{"id":"primekey-signserver-ce","name":"signserver-ce","homepage":"https://hub.docker.com/r/primekey/signserver-ce","repo_url":"https://hub.docker.com/r/primekey/signserver-ce","category":"security","subcategories":[],"tags":["security","infrastructure","auth","pki","certificates","x509","ca","tls"],"what_it_does":"signserver-ce is an open-source certificate signing service (“signserver”) that signs CSRs on behalf of an organization (e.g., issuing end-entity certificates) and typically exposes an administrative and/or client-facing API for submitting signing requests and retrieving results, along with supporting configuration for key material, signing policies, and authentication/authorization.","use_cases":["Issue X.509 certificates from CSRs in a controlled environment (enterprise PKI, internal services)","Automate certificate issuance for workloads/clients without manual CA operations","Centralize certificate signing workflows behind authentication and signing policy constraints","Integrate certificate issuance into CI/CD or service onboarding pipelines (where direct CA access should be avoided)"],"not_for":["Public internet-facing CA services without strong operational security controls","Use cases requiring a fully managed SaaS experience (hosting, monitoring, scaling, backups) without operational responsibility","Environments where you cannot manage CA/private key custody and signing key security"],"best_when":"You operate your own PKI and want a self-hosted signing server to issue certificates under your governance, with controlled authentication and audited signing workflows.","avoid_when":"You need a turnkey managed service with no infrastructure management, or you cannot provide secure handling of CA/signing keys and appropriate network/API hardening.","alternatives":["Smallstep-ca / step-ca (self-hosted CA)","HashiCorp Vault PKI secrets engine (with policies and auto-rotation)","EJBCA (enterprise-grade CA)","OpenSSL-based custom signing workflows (less policy-driven, more DIY)"],"af_score":24.5,"security_score":48.0,"reliability_score":35.0,"package_type":"mcp_server","discovery_source":["docker_mcp"],"priority":"low","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-04-04T19:35:43.222113+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":false,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Not determinable from provided information; commonly includes TLS client auth and/or HTTP auth, plus role-based access for signing operations"],"oauth":false,"scopes":false,"notes":"No concrete auth mechanism, scopes model, or documentation details were provided in the prompt contents, so this is assessed conservatively."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Self-hosted open-source package; costs are infrastructure/ops-driven rather than vendor pricing."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":24.5,"security_score":48.0,"reliability_score":35.0,"mcp_server_quality":0.0,"documentation_accuracy":30.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":40.0,"rate_limit_clarity":0.0,"tls_enforcement":60.0,"auth_strength":50.0,"scope_granularity":40.0,"dependency_hygiene":50.0,"secret_handling":40.0,"security_notes":"As signserver is a certificate signing service, the primary security risks are protecting CA/signing private keys, preventing unauthorized signing, and ensuring request authentication/authorization and audit logging. Concrete evidence for TLS enforcement, auth strength, scope granularity, dependency hygiene, and secret-handling practices was not included in the provided prompt, so scores are conservative.","uptime_documented":0.0,"version_stability":50.0,"breaking_changes_history":50.0,"error_recovery":40.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Signing services are sensitive: agents must not leak private keys/CA material and should treat CSR/cert handling as security-critical.","If the API exists, it may require careful handling of request uniqueness (to avoid duplicate issuance) and strict policy compliance.","Certificate issuance flows often have asynchronous processing or strict validation rules; without explicit API contracts, agents may mis-handle retry semantics or idempotency."]}}