignServer 5.0.0


  • Upgraded libraries and internal dependencies
  • Support for running on WildFly 14 and JBoss EAP 7
  • Initial support for running on Java 11
  • Restructured and improved installation guide and release information

SignServer 4.4.1


  • New Authorizer component for logging cookies from the request
  • Improvements to startup scripts


  • While SignServer still requires Java 7 or 8, the Client command line interface (SignClient) can now additionally also be run on Java 11.
  • Error handling improvements

SignServer 4.3.2


  • New authorizer for logging cookies from the request


  • Performance test CLI now uses SHA-256 for the time-stamp request

SignServer 4.4.0

New features and improvements

  • Support for on-demand generated one-time keys with short-lived certificates issued from EJBCA.
  • 12 other minor improvements

Bug fixes

  • Time-stamp hash algorithm used by XAdESSigner should be configurable
  • Error with MSI signing when certificate not installed in token
  • OCSP validator failed with external OCSP responder
  • Admin GUI download bundle failed to start
  • 7 other bug fixes

SignServer 4.3.1


  • Sensitive information masked in status output, configuration and logs.

Administration Web

  • New possibility to easily select 'all' in the tables.
  • Improved certificate export page.
  • Character encoding handled correctly when importing configuration.
  • A number of other minor bug fixes or improvements.

Configuration and Deployment

  • Key usage counter disabled by default in sample configuration files.
  • Fixed typos in sample configuration files.
  • Sample Systemd service file added.
  • Fixed deployment issue with Ant version 1.10.2.
  • CLI scripts for Windows updated, or added where missing.


  • Fixed regression with key usage counter and signer validity checks in some situations.
  • Tokens are verified after signing to ensure the right key/certificate is used.
  • Improved error reporting in TimeMonitor when an incorrect time server is configured.
  • TimeMonitor now picks the results chosen by ntpdate when multiple are available.
  • Removed redundant 'Accuracy' field in the SignClient output.

Code Signing

  • Fixed error message in SignClient when file type could not be determined.
  • SignClient in client-side mode now properly refuses already Authenticode signed files.

SignServer 4.3.0

New features and improvements

  • SignClient Server Failover and Loadbalancing
  • Strong Algorithms by Default
  • Key Wrapping (limited support)
  • New Alternative PKCS#11 Provider (experimental)
  • Utimaco HSM in FIPS Mode Support

Bug fixes

  • Regression: Worker lockup under high load when database interactions were configured.
  • SOD Signer was not including NULL parameter for RSASSA-PKCS1 signature as required by ICAO.

SignServer 4.2.2

Bug fixes

  • Signing is no longer initialized if it is going to be refused in TimeStampSigner.
  • Signing is no longer initialized if it is going to be refused in MasterListSigner.
  • An out of memory issue in the database CLI command was fixed.

SignServer 4.2.1

New features and improvements

  • Use a signature algorithm supported by HSM for test signing
  • Tested with WildFly 10, JBoss EAP 7 and Java 8
  • Performance test tool included in Client CLI download bundle
  • Documentation improvements
  • 9 other features or improvements

Bug fixes

  • SignClient on Windows was missing some new enterprise features
  • Error after importing certificate using explicit ECC parameters
  • Issuer DN issue in Admin Web when importing admin certificate
  • Issuer DN not displayed for authorized clients in Admin Web
  • Exception on empty CRL in PDF signer
  • 18 other bug fixes

SignServer 4.2.0

Featured Features

  • Rekeying from EJBCA using Peer Connectors.
  • Client-side hashing for Authenticode and JAR signing.


  • Bouncy Castle and CESeCore libraries updated.
  • Fixed translation issues.
  • New PrimeKey logos.

Code Signing

  • Authenticode signing with client-side hashing.
  • JAR signing with client-side hashing.
  • One issue with duplicated signature names fixed for JAR signing.

Bug Fixes

  • One issue with SignClient exit code fixed.

SignServer 4.1.1


  • Legacy option to encode the time-stamp tokens as before Bouncy Castle 1.50.
  • Legacy option to not include the RFC#6211 cmsAlgorithmProtection attribute in the token.

PDF Signing

  • Issue with PDF version if digest specified as SHA-256 instead of SHA256 resolved. Fix contributed by Aziz Göktepe.

