diff --git a/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/exception/ErrorMessage.java b/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/exception/ErrorMessage.java
index 20c9778103..e87d6a7658 100644
--- a/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/exception/ErrorMessage.java
+++ b/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/exception/ErrorMessage.java
@@ -104,7 +104,6 @@ public enum ErrorMessage implements DeviationProvider {
     IMPORTED_CERTIFICATE_ALREADY_EXISTS("certificate_already_exists", "The imported certificate already exists"),
     CERTIFICATE_IMPORT_FAILED("certificate_import_failed", "Cannot import TLS certificate"),
 
-
     SIGNER_PROXY_ERROR("signer_proxy_error", "Signer proxy exception"),
 
     SIGNING_KEY_ACTION_NOT_POSSIBLE("signing_key_action_not_possible", "Signing key action not possible"),
@@ -132,7 +131,6 @@ public enum ErrorMessage implements DeviationProvider {
     TOKEN_PIN_FINAL_TRY("token_pin_final_try", "Tries left: 1"),
     TOKEN_INCORRECT_PIN_FORMAT("token_incorrect_pin_format", "Incorrect PIN format"),
     TOKEN_ACTION_NOT_POSSIBLE("token_action_not_possible", "Token action not possible"),
-    TOKEN_FETCH_FAILED("token_fetch_failed", "Error getting tokens"),
 
     MALFORMED_ANCHOR("malformed_anchor", "Malformed anchor file"),
     TRUSTED_ANCHOR_VERIFICATION_FAILED("trusted_anchor_verification_failed", "Trusted anchor file verification failed"),
diff --git a/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java b/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java
index 4902b00caa..1512da8054 100644
--- a/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java
+++ b/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java
@@ -30,6 +30,7 @@
 import ee.ria.xroad.common.crypto.identifier.SignMechanism;
 import ee.ria.xroad.common.identifier.ClientId;
 import ee.ria.xroad.signer.SignerProxy;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
@@ -46,52 +47,52 @@ public interface SignerProxyFacade {
     /**
      * {@link SignerProxy#initSoftwareToken(char[])}
      */
-    void initSoftwareToken(char[] password) throws Exception;
+    void initSoftwareToken(char[] password) throws SignerException;
 
     /**
      * {@link SignerProxy#getTokens()}
      */
-    List<TokenInfo> getTokens() throws Exception;
+    List<TokenInfo> getTokens() throws SignerException;
 
     /**
      * {@link SignerProxy#getToken(String)}
      */
-    TokenInfo getToken(String tokenId) throws Exception;
+    TokenInfo getToken(String tokenId) throws SignerException;
 
     /**
      * {@link SignerProxy#activateToken(String, char[])}
      */
-    void activateToken(String tokenId, char[] password) throws Exception;
+    void activateToken(String tokenId, char[] password) throws SignerException;
 
     /**
      * {@link SignerProxy#deactivateToken(String)}
      */
-    void deactivateToken(String tokenId) throws Exception;
+    void deactivateToken(String tokenId) throws SignerException;
 
     /**
      * {@link SignerProxy#generateKey(String, String, KeyAlgorithm)}
      */
-    KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws Exception;
+    KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws SignerException;
 
     /**
      * {@link SignerProxy#generateSelfSignedCert(String, ClientId.Conf, KeyUsageInfo, String, Date, Date)}
      */
     byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId, KeyUsageInfo keyUsage,
-                                  String commonName, Date notBefore, Date notAfter) throws Exception;
+                                  String commonName, Date notBefore, Date notAfter) throws SignerException;
 
     /**
      * {@link SignerProxy#deleteKey(String, boolean)}
      */
-    void deleteKey(String keyId, boolean deleteFromToken) throws Exception;
+    void deleteKey(String keyId, boolean deleteFromToken) throws SignerException;
 
     /**
      * {ling {@link SignerProxy#getSignMechanism(String)}}
      */
-    SignMechanism getSignMechanism(String keyId) throws Exception;
+    SignMechanism getSignMechanism(String keyId) throws SignerException;
 
     /**
      * {@link SignerProxy#sign(String, SignAlgorithm, byte[])}
      */
-    byte[] sign(String keyId, SignAlgorithm signatureAlgorithmId, byte[] digest) throws Exception;
+    byte[] sign(String keyId, SignAlgorithm signatureAlgorithmId, byte[] digest) throws SignerException;
 
 }
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java
index dcaf00d4bc..675993c377 100644
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java
+++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java
@@ -30,6 +30,7 @@
 import ee.ria.xroad.common.crypto.identifier.SignMechanism;
 import ee.ria.xroad.common.identifier.ClientId;
 import ee.ria.xroad.signer.SignerProxy;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.RpcSignerClient;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo;
@@ -69,42 +70,42 @@ public void destroy() {
     /**
      * {@link SignerProxy#initSoftwareToken(char[])}
      */
-    public void initSoftwareToken(char[] password) throws Exception {
+    public void initSoftwareToken(char[] password) throws SignerException {
         SignerProxy.initSoftwareToken(password);
     }
 
     /**
      * {@link SignerProxy#getTokens()}
      */
-    public List<TokenInfo> getTokens() throws Exception {
+    public List<TokenInfo> getTokens() throws SignerException {
         return SignerProxy.getTokens();
     }
 
     /**
      * {@link SignerProxy#getToken(String)}
      */
-    public TokenInfo getToken(String tokenId) throws Exception {
+    public TokenInfo getToken(String tokenId) throws SignerException {
         return SignerProxy.getToken(tokenId);
     }
 
     /**
      * {@link SignerProxy#activateToken(String, char[])}
      */
-    public void activateToken(String tokenId, char[] password) throws Exception {
+    public void activateToken(String tokenId, char[] password) throws SignerException {
         SignerProxy.activateToken(tokenId, password);
     }
 
     /**
      * {@link SignerProxy#deactivateToken(String)}
      */
-    public void deactivateToken(String tokenId) throws Exception {
+    public void deactivateToken(String tokenId) throws SignerException {
         SignerProxy.deactivateToken(tokenId);
     }
 
     /**
      * {@link SignerProxy#generateKey(String, String, KeyAlgorithm)}
      */
-    public KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws Exception {
+    public KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws SignerException {
         return SignerProxy.generateKey(tokenId, keyLabel, algorithm);
     }
 
@@ -112,7 +113,7 @@ public KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorit
      * {@link SignerProxy#generateSelfSignedCert(String, ClientId.Conf, KeyUsageInfo, String, Date, Date)}
      */
     public byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId, KeyUsageInfo keyUsage,
-                                         String commonName, Date notBefore, Date notAfter) throws Exception {
+                                         String commonName, Date notBefore, Date notAfter) throws SignerException {
         return SignerProxy.generateSelfSignedCert(keyId, memberId, keyUsage,
                 commonName, notBefore, notAfter);
     }
@@ -120,21 +121,21 @@ public byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId, KeyUs
     /**
      * {@link SignerProxy#deleteKey(String, boolean)}
      */
-    public void deleteKey(String keyId, boolean deleteFromToken) throws Exception {
+    public void deleteKey(String keyId, boolean deleteFromToken) throws SignerException {
         SignerProxy.deleteKey(keyId, deleteFromToken);
     }
 
     /**
      * {ling {@link SignerProxy#getSignMechanism(String)}}
      */
-    public SignMechanism getSignMechanism(String keyId) throws Exception {
+    public SignMechanism getSignMechanism(String keyId) throws SignerException {
         return SignerProxy.getSignMechanism(keyId);
     }
 
     /**
      * {@link SignerProxy#sign(String, SignAlgorithm, byte[])}
      */
-    public byte[] sign(String keyId, SignAlgorithm signatureAlgorithmId, byte[] digest) throws Exception {
+    public byte[] sign(String keyId, SignAlgorithm signatureAlgorithmId, byte[] digest) throws SignerException {
         return SignerProxy.sign(keyId, signatureAlgorithmId, digest);
     }
 }
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java
index c1ec538119..5ad24a19e9 100644
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java
+++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java
@@ -31,6 +31,7 @@
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.common.crypto.identifier.SignMechanism;
 import ee.ria.xroad.common.identifier.ClientId;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
@@ -104,15 +105,23 @@ public void initSoftwareToken(char[] password) {
     }
 
     @Override
-    public List<TokenInfo> getTokens() throws Exception {
-        final String response = restTemplate.getForObject("/getTokens", String.class);
-        return parseTokenInfoList(response);
+    public List<TokenInfo> getTokens() throws SignerException {
+        try {
+            final String response = restTemplate.getForObject("/getTokens", String.class);
+            return parseTokenInfoList(response);
+        } catch (Exception e) {
+            throw new SignerException(e.getMessage(), e);
+        }
     }
 
     @Override
-    public TokenInfo getToken(String tokenId) throws Exception {
-        final String response = restTemplate.getForObject("/getToken/{tokenId}", String.class, tokenId);
-        return parseTokenInfo(response);
+    public TokenInfo getToken(String tokenId) throws SignerException {
+        try {
+            final String response = restTemplate.getForObject("/getToken/{tokenId}", String.class, tokenId);
+            return parseTokenInfo(response);
+        } catch (Exception e) {
+            throw new SignerException(e.getMessage(), e);
+        }
     }
 
     private List<TokenInfo> parseTokenInfoList(String tokenListString) throws JsonProcessingException {
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/AbstractTokenConsumer.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/AbstractTokenConsumer.java
index 7929f2fa92..758dd96515 100644
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/AbstractTokenConsumer.java
+++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/AbstractTokenConsumer.java
@@ -27,35 +27,30 @@
 
 package org.niis.xroad.cs.admin.core.service;
 
-import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.signer.exception.SignerException;
 
 import org.niis.xroad.common.exception.NotFoundException;
+import org.niis.xroad.common.exception.SignerProxyException;
 import org.niis.xroad.cs.admin.api.facade.SignerProxyFacade;
-import org.niis.xroad.cs.admin.core.exception.SignerProxyException;
 
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.SIGNER_PROXY_ERROR;
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.TOKEN_NOT_FOUND;
 
 
 public abstract class AbstractTokenConsumer {
-    private static final String TOKEN_NOT_FOUND_FAULT_CODE = "Signer.TokenNotFound";
 
     protected abstract SignerProxyFacade getSignerProxyFacade();
 
     protected ee.ria.xroad.signer.protocol.dto.TokenInfo getToken(String tokenId) {
         try {
             return getSignerProxyFacade().getToken(tokenId);
-        } catch (CodedException codedException) {
-            if (causedByNotFound(codedException)) {
+        } catch (SignerException signerException) {
+            if (signerException.isCausedByTokenNotFound()) {
                 throw new NotFoundException(TOKEN_NOT_FOUND);
             }
-            throw new SignerProxyException(SIGNER_PROXY_ERROR, codedException, codedException.getFaultCode());
+            throw new SignerProxyException(SIGNER_PROXY_ERROR, signerException, signerException.getFaultCode());
         } catch (Exception exception) {
             throw new SignerProxyException(SIGNER_PROXY_ERROR, exception);
         }
     }
-
-    private boolean causedByNotFound(CodedException codedException) {
-        return TOKEN_NOT_FOUND_FAULT_CODE.equals(codedException.getFaultCode());
-    }
 }
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImpl.java
index a40fbcd9cd..13e1dd46ff 100644
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImpl.java
+++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImpl.java
@@ -37,6 +37,7 @@
 import jakarta.transaction.Transactional;
 import lombok.RequiredArgsConstructor;
 import org.niis.xroad.common.exception.NotFoundException;
+import org.niis.xroad.common.exception.SignerProxyException;
 import org.niis.xroad.common.exception.ValidationFailureException;
 import org.niis.xroad.cs.admin.api.domain.ConfigurationSigningKey;
 import org.niis.xroad.cs.admin.api.domain.ConfigurationSigningKeyWithDetails;
@@ -52,7 +53,6 @@
 import org.niis.xroad.cs.admin.core.entity.ConfigurationSourceEntity;
 import org.niis.xroad.cs.admin.core.entity.mapper.ConfigurationSigningKeyMapper;
 import org.niis.xroad.cs.admin.core.entity.mapper.ConfigurationSigningKeyWithDetailsMapper;
-import org.niis.xroad.cs.admin.core.exception.SignerProxyException;
 import org.niis.xroad.cs.admin.core.exception.SigningKeyException;
 import org.niis.xroad.cs.admin.core.repository.ConfigurationSigningKeyRepository;
 import org.niis.xroad.cs.admin.core.repository.ConfigurationSourceRepository;
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/InitializationServiceImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/InitializationServiceImpl.java
index e1e44fe95d..fc2ce9efe5 100644
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/InitializationServiceImpl.java
+++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/InitializationServiceImpl.java
@@ -32,6 +32,7 @@
 import ee.ria.xroad.common.util.process.ProcessFailedException;
 import ee.ria.xroad.common.util.process.ProcessNotExecutableException;
 import ee.ria.xroad.signer.SignerProxy;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo;
 
