SignServer Enterprise
Overview
SignServer Enterprise is an on-premises signing server for code signing, time stamping, and document signing operations. Originally developed by PrimeKey alongside EJBCA, SignServer provides server-side signing services with HSM-backed key protection, supporting a broad range of signature formats and use cases. It is deployed alongside EJBCA in environments where signing operations must remain within the organisation’s own infrastructure.
Unsung has delivered SignServer implementations for UK Central Government alongside EJBCA and Keyfactor Command deployments, providing practical experience with the platform in high-assurance environments.
The Challenge
Organisations that require signing operations to remain within their own infrastructure — for regulatory, sovereignty, or security classification reasons — cannot use cloud-hosted signing services. They need an on-premises signing server that provides the same governance, HSM key protection, and audit capabilities as cloud alternatives, whilst operating entirely within their controlled environment.
Many signing use cases extend beyond code signing to include time stamping for long-term signature validity, document signing for regulatory submissions, and firmware signing for device integrity. An on-premises signing server must support this diversity of signing formats and use cases from a single platform, integrated with the organisation’s existing PKI and HSM infrastructure.
What It Does
SignServer provides server-side signing services for multiple use cases from a single platform. Code signing supports software, firmware, containers, and other artefacts using standard signing formats. Time stamping provides RFC 3161-compliant timestamps for long-term signature validity. Document signing supports PDF and other document formats for regulatory and compliance use cases.
The platform integrates with HSMs for signing key protection and works alongside EJBCA for certificate management. Policy controls govern which signing operations are permitted and who can authorise them. SignServer supports a range of signing protocols and formats, enabling integration with diverse applications and workflows. When deployed with Keyfactor Command, organisations gain visibility and lifecycle management across both their certificates and signing operations.
How Unsung Helps
Unsung designs and implements SignServer as part of integrated PKI environments, typically alongside EJBCA and Keyfactor Command. Our PKI Design & Build service covers the full architecture from CA through to signing services, including HSM integration, policy configuration, and operational procedures for key ceremonies and signing workflows.
Related Unsung Services
PKI Design & Build — Design and implementation of integrated PKI and signing environments.
Hardware Security Modules — HSM deployment and integration for signing key protection.
PKI Consultancy — Advisory on signing architecture and software supply chain security.
PKI Management & Hosting — Managed signing services including ongoing operations and key management.