Admin Web

  • A number of translation issues fixed.

Bug fixes

  • There were 7 issues fixed.

SignServer 4.1.0

Major Features

  • A brand new administration web interface.
  • Support for signing Windows Installer (MSI) packages.

General Signing

  • Support for hashing on the client side for CMS/PKCS#7 detached signatures.

Code Signing

  • Added MSI signing support.
  • Performance: Option to disable request hashing in the Plain Signer.


  • Adapted CMS Signer to be suitable for signing ICAO Deviation Lists.


  • Added sample init.d script for running the SignServer TimeMonitor.


  • Restructured and improved documentation.
  • Improved Javadoc for the AdminWS and ClientWS interfaces.


  • Further security hardening of the web applications including Content Security Policy headers and HttpOnly cookie protection.
  • Removed a potential cross site scripting vulnerability on the public web only affecting a set up with the TimeMonitorManager and normally restricted to authenticated users only.
  • Libraries have been upgraded.

Bug Fixes

  • There were 16 issues fixed.

SignServer 4.0.2

New features

  • Support for configurable content OID in CMS signatures
  • Support for DER encoding of CMS signatures

Bug fixes

  • Master list signer was only working with certificate installed in token
  • Issues with PDF permissions when PDF version gets upgraded
  • Regression: TimeMonitor manual was not available in the SignServer manual

SignServer 4.0.1

New features

  • Support for RFC 3161 timestamps in the Authenticode signer
  • Ability to download integration CLI in the same way as the Admin GUI


  • Performance improvements
  • Additional PKCS#11 library definitions
  • Make inclusion of IssuerSerial in SigningCertificate in Time-stamp tokens optional
  • Security hardening

Bug fixes

  • A security issue
  • ClassCastException trying to test key from Admin GUI running against local SignServer instance
  • EchoWorker not working
  • Web service interface not working from client CLI distribution
  • Incorrect documentation for DispatchedAuthorizer
  • Fixes in SQL create scripts
  • Wrong icon for crypto workers in admin GUI

SignServer 4.0.0

Major new features and improvements

  • Support for large files (Enterprise Edition)
  • Major internal library updates such as CESeCore 6.4 and BouncyCastle 1.53
  • Build system changed from Ant to Maven
  • Many internal API improvements
  • Support for RFC 5816 time-stamps
  • Initial Payara 4.1 support

Bug fixes

  • Bug in BouncyCastle related to extensions in time-stamps
  • ClientWS interface did not handle X-Forwarded-For header
  • Fixed spelling typos
  • Fixed unit tests not running automatically
  • Fixed stylesheet on public web pages

SignServer 3.7.4

New feature

  • Support for qcStatements extension for Qualified Electronic Time-stamps


  • More reliable calculation of free memory in Health Check

Bug fixes

  • Fixed issue with PostgreSQL
  • Fixed archive querying when running the GUI locally
  • Fixed possible deadlock when running XML validator under high load
  • A few documentation and sample configuration fixes

SignServer 3.7.3

  • The renewsigner admin CLI command will no longer prompt for an authcode when the -authcode CLI argument is omitted; use the new -authprompt option to get an interactive prompt. When the authcode is not given (or prompted for), the command will not automatically (re)activate the token.

SignServer 3.7.2

Bug fixes

  • Performance: Cache key option now improves performance with network HSM
  • Performance: The response time is improved on some systems

SignServer 3.7.1

New features

  • Java code signing support (including Android).
  • Support for key generation with custom RSA public exponent.


  • Support for large files in Client CLI.
  • Minor performance improvements.
  • Improved output from Client CLI.
  • MRTD signing interface improvements (ePassport).
  • Administration GUI improvements.
  • Improved language in the manuals.

Bug fixes

  • Security issue in Commons Collections library.
  • Regression: Renewing keys for multiple workers at once did not fully work in the Administration GUI.
  • Bin folder can not be put in the PATH environment variable.
  • Username/password not accepted if client certificate presented.
  • The FirstActiveDispatcher logs using the dispatchees fields.
  • 24 other bug fixes.