@@ -55,7 +56,6 @@
 import org.niis.xroad.restapi.config.audit.RestApiAuditProperty;
 import org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException;
 import org.niis.xroad.restapi.exceptions.ErrorDeviation;
-import org.niis.xroad.restapi.service.SignerNotReachableException;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Service;
@@ -63,8 +63,10 @@
 import java.util.Arrays;
 import java.util.Optional;
 
-import static ee.ria.xroad.common.ErrorCodes.X_KEY_NOT_FOUND;
 import static org.niis.xroad.common.exception.util.CommonDeviationMessage.INITIALIZATION_INTERRUPTED;
+import static org.niis.xroad.cs.admin.api.dto.TokenInitStatus.INITIALIZED;
+import static org.niis.xroad.cs.admin.api.dto.TokenInitStatus.NOT_INITIALIZED;
+import static org.niis.xroad.cs.admin.api.dto.TokenInitStatus.UNKNOWN;
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.INIT_ALREADY_INITIALIZED;
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.INIT_SIGNER_PIN_POLICY_FAILED;
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.INIT_SOFTWARE_TOKEN_FAILED;
@@ -90,7 +92,7 @@ public class InitializationServiceImpl implements InitializationService {
 
     @Override
     public InitializationStatusDto getInitializationStatus() {
-        TokenInitStatus initStatusInfo = getTokenInitStatusInfo();
+        TokenInitStatus initStatusInfo = isSWTokenInitialized();
         InitializationStatusDto statusDto = new InitializationStatusDto();
 
         statusDto.setInstanceIdentifier(systemParameterService.getInstanceIdentifier());
@@ -99,21 +101,6 @@ public InitializationStatusDto getInitializationStatus() {
         return statusDto;
     }
 
-    private TokenInitStatus getTokenInitStatusInfo() {
-        TokenInitStatus initStatusInfo;
-        try {
-            if (isSWTokenInitialized()) {
-                initStatusInfo = TokenInitStatus.INITIALIZED;
-            } else {
-                initStatusInfo = TokenInitStatus.NOT_INITIALIZED;
-            }
-        } catch (SignerNotReachableException notReachableException) {
-            log.info("getInitializationStatus - signer was not reachable", notReachableException);
-            initStatusInfo = TokenInitStatus.UNKNOWN;
-        }
-        return initStatusInfo;
-    }
-
     @Override
     public void initialize(InitialServerConfDto configDto) {
 
@@ -123,7 +110,7 @@ public void initialize(InitialServerConfDto configDto) {
         auditDataHelper.put(RestApiAuditProperty.INSTANCE_IDENTIFIER, configDto.getInstanceIdentifier());
         auditDataHelper.put(RestApiAuditProperty.HA_NODE, currentHaConfigStatus.getCurrentHaNodeName());
 
-        final boolean isSWTokenInitialized = TokenInitStatus.INITIALIZED == getTokenInitStatusInfo();
+        final boolean isSWTokenInitialized = TokenInitStatus.INITIALIZED == isSWTokenInitialized();
         final boolean isServerAddressInitialized = !systemParameterService.getCentralServerAddress().isEmpty();
         final boolean isInstanceIdentifierInitialized = !systemParameterService.getInstanceIdentifier().isEmpty();
         if (isSWTokenInitialized && isServerAddressInitialized && isInstanceIdentifierInitialized) {
@@ -226,20 +213,20 @@ private void generateGPGKeyPair(String identifier) {
         }
     }
 
-    private boolean isSWTokenInitialized() {
-        boolean isSWTokenInitialized = false;
+    private TokenInitStatus isSWTokenInitialized() {
+        var status = NOT_INITIALIZED;
         TokenInfo tokenInfo;
         try {
             tokenInfo = signerProxyFacade.getToken(SignerProxy.SSL_TOKEN_ID);
             if (null != tokenInfo) {
-                isSWTokenInitialized = tokenInfo.getStatus() != TokenStatusInfo.NOT_INITIALIZED;
+                status = tokenInfo.getStatus() != TokenStatusInfo.NOT_INITIALIZED ? INITIALIZED : NOT_INITIALIZED;
             }
         } catch (Exception e) {
-            if (!((e instanceof CodedException ce) && X_KEY_NOT_FOUND.equals(ce.getFaultCode()))) {
-                throw new SignerNotReachableException("could not list all tokens", e);
+            if (!(e instanceof SignerException se && se.isCausedByKeyNotFound())) {
+                status = UNKNOWN;
             }
         }
-        return isSWTokenInitialized;
+        return status;
     }
 }
 
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/TokensServiceImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/TokensServiceImpl.java
index 7eb32c438d..d810e0721a 100644
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/TokensServiceImpl.java
+++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/TokensServiceImpl.java
@@ -32,6 +32,7 @@
 import jakarta.transaction.Transactional;
 import lombok.RequiredArgsConstructor;
 import org.niis.xroad.common.exception.ServiceException;
+import org.niis.xroad.common.exception.SignerProxyException;
 import org.niis.xroad.common.exception.ValidationFailureException;
 import org.niis.xroad.cs.admin.api.dto.TokenInfo;
 import org.niis.xroad.cs.admin.api.dto.TokenLoginRequest;
@@ -39,7 +40,6 @@
 import org.niis.xroad.cs.admin.api.service.ConfigurationSigningKeysService;
 import org.niis.xroad.cs.admin.api.service.TokensService;
 import org.niis.xroad.cs.admin.core.converter.TokenInfoMapper;
-import org.niis.xroad.cs.admin.core.exception.SignerProxyException;
 import org.niis.xroad.restapi.config.audit.AuditDataHelper;
 import org.springframework.stereotype.Service;
 
@@ -50,11 +50,11 @@
 import static ee.ria.xroad.signer.protocol.dto.TokenStatusInfo.USER_PIN_LOCKED;
 import static java.lang.Integer.parseInt;
 import static java.util.stream.Collectors.toSet;
+import static org.niis.xroad.common.exception.util.CommonDeviationMessage.TOKEN_FETCH_FAILED;
 import static org.niis.xroad.cs.admin.api.dto.PossibleTokenAction.LOGIN;
 import static org.niis.xroad.cs.admin.api.dto.PossibleTokenAction.LOGOUT;
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.TOKEN_ACTIVATION_FAILED;
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.TOKEN_DEACTIVATION_FAILED;
-import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.TOKEN_FETCH_FAILED;
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.TOKEN_INCORRECT_PIN_FORMAT;
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.TOKEN_PIN_FINAL_TRY;
 import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.TOKEN_PIN_LOCKED;
diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java
index fa6ca8573d..3b00b487f9 100644
--- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java
+++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationSigningKeysServiceImplTest.java
@@ -30,6 +30,7 @@
 import ee.ria.xroad.common.crypto.identifier.SignMechanism;
 import ee.ria.xroad.common.identifier.ClientId;
 import ee.ria.xroad.common.util.TimeUtils;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyInfoProto;
 import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo;
@@ -163,7 +164,7 @@ void deleteKeyErrorGettingTokenFromSignerProxyShouldThrowException() throws Exce
         ConfigurationSigningKeyEntity signingKeyEntity = createConfigurationSigningEntity("INTERNAL", false);
         when(configurationSigningKeyRepository.findByKeyIdentifier(signingKeyEntity.getKeyIdentifier()))
                 .thenReturn(Optional.of(signingKeyEntity));
-        when(signerProxyFacade.getToken(signingKeyEntity.getTokenIdentifier())).thenThrow(new Exception());
+        when(signerProxyFacade.getToken(signingKeyEntity.getTokenIdentifier())).thenThrow(new SignerException("Error"));
 
         assertThatThrownBy(() -> configurationSigningKeysServiceImpl.deleteKey(signingKeyEntity.getKeyIdentifier()))
                 .isInstanceOf(SigningKeyException.class)
@@ -177,7 +178,7 @@ void deleteKeyErrorDeletingKeyThroughSignerShouldThrowException() throws Excepti
                 .thenReturn(Optional.of(signingKeyEntity));
         when(signerProxyFacade.getToken(signingKeyEntity.getTokenIdentifier()))
                 .thenReturn(createTokenInfo(true, true, List.of()));
-        doThrow(new Exception()).when(signerProxyFacade).deleteKey(signingKeyEntity.getKeyIdentifier(), true);
+        doThrow(new SignerException("Error")).when(signerProxyFacade).deleteKey(signingKeyEntity.getKeyIdentifier(), true);
 
         assertThatThrownBy(() -> configurationSigningKeysServiceImpl.deleteKey(signingKeyEntity.getKeyIdentifier()))
                 .isInstanceOf(SigningKeyException.class)
@@ -325,7 +326,7 @@ void activateKeyErrorGettingTokenFromSignerProxyShouldThrowException() throws Ex
         ConfigurationSigningKeyEntity signingKeyEntity = createConfigurationSigningEntity("INTERNAL", false);
         when(configurationSigningKeyRepository.findByKeyIdentifier(signingKeyEntity.getKeyIdentifier()))
                 .thenReturn(Optional.of(signingKeyEntity));
-        when(signerProxyFacade.getToken(signingKeyEntity.getTokenIdentifier())).thenThrow(new Exception());
+        when(signerProxyFacade.getToken(signingKeyEntity.getTokenIdentifier())).thenThrow(new SignerException("Error"));
 
         assertThatThrownBy(() -> configurationSigningKeysServiceImpl.activateKey(signingKeyEntity.getKeyIdentifier()))
                 .isInstanceOf(SigningKeyException.class)
diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/NotificationServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/NotificationServiceImplTest.java
index 04747ff417..005e41d6d1 100644
--- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/NotificationServiceImplTest.java
+++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/NotificationServiceImplTest.java
@@ -29,6 +29,7 @@
 
 import ee.ria.xroad.common.SystemProperties;
 import ee.ria.xroad.common.util.TimeUtils;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.KeyInfoProto;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenInfoProto;
@@ -81,7 +82,7 @@ class NotificationServiceImplTest {
 
     @Test
     void getAlertsSignerException() throws Exception {
-        when(signerProxyFacade.getTokens()).thenThrow(new Exception());
+        when(signerProxyFacade.getTokens()).thenThrow(new SignerException("Error"));
 
         final Set<AlertInfo> alerts = notificationService.getAlerts();
 
diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokensServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokensServiceImplTest.java
index 69bf0a6a7d..28c821f0cc 100644
--- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokensServiceImplTest.java
+++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TokensServiceImplTest.java
@@ -28,6 +28,7 @@
 package org.niis.xroad.cs.admin.core.service;
 
 import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.TokenInfoProto;
 import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo;
 
