Skip to main content
Skip table of contents

Setup Steps Overview (recommended)

The following provides some example initial setup steps, recommended for setting up the Software Appliance.

After logging into the Software Appliance for the first time, we recommend the following setup steps.

Step 1 - Add a new user account

Create a user account, by adding either a client certificate user account or an OAuth user account.

Step 2 - Remove the OTP User

The person who manages the virtual machines and thus can see the OTP/TTY is, in many cases, not the person who manages the Software Appliance. Therefore, you should remove the Initial OTP User to avoid security issues.
After the new User Account is added, log in again with the new User Account. Now you can delete the Initial OTP User.

In the Actions column of the User Accounts table, click Remove:




When prompted, click Remove to confirm the action.

Step 3 - Configure a Hardware Security Module (HSM)

You can configure a Hardware Security Module (HSM) to store and protect your cryptographic keys. Optionally, you can use the software-based SoftHSM implementation for demonstration or testing purposes.

Attention!

Configuring an HSM for the Software Appliance is irrevocable. To change an HSM configuration, you need to reset the Software Appliance.

For instructions on how to configure the HSM, see:

Step 4 - Configure the SignServer Application

Next, create a Crypto Token in SignServer and connect it to the configured HSM. For more information, refer to the SignServer Documentation on Crypto Tokens.

The following provides some example steps for creating a Crypto Token in SignServer and generate a test key.

You need to select a TLS client certificate to be able to connect to SignServer Admin Web. If you have not selected a TLS client certificate when your browser requested it, you may need to restart your browser.

Create Crypto Token and Test Key

Follow the example steps below to create a Crypto Token and a test key in SignServer. For more information, refer to the SignServer Documentation on Crypto Tokens and available properties.

To create a Crypto Token and generate a test key in SignServer, do the following.

  1. On the SignServer Software Appliance Overview page, click Admin Web for SignServer listed in the Application Overview.
  2. In SignServer, click Add at the bottom of the page.
  3. On the Add Worker/Load Configuration page, select From Template as Method.
  4. Select p11ng-crypto.properties and click Next.
  5. On the next page, click Apply to create the worker. A new worker entry named "CryptoTokenP11NG1 (1)" should now be visible on the Worker Overview page.
  6. Click "CryptoTokenP11NG1 (1)" to configure the worker. The worker status and token status should be displayed as Offline.
  7. Next, configure the Crypto Token to access the correct PKCS#11 slot. Click Configuration to see the currently configured worker properties.
  8. Configure the appropriate properties, for example:
    • SLOTLABELTYPE: How to reference your PKCS#11 slot, by number ("SLOT_NUMBER") or index ("SLOT_INDEX").
    • SLOTLABELVALUE: The slot number or index of the slot you want to connect to.
  9. To configure the PKCS#11 slot pin, click Add at the bottom of the page. Add a new property named PIN to the Crypto Token properties and set the PIN of the slot you want to connect to.
  10. To test your configuration, click Crypto Token and then Activate. On the next page, enter the PKCS#11 slot PIN in the Authentication Code field and click Activate.
    If correctly entered, you will be redirected to the worker overview page.
  11. Next, to create a test key for the Crypto Token, select the worker name "CryptoTokenP11NG1 (1).
  12. Click the Crypto Token tab to list keys that are available in the Crypto Token.
  13. Select Generate Key and specify the following before clicking Generate.
    • New Key Alias: testkey0
    • Key Algorithm: Choose a key algorithm that is available on your HSM.
    • Key Specification: Choose a key specification that is available on your HSM.
    • Click Generate.
  14. Click Status Summary to check for errors. The Worker status and Token status should now both be Active.

You have now created a Crypto Token and a test key and the Crypto Token can now be used by your SignServer workers. For more information, refer to the SignServer Documentation on Crypto Tokens and available properties.

Step 5 - Renew the TLS certificate

This may be necessary to comply with your company's security regulations, for example, to remove the security warning in the browser address bar. For instructions on how to renew the TLS certificate, see /wiki/spaces/SAD/pages/371392670.



JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.