SignServer 3.7.0

New features

  • Individual keys. Key aliases in crypto tokens can be selected by workers at run-time based on the incoming request using the new AliasSelector interface. An implementation selecting aliases based on the authenticated user of the request is included.

Bug fixes

  • Crypto token operations in the administration GUI no longer require clicking outside of the last edited input field to be able to perform the action (i.e. when generating keys).

SignServer 3.6.3

New Features and Improvements

  • Authenticode signer for portable executables (enterprise edition only).
  • CSCA Master List Signer (enterprise edition only).
  • Signer that produces plain signatures.
  • Configurable maximum upload limit.

Bug fixes

  • Key test results now display correctly in audit log.
  • Database tables now only listed once during deployment.
  • Soft keys are now also removed directly from memory.
  • JBoss config folder directory corrected in installation instructions.
  • Dispatchers status page now lists configuration errors.

SignServer 3.6.2

Bug fixes

  • Security issue in XML workers
  • Regression: Menu command for activating workers not working properly in GUI


  • Honouring rate limiting messages in TimeMonitor
  • Updated list of 3rd party dependencies and licenses

SignServer 3.6.1

New feature

  • Added detached signature option to CMSSigner (contributed by Pablo Ruiz García)


  • Better documentation about how to specify issuer DN for clients and webservice administrators
  • Issued timestamping certificates for sample soft keystores

Bug fixes

  • Fixed KeyStoreCryptoToken to initialize key usage counter when no password is specified in configuration
  • Fixed a regression when ACCEPTEDEXTENSIONS was empty
  • Fixed EJB CLI/GUI access with JBoss AS 7 in Windows
  • Fixed an issue where timestamp responses were double base64-encoded in the log
  • Timestamp and MS authenticode timestamp signer will now check that there is only one extended key usage (timeStamping) set at configuration time instead of failing just at runtime
  • Serial numbers for administrators and clients can be entered with leading zeros and in either case for hexadecimal letters
  • Fixed an issue where installed certificate does not override certificate in keystore
  • Fixed adding authorized WS client in GUI from certificate file
  • Fixed an issue where issuer DN contains characters that need escaping

SignServer 3.6.0

New features and improvements

  • Independent worker and crypto token configuration
  • Querying of database archive from WS and GUI
  • Support for specifying HSM slot by label
  • HSM keep alive service
  • Underlying CESeCore library upgraded
  • Separation between community and enterprise editions
  • New application: SignServer TimeMonitor (enterprise edition only)

Bug fixes

  • Fixed an error when querying the audit log without any conditions
  • Removed a duplicated invocation in the Admin GUI

SignServer 3.5.2

New features and improvements

  • Support for SHA-2 hash algorithms in PDFSigner
  • Support for using the worker servlet when running the stress test tool
  • Checksums using SHA256 are now available for the releases
  • System tests now set up trust stores in case HTTPS is used
  • System tests are now included in the binary distribution
  • Apache Santuario (XML Security) library has been updated to version 1.5.7

Bug fixes

  • An XML signer performance regression has been fixed by a dependency update
  • PDF and XAdES signers caused deadlocks under high load when using a local TSA
  • Audit log errors are now displayed in the Admin GUI
  • An environment variable is now honored in the signserver-db script again
  • Ant target for copying modules was not working for custom sub modules
  • Added note about AdminGUI login issues with smartcard if the path to DLL contains parentheses.

SignServer 3.5.1

New features and improvements

  • Support for passing request meta data
  • Support for configuring number of certificates to include in signature
  • API for billing/accounting
  • Command to print time-stamp requests and responses
  • Improved error reporting for crypto tokens and RenewalWorker
  • Improved ability to have custom modules
  • Updated sample PKCS#11 attributes to not store the public key
  • Documentation for MRTDSODSigner
  • Made all Dispatchers work together with DispatchedAuthorizer
  • Added test configuration files and performance CLI to binary distribution
  • Improved system test configuration options
  • Always display connect dialog when starting the AdminGUI
  • Added getproperty command to AdminCLI
  • Support for setting PKCS#11 attributes without referencing a file
  • Support for generating keys for JKS soft crypto tokens