@@ -38,13 +39,13 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.niis.xroad.common.exception.NotFoundException;
 import org.niis.xroad.common.exception.ServiceException;
+import org.niis.xroad.common.exception.SignerProxyException;
 import org.niis.xroad.common.exception.ValidationFailureException;
 import org.niis.xroad.cs.admin.api.dto.TokenInfo;
 import org.niis.xroad.cs.admin.api.dto.TokenLoginRequest;
 import org.niis.xroad.cs.admin.api.facade.SignerProxyFacade;
 import org.niis.xroad.cs.admin.api.service.ConfigurationSigningKeysService;
 import org.niis.xroad.cs.admin.core.converter.TokenInfoMapper;
-import org.niis.xroad.cs.admin.core.exception.SignerProxyException;
 import org.niis.xroad.restapi.config.audit.AuditDataHelper;
 import org.niis.xroad.restapi.config.audit.RestApiAuditProperty;
 
@@ -105,7 +106,7 @@ void getTokens() throws Exception {
 
     @Test
     void getTokensShouldThrowException() throws Exception {
-        doThrow(new Exception()).when(signerProxyFacade).getTokens();
+        doThrow(new SignerException("Error")).when(signerProxyFacade).getTokens();
 
         assertThatThrownBy(() -> tokensService.getTokens())
                 .isInstanceOf(ServiceException.class)
@@ -114,7 +115,7 @@ void getTokensShouldThrowException() throws Exception {
 
     @Test
     void loginShouldThrowWhenTokenNotFound() throws Exception {
-        when(signerProxyFacade.getToken(TOKEN_ID)).thenThrow(new CodedException("Signer.TokenNotFound"));
+        when(signerProxyFacade.getToken(TOKEN_ID)).thenThrow(new SignerException("Signer.TokenNotFound"));
 
         assertThatThrownBy(() -> tokensService.login(new TokenLoginRequest(TOKEN_ID, PASSWORD)))
                 .isInstanceOf(NotFoundException.class)
@@ -161,7 +162,7 @@ void loginShouldThrowUserPinLockedOnActivation() throws Exception {
     @Test
     void loginShouldThrowOtherException() throws Exception {
         when(signerProxyFacade.getToken(TOKEN_ID)).thenReturn(mockTokenInfo(OK));
-        doThrow(new Exception()).when(signerProxyFacade).activateToken(TOKEN_ID, PASSWORD.toCharArray());
+        doThrow(new SignerException("Error")).when(signerProxyFacade).activateToken(TOKEN_ID, PASSWORD.toCharArray());
 
         assertThatThrownBy(() -> tokensService.login(new TokenLoginRequest(TOKEN_ID, PASSWORD)))
                 .isInstanceOf(SignerProxyException.class)
@@ -227,7 +228,7 @@ void logout() throws Exception {
 
     @Test
     void logoutShouldThrowNotFound() throws Exception {
-        when(signerProxyFacade.getToken(TOKEN_ID)).thenThrow(new CodedException("Signer.TokenNotFound"));
+        when(signerProxyFacade.getToken(TOKEN_ID)).thenThrow(new SignerException("Signer.TokenNotFound"));
 
         assertThatThrownBy(() -> tokensService.logout(TOKEN_ID))
                 .isInstanceOf(NotFoundException.class)
@@ -236,7 +237,7 @@ void logoutShouldThrowNotFound() throws Exception {
 
     @Test
     void logoutShouldThrowOtherExceptionWhenGetTokenFails() throws Exception {
-        when(signerProxyFacade.getToken(TOKEN_ID)).thenThrow(new Exception());
+        when(signerProxyFacade.getToken(TOKEN_ID)).thenThrow(new SignerException("Error"));
 
         assertThatThrownBy(() -> tokensService.logout(TOKEN_ID))
                 .isInstanceOf(SignerProxyException.class)
diff --git a/src/central-server/admin-service/ui/src/components/ui/ContextualAlerts.vue b/src/central-server/admin-service/ui/src/components/ui/ContextualAlerts.vue
index facdd96f33..6730869541 100644
--- a/src/central-server/admin-service/ui/src/components/ui/ContextualAlerts.vue
+++ b/src/central-server/admin-service/ui/src/components/ui/ContextualAlerts.vue
@@ -28,12 +28,12 @@
   <div>
     <!-- Error -->
     <v-container
-      v-if="errorNotifications && errorNotifications.length > 0"
+      v-if="notifications.errorNotifications && notifications.errorNotifications.length > 0"
       fluid
       class="alerts-container px-3"
     >
       <v-alert
-        v-for="notification in errorNotifications"
+        v-for="notification in notifications.errorNotifications"
         :key="notification.timeAdded"
         v-model="notification.show"
         data-test="contextual-alert"
@@ -53,7 +53,7 @@
 
               <!-- Show localised text by id from error object -->
               <div v-else-if="notification.errorCode">
-                {{ $t('error_code.' + notification.errorCode) }}
+                {{ $t(errorCodePrefix + notification.errorCode) }}
               </div>
 
               <!-- If error doesn't have a text or localisation key then just print the error object -->
@@ -65,19 +65,17 @@
               <div v-if="notification.errorCode === 'token_weak_pin'">
                 <div>
                   {{
-                    $t(`error_code.${notification.metaData?.[0]}`) +
-                    `: ${notification.metaData?.[1]}`
+                    $t(errorCodePrefix + notification.metaData?.[0]) + ': ' + notification.metaData?.[1]
                   }}
                 </div>
                 <div>
                   {{
-                    $t(`error_code.${notification.metaData?.[2]}`) +
-                    `: ${notification.metaData?.[3]}`
+                    $t(errorCodePrefix + notification.metaData?.[2]) + ': ' + notification.metaData?.[3]
                   }}
                 </div>
               </div>
               <div v-for="meta in notification.metaData" v-else :key="meta">
-                {{ meta }}
+                {{ meta.startsWith(metaPrefix) ? $t(meta) : meta }}
               </div>
 
               <!-- Show validation errors -->
@@ -126,7 +124,8 @@
             <xrd-icon-base class="xrd-large-button-icon">
               <XrdIconCopy />
             </xrd-icon-base>
-            {{ $t('action.copyId') }}</xrd-button
+            {{ $t('action.copyId') }}
+          </xrd-button
           >
 
           <!-- Handle possible action -->
@@ -149,7 +148,9 @@
             variant="plain"
             @click="closeError(notification.timeAdded)"
           >
-            <xrd-icon-base><xrd-icon-close /></xrd-icon-base>
+            <xrd-icon-base>
+              <xrd-icon-close />
+            </xrd-icon-base>
           </v-btn>
         </template>
       </v-alert>
@@ -157,41 +158,38 @@
   </div>
 </template>
 
-<script lang="ts">
-import { defineComponent } from 'vue';
-import { mapActions, mapState } from 'pinia';
+<script lang="ts" setup>
 import { useNotifications } from '@/store/modules/notifications';
 import { toClipboard } from '@/util/helpers';
 import { Notification } from '@/ui-types';
+import { useRouter } from 'vue-router';
+
+const errorCodePrefix = 'error_code.';
+const metaPrefix = 'meta.';
+
+const notifications = useNotifications();
+const router = useRouter();
+
+function closeError(id: number): void {
+  notifications.deleteNotification(id);
+}
+
+function copyId(notification: Notification): void {
+  const id = notification.errorId;
+  if (id) {
+    toClipboard(id);
+  }
+}
+
+function routeAction(notification: Notification): void {
+  if (notification.action) {
+    router.push({
+      name: notification.action.route,
+    });
+  }
+  closeError(notification.timeAdded);
+}
 
-export default defineComponent({
-  // Component for contextual notifications
-  computed: {
-    ...mapState(useNotifications, ['errorNotifications']),
-  },
-  methods: {
-    ...mapActions(useNotifications, ['deleteNotification']),
-
-    closeError(id: number): void {
-      this.deleteNotification(id);
-    },
-    copyId(notification: Notification): void {
-      const id = notification.errorId;
-      if (id) {
-        toClipboard(id);
-      }
-    },
-
-    routeAction(notification: Notification): void {
-      if (notification.action) {
-        this.$router.push({
-          name: notification.action.route,
-        });
-      }
-      this.closeError(notification.timeAdded);
-    },
-  },
-});
 </script>
 
 <style lang="scss" scoped>
diff --git a/src/central-server/admin-service/ui/src/locales/en.json b/src/central-server/admin-service/ui/src/locales/en.json
index 21a3dabdf5..84d4017bc0 100644
--- a/src/central-server/admin-service/ui/src/locales/en.json
+++ b/src/central-server/admin-service/ui/src/locales/en.json
@@ -38,6 +38,7 @@
     "init_software_token_failed": "Software token initialization failed",
     "instance_identifier_not_set": "System parameter for instance identifier not set",
     "intermediate_ca_not_found": "Intermediate CA not found",
+    "internal_error": "Internal error. See server logs for more details",
     "invalid_certificate": "Invalid X.509 certificate",
     "invalid_member_id": "Invalid member id",
     "invalid_pagination_properties": "Pagination has invalid properties",
@@ -88,7 +89,6 @@
     "token_action_not_possible": "Token action not possible",
     "token_activation_failed": "Token activation failed",
     "token_deactivation_failed": "Token deactivation failed",
-    "token_fetch_failed": "Error getting tokens",
     "token_incorrect_pin_format": "Incorrect PIN format",
     "token_invalid_characters": "The provided pin code contains invalid characters",
     "token_pin_final_try": "Tries left: 1",
@@ -98,7 +98,6 @@
     "malformed_anchor": "Malformed anchor file",
     "trusted_anchor_verification_failed": "Trusted anchor verification failed",
     "trusted_anchor_not_found": "Trusted anchor not found",
-    "internal_error": "Internal error. See server logs for more details",
     "invalid_parameters": "Validation failure",
     "security_server_not_found": "Security server not found",
     "invalid_encoded_id": "Invalid encoded id",
diff --git a/src/central-server/admin-service/ui/src/locales/es.json b/src/central-server/admin-service/ui/src/locales/es.json
index e168234ad7..ff8b9b6176 100644
--- a/src/central-server/admin-service/ui/src/locales/es.json
+++ b/src/central-server/admin-service/ui/src/locales/es.json
@@ -88,7 +88,6 @@
     "token_action_not_possible": "Acción del token no es posible",
     "token_activation_failed": "Falló la activación del token",
     "token_deactivation_failed": "La desactivación del token falló",
-    "token_fetch_failed": "Error al obtener el token",
     "token_incorrect_pin_format": "Formato de PIN incorrecto",
     "token_invalid_characters": "El código PIN proporcionado contiene caracteres no válidos",
     "token_pin_final_try": "Intentos restantes: 1",
@@ -764,4 +763,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/exceptions/ApplicationExceptionHandler.java b/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/exceptions/ApplicationExceptionHandler.java
index 10be2a7041..a1b40bf9d1 100644
--- a/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/exceptions/ApplicationExceptionHandler.java
+++ b/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/exceptions/ApplicationExceptionHandler.java
@@ -25,13 +25,14 @@
  */
 package org.niis.xroad.restapi.exceptions;
 
