On-Premises Installation

Overview

On-premises deployment is recommended for enterprises with strict security, compliance, or regulatory requirements.

This model provides:

Recommended components:

API Layer — auth, policy enforcement, and request intake (behind TLS/mTLS)
Job Queue — e.g., RabbitMQ or Kafka for async processing
Workers / Signing Engine — stateless services that consume jobs and call HSMs
HSM / KMS — on-prem HSM (PKCS#11) or cloud KMS for key protection
Metadata & Audit Store — database (Postgres / Mongo) for policies, key metadata, and immutable audit logs
Portal / Approvals — UI for approvers and administrators

Network placement:

Place public-facing endpoints (if any) behind an ingress with WAF rules.
Use internal L2/L3 segmentation for trust boundaries; HSMs should live on a restricted management network.

Infrastructure:

Dedicated Linux hosts or an orchestrator (Kubernetes) with sufficient resources.
Recommended minimum per service: 2 CPU, 8 GB RAM (adjust per load tests).
Persistent storage (for audit logs, database, and backups).

Software & tools:

Network & security:

Compliance & validation:

Prepare hosts and networking
- Harden OS according to your baseline
- Configure NTP / time sync across all nodes
- Create service accounts and apply least privilege
Deploy platform services
- Deploy API, workers, policy store, and portal via containers or system packages
- Apply TLS and authentication middleware (mTLS where applicable)
Configure Key Storage
- Prefer generating keys inside the HSM or KMS
- If using on-prem HSM, install PKCS#11 module on agent/worker hosts and configure access
- If using cloud KMS, configure IAM roles and network connectivity
Onboard signing certificates
- Import the certificate chain into the platform
- Associate certificates with HSM-protected keys
- Enforce EKU: Code Signing when issuing certificates
Configure Policies & Quorum Approvals
- Define signing policies (time windows, allowed key usage)
- Configure approver groups and minimum counts for quorum workflows
Enable Logging, Monitoring & Alerts
- Expose health endpoints (/actuator/health/*) and Prometheus metrics
- Forward audit logs to a SIEM or centralized logging system
- Configure alerts for HSM unavailability, queue depth, and error spikes

Direct PKCS#11: Workers load PKCS#11 module and call HSM directly (low latency).
Agent-proxy: Agents near CI/CD or developer hosts act as PKCS#11 shims and forward signing requests over mTLS to central workers.
Cloud KMS: Use managed KMS for SaaS/Hybrid; bind keys to service identities and restrict key use to signing operations.

Refer to the HSM setup guide for SoftHSM examples and vendor recommendations.

After deployment, validate with the following steps:

Service health:
- curl -sS https://<api>/actuator/health | jq .
- curl -sS https://<api>/actuator/health/hsm

Test signing end-to-end (digest example):

Compute digest:

openssl dgst -sha256 -binary myapp.exe > digest.bin
base64 digest.bin > digest.txt

Submit request to the API (sync or async):

curl -sS -X POST https://<api>/api/v1/sign/digest -H "Authorization: Bearer $TOKEN" -d '{"digest":"<base64>","metadata":{"filename":"myapp.exe"}}'

Verify returned signature locally and ensure timestamp tokens are recorded if configured.

Key rotation: Plan for rotation and automated renewal; verify apps can handle rotated keys.
HA & Failover: Plan for worker autoscaling and HSM redundancy (where supported by vendor).
Backups & DR: Backup metadata and config; HSM private keys typically cannot be exported—plan HSM backups per vendor guidance.
Performance: Measure HSM signing latency and size worker pools accordingly.

See Troubleshooting for common diagnostics and commands.