Common Signer Properties
The following properties have common use among most signers:
General Signer Properties
Property | Default | Description |
|---|---|---|
INCLUDE_CERTIFICATE_LEVELS | Depends on signer | (Optional) Number of certificate levels to include. This property is supported for all signers except MRTDSODSigner, MRTDSigner, and MSAuthCodeTimeStampSigner. The property defaults to include all certificates in the chain, except for XAdESSigner, where the default is to only include one certificate (the signing certificate). Setting this to 0 (include no certificates) is not supported for TimeStampSigner. To include all certificates, specify at least the same value as the number of certificates in the certificate chain. |
NO_REQUEST_ARCHIVING | False | When set to true, instructs the signer that archiving of request data is not to be considered. This implies the signer can make optimizations such as not keeping the original request data intact while doing modifications. This property must not be set to true when the archivers in use are configured to archive request data. |
PEERS_* | Not set | For Peer Systems-related properties, see the Peer Systems page. |
REQUESTDN | Not set | Subject DN to be included in a certificate signing request (CSR) by default. Used by interfaces such as the AdminWeb to have a default value already filled in as well as when doing automatic renewals using Renewal Worker or Peer Systems, for example. |
Certificate Validity Properties
By default, SignServer checks that a signer's certificate is valid before letting the signer process a request. If the signer's certificate is not valid, an error message is returned.
There are two properties that can be set to disable this check:
Property | Description |
|---|---|
CHECKCERTVALIDITY | Default value is true, meaning that the validity period of the certificate will be verified before processing. Set to false to ignore if the certificate is expired or not yet valid. |
CHECKCERTPRIVATEKEYVALIDITY | Default value is true, meaning that the validity period in the PrivateKeyUsagePeriod of the certificate will be verified before processing. This is only done if this extension exists (it is optional in a certificate). Set to false to ignore the PrivateKeyUsagePeriod. |
MINREMAININGCERTVALIDITY | Default value is 0. This property defines a minimum remaining validity time required of the signing certificate. If the signing certificate expires within the number of days specified, an error occurs. Set to 0 (default) to disable this check. |
Signature-Limiting Properties
By default, SignServer keeps track of the number of signings performed with each key by holding counters in the database that are updated for each signing. The following worker properties control the key usage counter:
Property | Description |
|---|---|
DISABLEKEYUSAGECOUNTER | By default, all key usages are counted, but by specifying this as true, key usages performed by this worker will not be counted. Disabling the key usage counter can improve performance, as it means fewer database transactions. However, if you have requirements on the number of allowed signings for one worker, ensure that the same key is not used by another worker for which the counter is disabled, as those uses will then be missed. The key usage counter cannot be disabled for a worker if KEYUSAGELIMIT is also specified. |
KEYUSAGELIMIT | Specifies the number of signatures allowed to be created with the same key by this worker. After the limit has been reached, the worker is considered offline. Default: The counter is per key and not per worker. Thus, if multiple workers share the same key, they will all increment the counter. This also means that the worker will be active again after it has gotten a new certificate/key. |
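
The constraints in the tables above can be checked before a configuration is loaded. The following linter is an added example, not SignServer code, and it flags the property combinations this page describes as unsupported or risky. The property names ARCHIVERS, IMPLEMENTATION_CLASS, CRYPTOTOKEN and DEFAULTKEY, the dict-of-dicts input shape, and all sample values are assumptions that do not come from this page.

```python
# Added example, not SignServer code. Assumed names (not on this page): ARCHIVERS,
# IMPLEMENTATION_CLASS, CRYPTOTOKEN, DEFAULTKEY, and the dict-of-dicts input shape.

def flag(props, name, value):
    return props.get(name, "").strip().lower() == value

def key_id(props):
    # Assumption: token name plus key alias identifies the signing key.
    return (props.get("CRYPTOTOKEN"), props.get("DEFAULTKEY"))

def lint_workers(workers):
    """Return sorted (worker, severity, rule) findings for the documented constraints."""
    out = []
    for name, p in workers.items():
        limited = "KEYUSAGELIMIT" in p
        if limited and flag(p, "DISABLEKEYUSAGECOUNTER", "true"):
            out.append((name, "error", "counter-disabled-with-limit"))
        # Conservative: any configured archiver is treated as archiving request data.
        if flag(p, "NO_REQUEST_ARCHIVING", "true") and p.get("ARCHIVERS", "").strip():
            out.append((name, "error", "no-request-archiving-with-archiver"))
        if (p.get("INCLUDE_CERTIFICATE_LEVELS", "").strip() == "0"
                and p.get("IMPLEMENTATION_CLASS", "").endswith(".TimeStampSigner")):
            out.append((name, "error", "tsa-zero-certificate-levels"))
        for check in ("CHECKCERTVALIDITY", "CHECKCERTPRIVATEKEYVALIDITY"):
            if flag(p, check, "false"):
                out.append((name, "warning", check.lower() + "-disabled"))
        # A limit is undercounted when another worker signs with the same key uncounted.
        if limited and None not in key_id(p):
            for other, q in workers.items():
                if (other != name and key_id(q) == key_id(p)
                        and flag(q, "DISABLEKEYUSAGECOUNTER", "true")):
                    out.append((name, "warning", "limit-bypassed-by:" + other))
    return sorted(out)

# Constructed sample configuration (all values are illustrative).
SAMPLE = {
    "DocSignerA": {"CRYPTOTOKEN": "TokenA", "DEFAULTKEY": "key1", "KEYUSAGELIMIT": "10000"},
    "DocSignerB": {"CRYPTOTOKEN": "TokenA", "DEFAULTKEY": "key1",
                   "DISABLEKEYUSAGECOUNTER": "true", "CHECKCERTVALIDITY": "false"},
    "TSA1": {"IMPLEMENTATION_CLASS": "org.signserver.module.tsa.TimeStampSigner",
             "INCLUDE_CERTIFICATE_LEVELS": "0", "NO_REQUEST_ARCHIVING": "true",
             "ARCHIVERS": "example.ConstructedArchiver"},
    "Legacy": {"KEYUSAGELIMIT": "500", "DISABLEKEYUSAGECOUNTER": "TRUE"},
}

if __name__ == "__main__":
    for finding in lint_workers(SAMPLE):
        print(*finding, sep="\t")
```

The archiver rule is deliberately conservative: it reports any worker that sets NO_REQUEST_ARCHIVING with an archiver present, without inspecting what that archiver stores.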