+import ee.ria.xroad.signer.exception.SignerException;
+
 import jakarta.validation.ConstraintViolationException;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.niis.xroad.restapi.config.audit.AuditEventLoggingFacade;
 import org.niis.xroad.restapi.config.audit.RestApiAuditEvent;
 import org.niis.xroad.restapi.openapi.model.ErrorInfo;
-import org.niis.xroad.restapi.service.SignerNotReachableException;
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.dao.DataIntegrityViolationException;
@@ -128,9 +129,9 @@ public ResponseEntity<ErrorInfo> exception(BeanCreationException beanCreationExc
         log.error(EXCEPTION_CAUGHT, beanCreationException);
         Exception exception = beanCreationException;
         int indexOfSignerException = ExceptionUtils
-                .indexOfThrowable(beanCreationException, SignerNotReachableException.class);
+                .indexOfThrowable(beanCreationException, SignerException.class);
         if (indexOfSignerException != -1) {
-            exception = (SignerNotReachableException) ExceptionUtils
+            exception = (SignerException) ExceptionUtils
                     .getThrowables(beanCreationException)[indexOfSignerException];
         }
         return exceptionTranslator.toResponseEntity(exception, HttpStatus.INTERNAL_SERVER_ERROR);
diff --git a/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/exceptions/ExceptionTranslator.java b/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/exceptions/ExceptionTranslator.java
index e8b58ba129..2067820daf 100644
--- a/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/exceptions/ExceptionTranslator.java
+++ b/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/exceptions/ExceptionTranslator.java
@@ -26,6 +26,7 @@
 package org.niis.xroad.restapi.exceptions;
 
 import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.signer.exception.SignerException;
 
 import jakarta.validation.ConstraintViolationException;
 import org.niis.xroad.common.exception.ServiceException;
@@ -40,6 +41,7 @@
 import org.springframework.web.bind.MethodArgumentNotValidException;
 
 import java.util.HashMap;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 
@@ -53,6 +55,7 @@
 public class ExceptionTranslator {
 
     public static final String CORE_CODED_EXCEPTION_PREFIX = "core.";
+    public static final String META_PREFIX = "meta.";
 
     private final ValidationErrorHelper validationErrorHelper;
 
@@ -74,30 +77,38 @@ public ResponseEntity<ErrorInfo> toResponseEntity(Exception e, HttpStatus defaul
         HttpStatusCode status = resolveHttpStatus(e, defaultStatus);
         ErrorInfo errorDto = new ErrorInfo();
         errorDto.setStatus(status.value());
-        if (e instanceof DeviationAware errorCodedException) {
-            // add information about errors and warnings
-            if (errorCodedException.getErrorDeviation() != null) {
-                errorDto.setError(convert(errorCodedException.getErrorDeviation()));
-            }
-            if (errorCodedException.getWarningDeviations() != null) {
-                for (Deviation warning : errorCodedException.getWarningDeviations()) {
-                    errorDto.addWarningsItem(convert(warning));
+        switch (e) {
+            case DeviationAware errorCodedException -> {
+                // add information about errors and warnings
+                if (errorCodedException.getErrorDeviation() != null) {
+                    errorDto.setError(convert(errorCodedException.getErrorDeviation()));
+                }
+                if (errorCodedException.getWarningDeviations() != null) {
+                    for (Deviation warning : errorCodedException.getWarningDeviations()) {
+                        errorDto.addWarningsItem(convert(warning));
+                    }
                 }
             }
-        } else if (e instanceof CodedException ce) {
-            // map fault code and string from core CodedException
-            Deviation deviation = new ErrorDeviation(CORE_CODED_EXCEPTION_PREFIX + ce.getFaultCode(), ce.getFaultString());
-            errorDto.setError(convert(deviation));
-        } else if (e instanceof MethodArgumentNotValidException manve) {
-            errorDto.setError(validationErrorHelper.createError(manve));
-        } else if (e instanceof ConstraintViolationException cve) {
-            Map<String, List<String>> violations = new HashMap<>();
-            cve.getConstraintViolations()
-                    .forEach(constraintViolation -> violations.put(constraintViolation.getPropertyPath().toString(),
-                            List.of(constraintViolation.getMessage())));
-            errorDto.setError(new CodeWithDetails().code(ERROR_VALIDATION_FAILURE).validationErrors(violations));
+            case CodedException ce -> {
+                // map fault code and string from core CodedException
+                Deviation deviation = new ErrorDeviation(CORE_CODED_EXCEPTION_PREFIX + ce.getFaultCode(), ce.getFaultString());
+                errorDto.setError(convert(deviation));
+            }
+            case MethodArgumentNotValidException manve -> errorDto.setError(validationErrorHelper.createError(manve));
+            case ConstraintViolationException cve -> {
+                Map<String, List<String>> violations = new HashMap<>();
+                cve.getConstraintViolations()
+                        .forEach(constraintViolation -> violations.put(constraintViolation.getPropertyPath().toString(),
+                                List.of(constraintViolation.getMessage())));
+                errorDto.setError(new CodeWithDetails().code(ERROR_VALIDATION_FAILURE).validationErrors(violations));
+            }
+            default -> {
+
+            }
         }
 
+        attachCausedBySignerIfNeeded(e, errorDto);
+
         return ResponseEntity.status(status)
                 .contentType(MediaType.APPLICATION_JSON)
                 .body(errorDto);
@@ -114,10 +125,25 @@ private CodeWithDetails convert(Deviation deviation) {
         return result;
     }
 
+    private boolean isCausedBySignerException(Throwable e) {
+        return e != null && (e instanceof SignerException || isCausedBySignerException(e.getCause()));
+    }
+
+    private void attachCausedBySignerIfNeeded(Throwable e, ErrorInfo errorDto) {
+        if (isCausedBySignerException(e)) {
+            var metadata = errorDto.getError().getMetadata();
+            metadata = metadata == null ? new LinkedList<>() : new LinkedList<>(metadata);
+            metadata.add(META_PREFIX + "check_signer_logs");
+            errorDto.getError().setMetadata(metadata);
+        }
+    }
+
     public HttpStatusCode resolveHttpStatus(Exception e, HttpStatus defaultStatus) {
         if (e instanceof ServiceException se) {
             return HttpStatus.resolve(se.getHttpStatus());
         }
         return getAnnotatedResponseStatus(e, defaultStatus);
     }
+
+
 }
diff --git a/src/common/common-core/src/main/java/ee/ria/xroad/common/ErrorCodes.java b/src/common/common-core/src/main/java/ee/ria/xroad/common/ErrorCodes.java
index 9e19d2d572..a0426310e0 100644
--- a/src/common/common-core/src/main/java/ee/ria/xroad/common/ErrorCodes.java
+++ b/src/common/common-core/src/main/java/ee/ria/xroad/common/ErrorCodes.java
@@ -92,7 +92,6 @@ public final class ErrorCodes {
     public static final String X_HASHCHAIN_UNUSED_INPUTS = "HashChainUnusedInputs";
     public static final String X_INVALID_HASH_CHAIN_REF = "InvalidHashChainRef";
 
-
     // Message processing errors
 
     public static final String X_SSL_AUTH_FAILED = "SslAuthenticationFailed";
@@ -143,7 +142,6 @@ public final class ErrorCodes {
     public static final String X_ASIC_MANIFEST_NOT_FOUND =
             "AsicManifestNotFound";
 
-
     // Configuration errors
 
     public static final String X_UNKNOWN_MEMBER = "UnknownMember";
@@ -158,7 +156,6 @@ public final class ErrorCodes {
     public static final String X_ADAPTER_WSDL_NOT_FOUND = "AdapterWsdlNotFound";
     public static final String X_HW_MODULE_NON_OPERATIONAL = "HSMNonOperational";
 
-
     // Signer Errors
 
     public static final String X_KEY_NOT_FOUND = "KeyNotFound";
@@ -202,35 +199,31 @@ public final class ErrorCodes {
      */
     @SuppressWarnings("squid:S1872")
     public static CodedException translateException(Throwable ex) {
-        if (ex instanceof CodedException cex) {
-            return cex;
-        } else if (ex instanceof UnknownHostException
-                || ex instanceof MalformedURLException
-                || ex instanceof SocketException
-                || ex instanceof UnknownServiceException
-                || ex instanceof UnresolvedAddressException) {
-            return new CodedException(X_NETWORK_ERROR, ex);
-        } else if (ex instanceof IOException) {
-            return new CodedException(X_IO_ERROR, ex);
-        } else if (ex instanceof CertificateException) {
-            return new CodedException(X_INCORRECT_CERTIFICATE, ex);
-        } else if (ex instanceof SOAPException) {
-            return new CodedException(X_INVALID_SOAP, ex);
-        } else if ("org.apache.james.mime4j.MimeException".equals(ex.getClass().getName())) {
-            return new CodedException(X_MIME_PARSING_FAILED, ex);
-        } else if (ex instanceof SAXException) {
-            return new CodedException(X_INVALID_XML, ex);
-        } else if (ex instanceof UnmarshalException) {
-            return ex.getCause() != null && "org.glassfish.jaxb.runtime.api.AccessorException".equals(ex.getCause().getClass().getName())
-                    ? translateException(ex.getCause())
-                    : new CodedException(X_INTERNAL_ERROR, ex);
-        } else if ("org.glassfish.jaxb.runtime.api.AccessorException".equals(ex.getClass().getName())) {
-            return ex.getCause() instanceof CodedException
-                    ? (CodedException) ex.getCause()
-                    : new CodedException(X_INTERNAL_ERROR, ex);
-        } else { // other system exceptions.
-            return new CodedException(X_INTERNAL_ERROR, ex);
-        }
+        return switch (ex) {
+            case CodedException cex -> cex;
+            case UnknownHostException ne -> new CodedException(X_NETWORK_ERROR, ne);
+            case MalformedURLException ne -> new CodedException(X_NETWORK_ERROR, ne);
+            case SocketException ne -> new CodedException(X_NETWORK_ERROR, ne);
+            case UnknownServiceException ne -> new CodedException(X_NETWORK_ERROR, ne);
+            case UnresolvedAddressException ne -> new CodedException(X_NETWORK_ERROR, ne);
+            case IOException ioe -> new CodedException(X_IO_ERROR, ioe);
+            case CertificateException ice -> new CodedException(X_INCORRECT_CERTIFICATE, ice);
+            case SOAPException ise -> new CodedException(X_INVALID_SOAP, ise);
+            case SAXException ixe -> new CodedException(X_INVALID_XML, ixe);
+            case UnmarshalException ue when isAccessorException(ue.getCause()) -> translateException(ue.getCause());
+            case Exception me when isMimeException(me) -> new CodedException(X_MIME_PARSING_FAILED, me);
+            case Exception ae when isAccessorException(ae) && ae.getCause() instanceof CodedException cex -> cex;
+            default -> new CodedException(X_INTERNAL_ERROR, ex);
+
+        };
+    }
+
+    private static boolean isAccessorException(Throwable ex) {
+        return ex != null && ex.getClass().getName().equals("org.glassfish.jaxb.runtime.api.AccessorException");
+    }
+
+    private static boolean isMimeException(Throwable ex) {
+        return ex != null && ex.getClass().getName().equals("org.apache.james.mime4j.MimeException");
     }
 
     /**
diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/exception/SignerProxyException.java b/src/common/common-domain/src/main/java/org/niis/xroad/common/exception/SignerProxyException.java
similarity index 83%
rename from src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/exception/SignerProxyException.java
rename to src/common/common-domain/src/main/java/org/niis/xroad/common/exception/SignerProxyException.java
index c0586a9050..19fe662c0e 100644
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/exception/SignerProxyException.java
+++ b/src/common/common-domain/src/main/java/org/niis/xroad/common/exception/SignerProxyException.java
@@ -25,18 +25,17 @@
  * THE SOFTWARE.
  */
 
-package org.niis.xroad.cs.admin.core.exception;
+package org.niis.xroad.common.exception;
 
-import org.niis.xroad.common.exception.ServiceException;
-import org.niis.xroad.cs.admin.api.exception.ErrorMessage;
+import org.niis.xroad.restapi.exceptions.DeviationProvider;
 
 public class SignerProxyException extends ServiceException {
 
-    public SignerProxyException(ErrorMessage code, Object... metadata) {
+    public SignerProxyException(DeviationProvider code, Object... metadata) {
         super(code, metadata);
     }
 