Bug fixes

  • Fixed AdminGUI smart card login failure on second attempt
  • Implemented workaround for smart card login error when multiple readers are available, some of which do not have tokens present
  • Fixed a deployment issue with Clover
  • Fixed proper exit codes from Ant wrapper script
  • Fixed issue in AdminGUI when adding workers in a specific way
  • Fixed a possible networking issue with the time-stamp client
  • Corrected an error message in RenewalWorker
  • Fixed an issue when running client CLI over ClientWS with debug enabled
  • Fixed main class attribute in SignServer-Test-Performance.jar
  • Fixed an issue with a button in AdminGUI not being initially disabled
  • Fixed arguments parsing in the renewsigner command and added missing authcode argument

SignServer 3.5.0

New features and improvements

  • Support for JBoss AS 7.1, JBoss EAP 6.1 and GlassFish 3.1.
  • Support for MariaDB.
  • Support for JDK 7.
  • All worker configuration can now be done from the Admin GUI.
  • Document signer for XAdES-BES and XAdES-T contributed by Luis Maia.
  • Document validator for XAdES-BES and XAdES-T.
  • Support for different signature algorithms in XML signers.
  • Various AdminGUI/remote administration improvements.

Bug fixes

  • Empty certificate chain in setproperties call gave error.

SignServer 3.4.3

Bug fixes

  • Regression introduced in 3.4.2: test signatures were not performed as part of the getstatus command or from health check
  • Security issue in bundled library

SignServer 3.4.2

New features and improvements

  • Uses PKCS11CryptoToken from CESeCore
  • Support for starting audit log verification from a specified sequence number
  • Option to archive all X-Forwarded-For addresses
  • Option to include the ordering field in time-stamp tokens even if it has value false
  • Option to not include the signingTime CMS attribute in time-stamp signer
  • Option to cache PKCS#11 key reference to increase performance
  • Includes IssuerSerial in the SigningCertificate attribute in time-stamp signer

Bug fixes

  • HSM auto activation was not working when signed audit log was used
  • Key generation was not working with slotListIndex
  • ClientCLI over web services was not working unless includemodulesinbuild specified

SignServer 3.4.1

New features and improvements

  • Added support for IPv6 and multiple proxies in ListBasedAddressAuthorizer.
  • Support for specifying the signature algorithm in CMS signer.
  • Support for the signerCertificate attribute in the MS Authenticode time stamp signer.
  • Support for generating CSR with ECDSA explicit parameters in the admin GUI and the RenewalWorker.
  • Log worker name in the worker log.
  • Easy import of issuer and serial number from certificate in admin GUI, when adding administrator rules.
  • Added an option to set the correct TSA name from the subject DN automatically for the time stamp signer.
  • All workers report themselves as offline when misconfigured.
  • Added health check rate limiter.
  • Added database setup scripts for PostgreSQL.

Bug fixes

  • ContentInfo contained a double encoded octet string in the MS Authenticode time stamp signer.
  • Unauthorized health check queries incorrectly logged.

SignServer 3.4.0

This is a major release - in total 27 features, options, bugs and stabilizations have been fixed or added. The most noteworthy changes can be seen below.

Major changes

  • Secure logging to database using CESeCore.
  • Support for querying audit log from CLI, GUI and web services.
  • Configurable which Status Repository updates to log.
  • Access group for auditors.
  • Database CLI for verifying audit log.
  • Support for PostgreSQL.

Bug fixes

  • Fixed a couple of NPE bugs.
  • Fixed logging in over webservices using a JKS keystore in the Admin GUI.
  • Fixed some randomly failing unit tests.
  • Other minor bugfixes.

SignServer 3.3.0

This is a major release - in total 57 features, options, bugs and stabilizations have been fixed or added. The most noteworthy changes can be seen below.

Major changes

  • New client web services API
  • MS Authenticode time-stamp signer
  • Support for archiving of time-stamp requests
  • Logging of all changes to service components
  • Stress test tool for measuring performance
  • Dropped support for JBoss 4.2.x.
  • Dropped support for cluster class loader
  • Dropped support for WSRA
  • Upgrade of internal cryptographic library
  • Many more minor improvements

Bug fixes

  • Fixed the Renewal worker which required a trust store password even when a trust store was not used
  • Fixed an NPE when trying to activate a worker of type Dispatcher
  • Fixed archiving that could not be done twice for the same document
  • Fixed printing of server version from CLI
  • Fixed system tests that could not be compiled after opening the project with NetBeans IDE 7.2
  • Fixed StatusPropertiesWorker so that it no longer requires a cryptotoken to be configured
  • Fixed Address Authorizers to return HTTP 403 (forbidden) and not HTTP 401 (unauthorized) as before.

