Can be disabled with --signer.tls.enabled=false. Avoids breaking existing deployments that default to TLS enabled.