-    public SignerProxyException(ErrorMessage code, Throwable cause, Object... metadata) {
+    public SignerProxyException(DeviationProvider code, Throwable cause, Object... metadata) {
         super(code, cause, metadata);
     }
 }
diff --git a/src/common/common-domain/src/main/java/org/niis/xroad/common/exception/util/CommonDeviationMessage.java b/src/common/common-domain/src/main/java/org/niis/xroad/common/exception/util/CommonDeviationMessage.java
index 3017f24728..ba8114a7d2 100644
--- a/src/common/common-domain/src/main/java/org/niis/xroad/common/exception/util/CommonDeviationMessage.java
+++ b/src/common/common-domain/src/main/java/org/niis/xroad/common/exception/util/CommonDeviationMessage.java
@@ -72,7 +72,11 @@ public enum CommonDeviationMessage implements DeviationProvider {
 
     ERROR_READING_OPENAPI_FILE("openapi_file_error", "Error reading open api definition file"),
     INITIALIZATION_INTERRUPTED("initialization_interrupted", "Initialization has been interrupted"),
-    EMAIL_SENDING_FAILED("email_sending_error", "Failed to send email"),;
+    EMAIL_SENDING_FAILED("email_sending_error", "Failed to send email"),
+
+    TOKEN_FETCH_FAILED("token_fetch_failed", "Error getting tokens"),
+    TOKEN_PIN_INCORRECT("pin_incorrect", "Entered PIN was incorrect"),
+    TOKEN_NOT_ACTIVE("token_not_active", "Token is not active");
 
     @Getter
     private final String code;
diff --git a/src/common/common-domain/src/main/java/org/niis/xroad/restapi/exceptions/DeviationCodes.java b/src/common/common-domain/src/main/java/org/niis/xroad/restapi/exceptions/DeviationCodes.java
index a93aed0c67..2bc87f26f6 100644
--- a/src/common/common-domain/src/main/java/org/niis/xroad/restapi/exceptions/DeviationCodes.java
+++ b/src/common/common-domain/src/main/java/org/niis/xroad/restapi/exceptions/DeviationCodes.java
@@ -140,7 +140,6 @@ public final class DeviationCodes {
     public static final String ERROR_SERVICE_CLIENT_NOT_FOUND = "service_client_not_found";
     public static final String ERROR_SERVICE_EXISTS = "service_already_exists";
     public static final String ERROR_SERVICE_NOT_FOUND = "service_not_found";
-    public static final String ERROR_SIGNER_NOT_REACHABLE = "signer_not_reachable";
     public static final String ERROR_SIGN_CERT_NOT_SUPPORTED = "sign_cert_not_supported";
     public static final String ERROR_SOFTWARE_TOKEN_INIT_FAILED = "software_token_init_failed";
     public static final String ERROR_TIMESTAMPING_SERVICE_NOT_FOUND = "timestamping_service_not_found";
diff --git a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java
index 6f37ac8a31..e9f97a0018 100644
--- a/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java
+++ b/src/common/common-rpc/src/main/java/org/niis/xroad/common/rpc/client/RpcClient.java
@@ -50,6 +50,7 @@
 import java.util.concurrent.ForkJoinPool;
 
 import static ee.ria.xroad.common.ErrorCodes.SIGNER_X;
+import static ee.ria.xroad.common.ErrorCodes.X_NETWORK_ERROR;
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
 
 @Slf4j
@@ -120,7 +121,7 @@ public <V> V execute(RpcExecution<V, C> grpcCall) throws Exception {
             return grpcCall.exec(executionContext);
         } catch (StatusRuntimeException error) {
             if (error.getStatus().getCode() == Status.Code.DEADLINE_EXCEEDED) {
-                throw CodedException.tr(SIGNER_X, "signer_client_timeout",
+                throw CodedException.tr(X_NETWORK_ERROR, "signer_client_timeout",
                                 "Signer client timed out. Deadline: " + rpcDeadlineMillis + " ms")
                         .withPrefix(SIGNER_X);
             }
diff --git a/src/proxy/core/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java b/src/proxy/core/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java
index ac69ab77eb..411d3c17a6 100644
--- a/src/proxy/core/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java
+++ b/src/proxy/core/src/intTest/java/org/niis/xroad/proxy/test/glue/ProxyStepDefs.java
@@ -115,7 +115,7 @@ public void certRequestIsGeneratedForTokenKey(String keyUsage, String client) th
 
 
         File csrFile = File.createTempFile("tmp", keyUsage.toLowerCase() + "_csr" + System.currentTimeMillis());
-        FileUtils.writeByteArrayToFile(csrFile, csrInfo.getCertRequest());
+        FileUtils.writeByteArrayToFile(csrFile, csrInfo.certRequest());
         putStepData(StepDataKey.DOWNLOADED_FILE, csrFile);
     }
 
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/restapi/openapi/BadRequestException.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/restapi/openapi/BadRequestException.java
index 76856d60c8..00b596b787 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/restapi/openapi/BadRequestException.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/restapi/openapi/BadRequestException.java
@@ -25,7 +25,7 @@
  */
 package org.niis.xroad.restapi.openapi;
 
-import org.niis.xroad.restapi.exceptions.DeviationAwareException;
+import org.niis.xroad.restapi.exceptions.DeviationAware;
 import org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException;
 import org.niis.xroad.restapi.exceptions.ErrorDeviation;
 import org.niis.xroad.restapi.exceptions.WarningDeviation;
@@ -43,7 +43,7 @@
 @ResponseStatus(value = HttpStatus.BAD_REQUEST)
 public class BadRequestException extends DeviationAwareRuntimeException {
 
-    public BadRequestException(DeviationAwareException e) {
+    public <TD extends Throwable & DeviationAware> BadRequestException(TD e) {
         super(e, e.getErrorDeviation(), e.getWarningDeviations());
     }
 
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/restapi/openapi/ResourceNotFoundException.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/restapi/openapi/ResourceNotFoundException.java
index fc98710fca..4b5e741ed0 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/restapi/openapi/ResourceNotFoundException.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/restapi/openapi/ResourceNotFoundException.java
@@ -25,7 +25,7 @@
  */
 package org.niis.xroad.restapi.openapi;
 
-import org.niis.xroad.restapi.exceptions.DeviationAwareException;
+import org.niis.xroad.restapi.exceptions.DeviationAware;
 import org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException;
 import org.niis.xroad.restapi.exceptions.ErrorDeviation;
 import org.springframework.http.HttpStatus;
@@ -43,7 +43,7 @@ public class ResourceNotFoundException extends DeviationAwareRuntimeException {
     public ResourceNotFoundException() {
     }
 
-    public ResourceNotFoundException(DeviationAwareException e) {
+    public <TD extends Throwable & DeviationAware> ResourceNotFoundException(TD e) {
         super(e, e.getErrorDeviation(), e.getWarningDeviations());
     }
 
diff --git a/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/service/SignerNotReachableException.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/exceptions/ErrorMessage.java
similarity index 52%
rename from src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/service/SignerNotReachableException.java
rename to src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/exceptions/ErrorMessage.java
index 7694f0d13d..f51abc2bf4 100644
--- a/src/common/common-admin-api/src/main/java/org/niis/xroad/restapi/service/SignerNotReachableException.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/exceptions/ErrorMessage.java
@@ -1,20 +1,19 @@
 /*
  * The MIT License
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
  * Copyright (c) 2018 Estonian Information System Authority (RIA),
  * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
  * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
+ * <p>
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
  * in the Software without restriction, including without limitation the rights
  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  * copies of the Software, and to permit persons to whom the Software is
  * furnished to do so, subject to the following conditions:
- *
+ * <p>
  * The above copyright notice and this permission notice shall be included in
  * all copies or substantial portions of the Software.
- *
+ * <p>
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -23,18 +22,30 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  * THE SOFTWARE.
  */
-package org.niis.xroad.restapi.service;
+package org.niis.xroad.securityserver.restapi.exceptions;
 
-import org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException;
-import org.niis.xroad.restapi.exceptions.ErrorDeviation;
+import lombok.Getter;
+import org.niis.xroad.restapi.exceptions.DeviationProvider;
 
-import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_SIGNER_NOT_REACHABLE;
+import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_AUTH_CERT_NOT_SUPPORTED;
+import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_CERTIFICATE_NOT_FOUND;
+import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_CERTIFICATE_NOT_FOUND_WITH_ID;
+import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_CERTIFICATE_WRONG_USAGE;
+import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_SIGN_CERT_NOT_SUPPORTED;
 
-/**
- * When signer operation fails
- */
-public class SignerNotReachableException extends DeviationAwareRuntimeException {
-    public SignerNotReachableException(String msg, Throwable t) {
-        super(msg, t, new ErrorDeviation(ERROR_SIGNER_NOT_REACHABLE));
+@Getter
+public enum ErrorMessage implements DeviationProvider {
+    CERTIFICATE_WRONG_USAGE(ERROR_CERTIFICATE_WRONG_USAGE, "Certificate has wrong usage"),
+    AUTH_CERT_NOT_SUPPORTED(ERROR_AUTH_CERT_NOT_SUPPORTED, "Not supported authentication certificate"),
+    SIGN_CERT_NOT_SUPPORTED(ERROR_SIGN_CERT_NOT_SUPPORTED, "Not supported sign certificate"),
+    CERTIFICATE_NOT_FOUND(ERROR_CERTIFICATE_NOT_FOUND, "Certificate not found"),
+    CERTIFICATE_NOT_FOUND_WITH_ID(ERROR_CERTIFICATE_NOT_FOUND_WITH_ID, "Certificate not found by id");
+
+    private final String code;
+    private final String description;
+
+    ErrorMessage(final String code, final String description) {
+        this.code = code;
+        this.description = description;
     }
 }
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java
index 19f45d7b26..52fee22054 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/facade/SignerProxyFacade.java
@@ -72,77 +72,77 @@ public void destroy() {
     /**
      * {@link SignerProxy#initSoftwareToken(char[])}
      */
-    public void initSoftwareToken(char[] password) throws Exception {
+    public void initSoftwareToken(char[] password) throws SecurityException {
         SignerProxy.initSoftwareToken(password);
     }
 
     /**
      * {@link SignerProxy#getTokens()}
      */
-    public List<TokenInfo> getTokens() throws Exception {
+    public List<TokenInfo> getTokens() throws SecurityException {
         return SignerProxy.getTokens();
     }
 
     /**
      * {@link SignerProxy#getToken(String)}
      */
-    public TokenInfo getToken(String tokenId) throws Exception {
+    public TokenInfo getToken(String tokenId) throws SecurityException {
         return SignerProxy.getToken(tokenId);
     }
 
     /**
      * {@link SignerProxy#activateToken(String, char[])}
      */
-    public void activateToken(String tokenId, char[] password) throws Exception {
+    public void activateToken(String tokenId, char[] password) throws SecurityException {
         SignerProxy.activateToken(tokenId, password);
     }
 
     /**
      * {@link SignerProxy#deactivateToken(String)}
      */
-    public void deactivateToken(String tokenId) throws Exception {
+    public void deactivateToken(String tokenId) throws SecurityException {
         SignerProxy.deactivateToken(tokenId);
     }
 
     /**
      * {@link SignerProxy#setTokenFriendlyName(String, String)}
      */
-    public void setTokenFriendlyName(String tokenId, String friendlyName) throws Exception {
+    public void setTokenFriendlyName(String tokenId, String friendlyName) throws SecurityException {
         SignerProxy.setTokenFriendlyName(tokenId, friendlyName);
     }
 
     /**
      * {@link SignerProxy#setKeyFriendlyName(String, String)}
      */
-    public void setKeyFriendlyName(String keyId, String friendlyName) throws Exception {
+    public void setKeyFriendlyName(String keyId, String friendlyName) throws SecurityException {
         SignerProxy.setKeyFriendlyName(keyId, friendlyName);
     }
 
     /**
      * {@link SignerProxy#generateKey(String, String, KeyAlgorithm)}
      */
-    public KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm keyAlgorithm) throws Exception {
+    public KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm keyAlgorithm) throws SecurityException {
         return SignerProxy.generateKey(tokenId, keyLabel, keyAlgorithm);
     }
 