SignServer 3.2.4

New features and improvements

  • Installation script contributed by Antoine Louiset
  • Add test cases for TimeStampSigner with other key algorithms than RSA
  • Improved feature list at

Bug fixes

  • Using worker id does not work in Client CLI
  • JBoss 5 throws NPE on shutdown of SignServer
  • Renewal worker does not use the requested DN in certificate request
  • StatusPropertiesWorker requires a cryptotoken to be configured

SignServer 3.2.3

Major new features and improvements

  • Support for SignServer without database
  • Configurable to disable the key usage counter
  • Signer certificate check in Health check for all Signers
  • Check that the timestamp signer certificate is included in the certificate chain
  • Health check response of TimeStampSigner now considers status of time source
  • Down-for-maintenance support in Health check
  • Support for supplying filename as request metadata

Bug fixes

  • Client CLI only supported 10 arguments on Windows
  • Null value was inserted when removing last wsadmin on Oracle
  • PDF Signature could not be larger than 15000 bytes
  • Sample configuration for renewal worker not functional
  • Various documentation updates.

SignServer 3.2.2

Major new features and improvements

  • Support for denying timestamp requests unless the time source is considered in sync
  • Support for dispatching timestamp requests to different timestamp units/signers
  • Support for accessing workers using the /worker/* URL pattern gives easier filtering with a proxy
  • Signer's status report can now be offered by a worker and not just a timed service
  • The log field PROCESS_SUCCESS can now have the value "false" if a request failed
  • Hostname displayed in title bar of AdminGUI simplifies managing multiple servers

Bug fixes

  • Build failure on W7 X64
  • Sample code using web services should use HTTPS
  • URL for documentation only working with JBoss 4.

SignServer 3.2.1

Major new features and improvements

  • Improve servlet error handling
  • Deploy documentation with application
  • Improved API for archiving
  • Support for signing PDFs with document restrictions
  • Support for PDF permissions enforcement
  • Support for modifying PDF permissions
  • Support for setting a PDF permissions password
  • Refuse to certify PDFs already certified and refuse to sign when signing is not allowed

Bug fixes

  • Remote EJB worker interface could not be used with ECC with explicit parameters
  • Warnings printed on STDERR
  • Web service interface did not log XFORWARDEDFOR headers
  • Typo in sample configuration for PDFSigner
  • Setting healthcheck properties had no effect
  • CRL download should close streams correctly and allow for caching
  • Supplied username and password ignored in SigningAndValidationWS
  • Unit tests failed in certain situations
  • Ant target for testing individual tests did not work
  • Switching application server type did not update
  • JavaDoc failed to build.

SignServer 3.2.0

This is a major release - in total 49 features, options, bugs and stabilizations have been fixed or added. The most noteworthy changes can be seen below.

Major new features and improvements

  • Administration Web Service (WS) interface
  • Administration GUI desktop application
  • Client command line interface (CLI)
  • Support for GlassFish Server 2.1.1
  • Support for JBoss Application Server 5.1.0
  • Support for Oracle Database
  • Semi-automatic key generation and certificate renewal from EJBCA
  • Improved audit and transaction logging
  • Improved project structure dividing the modules in sub-projects
  • Front page listing all demo web pages

Known Issues

  • Web services no longer work on JBoss 4 if HTTPS is not used as JBoss 4 rewrites the end point URL in the WSDL file to always start with "https://" (since DSS-327).

SignServer 3.1.5

This is just a minor maintenance release preparing for the upcoming 3.2 release - in total 7 features, options, bugs and stabilizations have been fixed or added. The most noteworthy changes can be seen below.

New features and improvements

  • Support for HTTPS in the SigningAndValidation API
  • Harden the PDF Signer against PDF signature collisions
  • Function in the build script for creating source-only release archives

Bug fixes

  • Problem in a unit test for certain dates
  • NPE in TimeStampSigner if certificate is missing