     /**
      * {@link SignerProxy#importCert(byte[], String, ClientId.Conf)}
      */
-    public String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId, boolean activate) throws Exception {
+    public String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId, boolean activate) throws SecurityException {
         return SignerProxy.importCert(certBytes, initialStatus, clientId, activate);
     }
 
     /**
      * {@link SignerProxy#activateCert(String)}
      */
-    public void activateCert(String certId) throws Exception {
+    public void activateCert(String certId) throws SecurityException {
         SignerProxy.activateCert(certId);
     }
 
     /**
      * {@link SignerProxy#deactivateCert(String)}
      */
-    public void deactivateCert(String certId) throws Exception {
+    public void deactivateCert(String certId) throws SecurityException {
         SignerProxy.deactivateCert(certId);
     }
 
@@ -150,7 +150,7 @@ public void deactivateCert(String certId) throws Exception {
      * {@link SignerProxy#generateCertRequest(String, ClientId.Conf, KeyUsageInfo, String, CertificateRequestFormat)}
      */
     public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId.Conf memberId, KeyUsageInfo keyUsage,
-                                                        String subjectName, CertificateRequestFormat format) throws Exception {
+                                                        String subjectName, CertificateRequestFormat format) throws SecurityException {
         return SignerProxy.generateCertRequest(keyId, memberId, keyUsage, subjectName, format);
     }
 
@@ -160,7 +160,7 @@ public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId.Conf
     public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId.Conf memberId, KeyUsageInfo keyUsage,
                                                         String subjectName, String altName, CertificateRequestFormat format,
                                                         String certificateProfile)
-            throws Exception {
+            throws SecurityException {
         return SignerProxy.generateCertRequest(keyId, memberId, keyUsage, subjectName, altName, format, certificateProfile);
     }
 
@@ -168,109 +168,109 @@ public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId.Conf
      * {@link SignerProxy#regenerateCertRequest(String, CertificateRequestFormat)}
      */
     public GeneratedCertRequestInfo regenerateCertRequest(String certRequestId, CertificateRequestFormat format)
-            throws Exception {
+            throws SecurityException {
         return SignerProxy.regenerateCertRequest(certRequestId, format);
     }
 
     /**
      * {@link SignerProxy#deleteCertRequest(String)}
      */
-    public void deleteCertRequest(String certRequestId) throws Exception {
+    public void deleteCertRequest(String certRequestId) throws SecurityException {
         SignerProxy.deleteCertRequest(certRequestId);
     }
 
     /**
      * {@link SignerProxy#deleteCert(String)}
      */
-    public void deleteCert(String certId) throws Exception {
+    public void deleteCert(String certId) throws SecurityException {
         SignerProxy.deleteCert(certId);
     }
 
     /**
      * {@link SignerProxy#deleteKey(String, boolean)}
      */
-    public void deleteKey(String keyId, boolean deleteFromToken) throws Exception {
+    public void deleteKey(String keyId, boolean deleteFromToken) throws SecurityException {
         SignerProxy.deleteKey(keyId, deleteFromToken);
     }
 
     /**
      * {@link SignerProxy#setCertStatus(String, String)}
      */
-    public void setCertStatus(String certId, String status) throws Exception {
+    public void setCertStatus(String certId, String status) throws SecurityException {
         SignerProxy.setCertStatus(certId, status);
     }
 
     /**
      * {@link SignerProxy#setCertStatus(String, String)}
      */
-    public void setRenewedCertHash(String certId, String hash) throws Exception {
+    public void setRenewedCertHash(String certId, String hash) throws SecurityException {
         SignerProxy.setRenewedCertHash(certId, hash);
     }
 
     /**
      * {@link SignerProxy#setRenewalError(String, String)}
      */
-    public void setRenewalError(String certId, String errorMessage) throws Exception {
+    public void setRenewalError(String certId, String errorMessage) throws SecurityException {
         SignerProxy.setRenewalError(certId, errorMessage);
     }
 
     /**
      * {@link SignerProxy#setNextPlannedRenewal(String, Instant)}
      */
-    public void setNextPlannedRenewal(String certId, Instant nextRenewalTime) throws Exception {
+    public void setNextPlannedRenewal(String certId, Instant nextRenewalTime) throws SecurityException {
         SignerProxy.setNextPlannedRenewal(certId, nextRenewalTime);
     }
 
     /**
      * {@link SignerProxy#getCertForHash(String)}
      */
-    public CertificateInfo getCertForHash(String hash) throws Exception {
+    public CertificateInfo getCertForHash(String hash) throws SecurityException {
         return SignerProxy.getCertForHash(hash);
     }
 
     /**
      * {@link SignerProxy#getKeyIdForCertHash(String)}
      */
-    public KeyIdInfo getKeyIdForCertHash(String hash) throws Exception {
+    public KeyIdInfo getKeyIdForCertHash(String hash) throws SecurityException {
         return SignerProxy.getKeyIdForCertHash(hash);
     }
 
     /**
      * {@link SignerProxy#getTokenAndKeyIdForCertHash(String)}
      */
-    public TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws Exception {
+    public TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws SecurityException {
         return SignerProxy.getTokenAndKeyIdForCertHash(hash);
     }
 
     /**
      * {@link SignerProxy#getTokenAndKeyIdForCertRequestId(String)}
      */
-    public TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequestId) throws Exception {
+    public TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequestId) throws SecurityException {
         return SignerProxy.getTokenAndKeyIdForCertRequestId(certRequestId);
     }
 
     /**
      * {@link SignerProxy#getTokenForKeyId(String)}
      */
-    public TokenInfo getTokenForKeyId(String keyId) throws Exception {
+    public TokenInfo getTokenForKeyId(String keyId) throws SecurityException {
         return SignerProxy.getTokenForKeyId(keyId);
     }
 
     /**
      * {@link SignerProxy#getOcspResponses(String[])}
      */
-    public String[] getOcspResponses(String[] certHashes) throws Exception {
+    public String[] getOcspResponses(String[] certHashes) throws SecurityException {
         return SignerProxy.getOcspResponses(certHashes);
     }
 
     /**
      * {@link SignerProxy#getAuthKey(SecurityServerId)}
      */
-    public AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception {
+    public AuthKeyInfo getAuthKey(SecurityServerId serverId) throws SecurityException {
         return SignerProxy.getAuthKey(serverId);
     }
 
-    public void updateSoftwareTokenPin(String tokenId, char[] oldPin, char[] newPin) throws Exception {
+    public void updateSoftwareTokenPin(String tokenId, char[] oldPin, char[] newPin) throws SecurityException {
         SignerProxy.updateTokenPin(tokenId, oldPin, newPin);
     }
 }
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/KeysApiController.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/KeysApiController.java
index 66c21863c7..32758ed210 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/KeysApiController.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/openapi/KeysApiController.java
@@ -157,7 +157,7 @@ public ResponseEntity<Resource> generateCsr(String keyId, CsrGenerate csrGenerat
                     csrGenerate.getCaName(),
                     csrGenerate.getSubjectFieldValues(),
                     csrFormat,
-                    csrGenerate.getAcmeOrder()).getCertRequest();
+                    csrGenerate.getAcmeOrder()).certRequest();
         } catch (WrongKeyUsageException | DnFieldHelper.InvalidDnParameterException
                  | ClientNotFoundException | CertificateAuthorityNotFoundException
                  | TokenCertificateService.AuthCertificateNotSupportedException e) {
@@ -248,11 +248,11 @@ public ResponseEntity<Resource> downloadCsr(String keyId, String csrId, CsrForma
             throw new ConflictException(e);
         }
 
-        String filename = csrFilenameCreator.createCsrFilename(csrInfo.getKeyUsage(),
-                certificateRequestFormat, csrInfo.getMemberId(),
+        String filename = csrFilenameCreator.createCsrFilename(csrInfo.keyUsage(),
+                certificateRequestFormat, csrInfo.memberId(),
                 serverConfService.getSecurityServerId());
 
-        return ControllerUtil.createAttachmentResourceResponse(csrInfo.getCertRequest(), filename);
+        return ControllerUtil.createAttachmentResourceResponse(csrInfo.certRequest(), filename);
     }
 
 }
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorker.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorker.java
index 5ec8a529f5..8101ea316d 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorker.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/AcmeClientWorker.java
@@ -306,7 +306,7 @@ private X509Certificate renewCertificate(ClientId memberId, ApprovedCAInfo appro
                                       approvedCA,
                                       keyUsage,
                                       oldX509Certificate,
-                                      generatedCertRequestInfo.getCertRequest()
+                                      generatedCertRequestInfo.certRequest()
                     );
             if (newCert == null || newCert.isEmpty()) {
                 return null;
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/GlobalConfChecker.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/GlobalConfChecker.java
index 3462ddb31c..c5ef3ae5f4 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/GlobalConfChecker.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/scheduling/GlobalConfChecker.java
@@ -35,6 +35,7 @@
 import ee.ria.xroad.common.identifier.SecurityServerId;
 import ee.ria.xroad.common.util.CertUtils;
 import ee.ria.xroad.common.util.CryptoUtils;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo;
@@ -276,8 +277,7 @@ private void updateClientStatus(ClientType client, String status) {
         log.debug("Setting client '{}' status to '{}'", client.getIdentifier(), client.getClientStatus());
     }
 
-    private void updateAuthCertStatuses(SecurityServerId securityServerId)
-            throws Exception {
+    private void updateAuthCertStatuses(SecurityServerId securityServerId) {
         log.debug("Updating auth cert statuses");
 
         signerProxyFacade.getTokens().stream().flatMap(t -> t.getKeyInfo().stream())
@@ -285,6 +285,8 @@ private void updateAuthCertStatuses(SecurityServerId securityServerId)
                 .flatMap(k -> k.getCerts().stream()).forEach(certInfo -> {
                     try {
                         updateCertStatus(securityServerId, certInfo);
+                    } catch (SignerException se) {
+                        throw se;
                     } catch (Exception e) {
                         throw translateException(e);
                     }
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/CertificateNotFoundException.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/CertificateNotFoundException.java
index 351b3b3955..5a02e0d4b9 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/CertificateNotFoundException.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/CertificateNotFoundException.java
@@ -25,38 +25,33 @@
  */
 package org.niis.xroad.securityserver.restapi.service;
 
-import org.niis.xroad.restapi.exceptions.ErrorDeviation;
-import org.niis.xroad.restapi.service.NotFoundException;
-
-import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_CERTIFICATE_NOT_FOUND;
+import org.niis.xroad.common.exception.NotFoundException;
+import org.niis.xroad.restapi.exceptions.DeviationProvider;
+import org.niis.xroad.securityserver.restapi.exceptions.ErrorMessage;
 
 public class CertificateNotFoundException extends NotFoundException {
 
-    /**
-     * default error
-     * @return
-     */
-    private static ErrorDeviation createDefaultError() {
-        return new ErrorDeviation(ERROR_CERTIFICATE_NOT_FOUND);
+    public CertificateNotFoundException(DeviationProvider deviationProvider) {
+        super(deviationProvider);
     }
 
-    public CertificateNotFoundException(ErrorDeviation errorDeviation) {
-        super(errorDeviation);
+    public CertificateNotFoundException(DeviationProvider deviationProvider, Throwable t, Object...metadata) {
+        super(deviationProvider, t, metadata);
     }
 
-    public CertificateNotFoundException(Throwable t, ErrorDeviation errorDeviation) {
-        super(t, errorDeviation);
+    public CertificateNotFoundException(String s) {
+        super(ErrorMessage.CERTIFICATE_NOT_FOUND, s);
     }
 
-    public CertificateNotFoundException(String s) {
-        super(s, createDefaultError());
+    public CertificateNotFoundException(String s, Throwable cause) {
+        super(ErrorMessage.CERTIFICATE_NOT_FOUND, cause, s);
     }
 
     public CertificateNotFoundException() {
-        super(createDefaultError());
+        super(ErrorMessage.CERTIFICATE_NOT_FOUND);
     }
 
     public CertificateNotFoundException(Throwable t) {
-        super(t, createDefaultError());
+        super(ErrorMessage.CERTIFICATE_NOT_FOUND, t);
     }
 }
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestService.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestService.java
index fe1ffb5ef6..7e54fb240b 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestService.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestService.java
@@ -150,11 +150,11 @@ public KeyAndCertRequestInfo addKeyAndCertRequest(String tokenId, String keyLabe
         }
 
         return new KeyAndCertRequestInfo(refreshedKeyInfo,
-                csrInfo.getCertReqId(),
-                csrInfo.getCertRequest(),
-                csrInfo.getFormat(),
-                csrInfo.getMemberId(),
-                csrInfo.getKeyUsage());
+                csrInfo.certReqId(),
+                csrInfo.certRequest(),
+                csrInfo.format(),
+                csrInfo.memberId(),
+                csrInfo.keyUsage());
     }
 
     /**
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyService.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyService.java
index 81089d21be..d9844ff073 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyService.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/KeyService.java
@@ -27,6 +27,7 @@
 
 import ee.ria.xroad.common.CodedException;
 import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo;
@@ -34,12 +35,12 @@
 
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.niis.xroad.common.exception.ServiceException;
 import org.niis.xroad.restapi.config.audit.AuditDataHelper;
 import org.niis.xroad.restapi.config.audit.AuditEventHelper;
 import org.niis.xroad.restapi.config.audit.RestApiAuditEvent;
 import org.niis.xroad.restapi.config.audit.RestApiAuditProperty;
 import org.niis.xroad.restapi.exceptions.WarningDeviation;
-import org.niis.xroad.restapi.service.SignerNotReachableException;
 import org.niis.xroad.restapi.service.UnhandledWarningsException;
 import org.niis.xroad.restapi.util.SecurityHelper;
 import org.niis.xroad.securityserver.restapi.facade.SignerProxyFacade;
@@ -52,10 +53,8 @@
 import java.util.List;
 import java.util.NoSuchElementException;
 import java.util.Optional;
-import java.util.stream.Collectors;
 
-import static ee.ria.xroad.common.ErrorCodes.SIGNER_X;
-import static ee.ria.xroad.common.ErrorCodes.X_KEY_NOT_FOUND;
+import static org.niis.xroad.common.exception.util.CommonDeviationMessage.INTERNAL_ERROR;
 import static org.niis.xroad.restapi.exceptions.DeviationCodes.WARNING_AUTH_KEY_REGISTERED_CERT_DETECTED;
 
 /**
@@ -114,7 +113,7 @@ public KeyInfo getKey(TokenInfo tokenInfo, String keyId) throws NoSuchElementExc
      * @throws ActionNotPossibleException if friendly name could not be updated for this key
      */
     public KeyInfo updateKeyFriendlyName(String id, String friendlyName) throws KeyNotFoundException,
-            ActionNotPossibleException {
+                                                                                ActionNotPossibleException {
 
         // check that updating friendly name is possible
         TokenInfo tokenInfo = tokenService.getTokenForKeyId(id);
@@ -128,16 +127,16 @@ public KeyInfo updateKeyFriendlyName(String id, String friendlyName) throws KeyN
         try {
             signerProxyFacade.setKeyFriendlyName(id, friendlyName);
             keyInfo = getKey(id);
-        } catch (KeyNotFoundException e) {
-            throw e;
-        } catch (CodedException e) {
-            if (isCausedByKeyNotFound(e)) {
+        } catch (SignerException e) {
+            if (e.isCausedByKeyNotFound()) {
                 throw new KeyNotFoundException(e);
             } else {
                 throw e;
             }
+        } catch (CodedException | KeyNotFoundException e) {
+            throw e;
         } catch (Exception e) {
-            throw new SignerNotReachableException("Update key friendly name failed", e);
+            throw new ServiceException(INTERNAL_ERROR, e, "Update key friendly name failed");
         }
 
         return keyInfo;
@@ -153,7 +152,7 @@ public KeyInfo updateKeyFriendlyName(String id, String friendlyName) throws KeyN
      * @throws ActionNotPossibleException if generate key was not possible for this token
      */
     public KeyInfo addKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws TokenNotFoundException,
-            ActionNotPossibleException {
+                                                                                          ActionNotPossibleException {
 
         // check that adding a key is possible
         TokenInfo tokenInfo = tokenService.getToken(tokenId);
@@ -167,7 +166,7 @@ public KeyInfo addKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) t
         } catch (CodedException e) {
             throw e;
         } catch (Exception other) {
-            throw new SignerNotReachableException("adding a new key failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other, "adding a new key failed");
         }
         auditDataHelper.put(RestApiAuditProperty.KEY_ID, keyInfo.getId());
         auditDataHelper.put(RestApiAuditProperty.KEY_LABEL, keyInfo.getLabel());
@@ -175,16 +174,6 @@ public KeyInfo addKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) t
         return keyInfo;
     }
 
-    static boolean isCausedByKeyNotFound(CodedException e) {
-        return KEY_NOT_FOUND_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    private static String signerFaultCode(String detail) {
-        return SIGNER_X + "." + detail;
-    }
-
-    static final String KEY_NOT_FOUND_FAULT_CODE = signerFaultCode(X_KEY_NOT_FOUND);
-
     /**
      * Deletes one key, and related CSRs and certificates. If the key is an authentication key with a registered
      * certificate, warnings are ignored and certificate is first unregistered, and the key and certificate are
@@ -195,7 +184,7 @@ private static String signerFaultCode(String detail) {
      * @throws GlobalConfOutdatedException if global conf was outdated
      */
     public void deleteKeyAndIgnoreWarnings(String keyId) throws KeyNotFoundException, ActionNotPossibleException,
-            GlobalConfOutdatedException {
+                                                                GlobalConfOutdatedException {
         try {
             deleteKey(keyId, true);
         } catch (UnhandledWarningsException e) {
@@ -218,7 +207,7 @@ public void deleteKeyAndIgnoreWarnings(String keyId) throws KeyNotFoundException
      * and ignoreWarnings was false
      */
     public void deleteKey(String keyId, Boolean ignoreWarnings) throws KeyNotFoundException, ActionNotPossibleException,
-            GlobalConfOutdatedException, UnhandledWarningsException {
+                                                                       GlobalConfOutdatedException, UnhandledWarningsException {
 
         TokenInfo tokenInfo = tokenService.getTokenForKeyId(keyId);
         auditDataHelper.put(tokenInfo);
@@ -241,8 +230,9 @@ public void deleteKey(String keyId, Boolean ignoreWarnings) throws KeyNotFoundEx
         // unregister possible auth certs
         if (keyInfo.getUsage() == KeyUsageInfo.AUTHENTICATION) {
             // get list of auth certs to be unregistered
-            List<CertificateInfo> unregister = keyInfo.getCerts().stream().filter(this::shouldUnregister)
-                    .collect(Collectors.toList());
+            List<CertificateInfo> unregister = keyInfo.getCerts().stream()
+                    .filter(this::shouldUnregister)
+                    .toList();
 
             if (!unregister.isEmpty() && !ignoreWarnings) {
                 throw new UnhandledWarningsException(
@@ -265,7 +255,7 @@ public void deleteKey(String keyId, Boolean ignoreWarnings) throws KeyNotFoundEx
         } catch (CodedException e) {
             throw e;
         } catch (Exception other) {
-            throw new SignerNotReachableException("delete key failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other, "delete key failed");
         }
     }
 
@@ -300,7 +290,7 @@ private void unregisterAuthCert(CertificateInfo certificateInfo)
         } catch (GlobalConfOutdatedException | CodedException e) {
             throw e;
         } catch (Exception e) {
-            throw new SignerNotReachableException("Could not unregister auth cert", e);
+            throw new ServiceException(INTERNAL_ERROR, e, "Could not unregister auth cert");
         }
     }
 
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateService.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateService.java
index 391c0750fa..d3e2fbe76f 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateService.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateService.java
@@ -36,6 +36,7 @@
 import ee.ria.xroad.common.util.CertUtils;
 import ee.ria.xroad.common.util.CryptoUtils;
 import ee.ria.xroad.signer.SignerProxy.GeneratedCertRequestInfo;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.CertRequestInfo;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
@@ -46,16 +47,15 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.niis.xroad.common.acme.AcmeService;
+import org.niis.xroad.common.exception.ServiceException;
 import org.niis.xroad.restapi.config.audit.AuditDataHelper;
 import org.niis.xroad.restapi.config.audit.AuditEventHelper;
 import org.niis.xroad.restapi.config.audit.RestApiAuditEvent;
 import org.niis.xroad.restapi.config.audit.RestApiAuditProperty;
 import org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException;
-import org.niis.xroad.restapi.exceptions.ErrorDeviation;
 import org.niis.xroad.restapi.openapi.InternalServerErrorException;
-import org.niis.xroad.restapi.service.ServiceException;
-import org.niis.xroad.restapi.service.SignerNotReachableException;
 import org.niis.xroad.restapi.util.SecurityHelper;
+import org.niis.xroad.securityserver.restapi.exceptions.ErrorMessage;
 import org.niis.xroad.securityserver.restapi.facade.SignerProxyFacade;
 import org.niis.xroad.securityserver.restapi.repository.ClientRepository;
 import org.niis.xroad.signer.proto.CertificateRequestFormat;
@@ -73,18 +73,9 @@
 import java.util.Optional;
 import java.util.stream.Collectors;
 
-import static ee.ria.xroad.common.ErrorCodes.SIGNER_X;
-import static ee.ria.xroad.common.ErrorCodes.X_CERT_EXISTS;
-import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND;
-import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND;
-import static ee.ria.xroad.common.ErrorCodes.X_INCORRECT_CERTIFICATE;
-import static ee.ria.xroad.common.ErrorCodes.X_WRONG_CERT_USAGE;
 import static ee.ria.xroad.common.util.CertUtils.getCommonName;
-import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_AUTH_CERT_NOT_SUPPORTED;
-import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_CERTIFICATE_NOT_FOUND_WITH_ID;
-import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_CERTIFICATE_WRONG_USAGE;
-import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_SIGN_CERT_NOT_SUPPORTED;
-import static org.niis.xroad.securityserver.restapi.service.KeyService.isCausedByKeyNotFound;
+import static org.niis.xroad.common.exception.util.CommonDeviationMessage.INTERNAL_ERROR;
+import static org.niis.xroad.securityserver.restapi.exceptions.ErrorMessage.CERTIFICATE_NOT_FOUND_WITH_ID;
 
 /**
  * token certificate service
@@ -212,7 +203,7 @@ public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId.Conf
         } catch (CodedException e) {
             throw e;
         } catch (Exception e) {
-            throw new SignerNotReachableException("Generate cert request failed", e);
+            throw new ServiceException(INTERNAL_ERROR, e, "Generate cert request failed");
         }
         if (isAcmeOrder && caInfo.getAcmeServerDirectoryUrl() != null) {
             acmeOrderAndImportCert(memberId, keyUsage, subjectFieldValues, subjectAltName, caInfo, generatedCertRequestInfo);
@@ -232,7 +223,7 @@ private void acmeOrderAndImportCert(ClientId.Conf memberId,
                 ? memberId.asEncodedId()
                 : serverConfProvider.getIdentifier().getOwner().asEncodedId();
         List<X509Certificate> chain = acmeService.orderCertificateFromACMEServer(
-                subjectFieldValues.get("CN"), subjectAltName, keyUsage, caInfo, memberEncodedId, generatedCertRequestInfo.getCertRequest());
+                subjectFieldValues.get("CN"), subjectAltName, keyUsage, caInfo, memberEncodedId, generatedCertRequestInfo.certRequest());
         if (chain != null) {
             log.info("Acme order was successful, importing certificate");
             try {
@@ -296,14 +287,10 @@ public GeneratedCertRequestInfo regenerateCertRequest(String keyId, String csrId
         } catch (CodedException e) {
             throw e;
         } catch (Exception e) {
-            throw new SignerNotReachableException("Regenerate cert request failed", e);
+            throw new ServiceException(INTERNAL_ERROR, e, "Regenerate cert request failed");
         }
     }
 
-    private static String signerFaultCode(String detail) {
-        return SIGNER_X + "." + detail;
-    }
-
     /**
      * Find an existing cert from a token by it's hash
      *
@@ -316,13 +303,12 @@ public CertificateInfo getCertificateInfo(String hash) throws CertificateNotFoun
         try {
             certificateInfo = signerProxyFacade.getCertForHash(hash);
         } catch (CodedException e) {
-            if (isCausedByCertNotFound(e)) {
-                throw new CertificateNotFoundException("Certificate with hash " + hash + " " + NOT_FOUND);
-            } else {
-                throw e;
+            if (e instanceof SignerException se && se.isCausedByCertNotFound()) {
+                throw new CertificateNotFoundException("Certificate with hash " + hash + " " + NOT_FOUND, e);
             }
+            throw e;
         } catch (Exception e) {
-            throw new SignerNotReachableException("error getting certificate", e);
+            throw new ServiceException(INTERNAL_ERROR, e, "error getting certificate");
         }
         return certificateInfo;
     }
@@ -421,10 +407,10 @@ private CertificateInfo importCertificate(byte[] certificateBytes, boolean isFro
             signerProxyFacade.importCert(certBytes, certificateState, clientId, !isAuthCert);
             certificateInfo = getCertificateInfo(hash);
             setNextPlannedAcmeAutomaticRenewalDate(clientId, x509Certificate, keyUsageInfo, certificateInfo);
-        } catch (ClientNotFoundException | AccessDeniedException | AuthCertificateNotSupportedException e) {
-            throw e;
-        } catch (CodedException e) {
+        } catch (SignerException e) {
             translateCodedExceptions(e);
+        } catch (ClientNotFoundException | AccessDeniedException | AuthCertificateNotSupportedException | CodedException e) {
+            throw e;
         } catch (Exception e) {
             // something went really wrong
             throw new RuntimeException("error importing certificate", e);
@@ -524,16 +510,15 @@ private void changeCertificateActivation(String hash, boolean activate) throws C
                 signerProxyFacade.deactivateCert(certificateInfo.getId());
             }
         } catch (CodedException e) {
-            if (isCausedByCertNotFound(e)) {
+            if (e instanceof SignerException se && se.isCausedByCertNotFound()) {
                 throw new CertificateNotFoundException("Certificate with id " + certificateInfo.getId() + " "
-                        + NOT_FOUND);
+                        + NOT_FOUND, e);
             } else {
                 throw e;
             }
         } catch (Exception e) {
-            throw new SignerNotReachableException("certificate "
-                    + (activate ? "activation" : "deactivation")
-                    + " failed", e);
+            var action = activate ? "activation" : "deactivation";
+            throw new ServiceException(INTERNAL_ERROR, e, "certificate %s failed".formatted(action));
         }
     }
 
@@ -714,7 +699,7 @@ public void registerAuthCert(String hash, String securityServerAddress)
         } catch (GlobalConfOutdatedException | CodedException e) {
             throw e;
         } catch (Exception e) {
-            throw new SignerNotReachableException("Could not register auth cert", e);
+            throw new ServiceException(INTERNAL_ERROR, e, "Could not register auth cert");
         }
     }
 
@@ -748,9 +733,11 @@ private void unregisterAuthCertAndMarkForDeletion(String hash, boolean skipUnreg
         try {
             auditDataHelper.put(RestApiAuditProperty.CERT_STATUS, CertificateInfo.STATUS_DELINPROG);
             signerProxyFacade.setCertStatus(certificateInfo.getId(), CertificateInfo.STATUS_DELINPROG);
+        } catch (CodedException e) {
+            throw e;
         } catch (Exception e) {
             // this means that cert was not found (which has been handled already) or some Akka error
-            throw new SignerNotReachableException("Could not change auth cert status", e);
+            throw new ServiceException(INTERNAL_ERROR, e, "Could not change auth cert status");
         }
     }
 
@@ -825,51 +812,25 @@ private void verifyAuthCert(CertificateInfo certificateInfo)
      * @throws CsrNotFoundException
      * @throws KeyNotFoundException
      */
-    private void translateCodedExceptions(CodedException e)
+    private void translateCodedExceptions(SignerException e)
             throws CertificateAlreadyExistsException, InvalidCertificateException,
                    WrongCertificateUsageException, CsrNotFoundException,
                    KeyNotFoundException {
-        if (isCausedByDuplicateCertificate(e)) {
+        if (e.isCausedByDuplicateCertificate()) {
             throw new CertificateAlreadyExistsException(e);
-        } else if (isCausedByIncorrectCertificate(e)) {
+        } else if (e.isCausedByIncorrectCertificate()) {
             throw new InvalidCertificateException(e);
-        } else if (isCausedByCertificateWrongUsage(e)) {
+        } else if (e.isCausedByCertificateWrongUsage()) {
             throw new WrongCertificateUsageException(e);
-        } else if (isCausedByCsrNotFound(e)) {
+        } else if (e.isCausedByCsrNotFound()) {
             throw new CsrNotFoundException(e);
-        } else if (isCausedByKeyNotFound(e)) {
+        } else if (e.isCausedByKeyNotFound()) {
             throw new KeyNotFoundException(e);
         } else {
             throw e;
         }
     }
 
-    static boolean isCausedByDuplicateCertificate(CodedException e) {
-        return DUPLICATE_CERT_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    static boolean isCausedByIncorrectCertificate(CodedException e) {
-        return INCORRECT_CERT_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    static boolean isCausedByCertificateWrongUsage(CodedException e) {
-        return CERT_WRONG_USAGE_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    static boolean isCausedByCsrNotFound(CodedException e) {
-        return CSR_NOT_FOUND_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    static boolean isCausedByCertNotFound(CodedException e) {
-        return CERT_NOT_FOUND_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    static final String DUPLICATE_CERT_FAULT_CODE = signerFaultCode(X_CERT_EXISTS);
-    static final String INCORRECT_CERT_FAULT_CODE = signerFaultCode(X_INCORRECT_CERTIFICATE);
-    static final String CERT_WRONG_USAGE_FAULT_CODE = signerFaultCode(X_WRONG_CERT_USAGE);
-    static final String CSR_NOT_FOUND_FAULT_CODE = signerFaultCode(X_CSR_NOT_FOUND);
-    static final String CERT_NOT_FOUND_FAULT_CODE = signerFaultCode(X_CERT_NOT_FOUND);
-
     /**
      * Return possible actions for one cert
      *
@@ -1018,7 +979,6 @@ private void deleteCertificate(CertificateInfo certificateInfo, KeyInfo keyInfo,
 
         // audit log delete for delete cert
 
-
         if (keyInfo.isForSigning()) {
             securityHelper.verifyAuthority("DELETE_SIGN_CERT");
         } else {
@@ -1027,15 +987,13 @@ private void deleteCertificate(CertificateInfo certificateInfo, KeyInfo keyInfo,
         try {
             signerProxyFacade.deleteCert(certificateInfo.getId());
         } catch (CodedException e) {
-            if (isCausedByCertNotFound(e)) {
-                throw new CertificateNotFoundException(e, new ErrorDeviation(
-                        ERROR_CERTIFICATE_NOT_FOUND_WITH_ID,
-                        certificateInfo.getId()));
+            if (e instanceof SignerException se && se.isCausedByCertNotFound()) {
+                throw new CertificateNotFoundException(CERTIFICATE_NOT_FOUND_WITH_ID, e, certificateInfo.getId());
             } else {
                 throw e;
             }
         } catch (Exception other) {
-            throw new SignerNotReachableException("deleting a csr failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other, "deleting a csr failed");
         }
     }
 
@@ -1048,13 +1006,13 @@ public String getKeyIdForCertificateHash(String hash) throws CertificateNotFound
         try {
             return signerProxyFacade.getKeyIdForCertHash(hash).keyId();
         } catch (CodedException e) {
-            if (isCausedByCertNotFound(e)) {
-                throw new CertificateNotFoundException("Certificate with hash " + hash + " not found");
+            if (e instanceof SignerException se && se.isCausedByCertNotFound()) {
+                throw new CertificateNotFoundException("Certificate with hash " + hash + " not found", e);
             } else {
                 throw e;
             }
         } catch (Exception e) {
-            throw new SignerNotReachableException("error getting certificate", e);
+            throw new ServiceException(INTERNAL_ERROR, e, "error getting certificate");
         }
     }
 
@@ -1099,13 +1057,13 @@ public void deleteCsr(String csrId) throws KeyNotFoundException, CsrNotFoundExce
         try {
             signerProxyFacade.deleteCertRequest(csrId);
         } catch (CodedException e) {
-            if (isCausedByCsrNotFound(e)) {
+            if (e instanceof SignerException se && se.isCausedByCsrNotFound()) {
                 throw new CsrNotFoundException(e);
             } else {
                 throw e;
             }
         } catch (Exception other) {
-            throw new SignerNotReachableException("deleting a csr failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other, "deleting a csr failed");
         }
     }
 
@@ -1147,7 +1105,7 @@ public void orderAcmeCertificate(String caName, String csrId, KeyUsageInfo keyUs
                     keyUsage,
                     caInfo,
                     memberId,
-                    generatedCertRequestInfo.getCertRequest());
+                    generatedCertRequestInfo.certRequest());
             if (chain != null) {
                 try {
                     importCertificate(chain.get(0).getEncoded(), false);
@@ -1178,7 +1136,7 @@ private CertRequestInfo getCsr(KeyInfo keyInfo, String csrId) throws CsrNotFound
      */
     public static class WrongCertificateUsageException extends ServiceException {
         public WrongCertificateUsageException(Throwable t) {
-            super(t, new ErrorDeviation(ERROR_CERTIFICATE_WRONG_USAGE));
+            super(ErrorMessage.CERTIFICATE_WRONG_USAGE, t);
         }
     }
 
@@ -1187,7 +1145,7 @@ public WrongCertificateUsageException(Throwable t) {
      */
     public static class AuthCertificateNotSupportedException extends ServiceException {
         public AuthCertificateNotSupportedException(String msg) {
-            super(msg, new ErrorDeviation(ERROR_AUTH_CERT_NOT_SUPPORTED));
+            super(ErrorMessage.AUTH_CERT_NOT_SUPPORTED, msg);
         }
     }
 
@@ -1196,7 +1154,7 @@ public AuthCertificateNotSupportedException(String msg) {
      */
     public static class SignCertificateNotSupportedException extends ServiceException {
         public SignCertificateNotSupportedException(String msg) {
-            super(msg, new ErrorDeviation(ERROR_SIGN_CERT_NOT_SUPPORTED));
+            super(ErrorMessage.SIGN_CERT_NOT_SUPPORTED, msg);
         }
     }
 }
diff --git a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenService.java b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenService.java
index 2e32716b6c..60bb9e75af 100644
--- a/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenService.java
+++ b/src/security-server/admin-service/application/src/main/java/org/niis/xroad/securityserver/restapi/service/TokenService.java
@@ -27,6 +27,7 @@
 
 import ee.ria.xroad.common.CodedException;
 import ee.ria.xroad.common.conf.serverconf.model.ClientType;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
@@ -35,11 +36,9 @@
 
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.niis.xroad.common.exception.ServiceException;
 import org.niis.xroad.restapi.config.audit.AuditDataHelper;
 import org.niis.xroad.restapi.config.audit.RestApiAuditProperty;
-import org.niis.xroad.restapi.exceptions.ErrorDeviation;
-import org.niis.xroad.restapi.service.ServiceException;
-import org.niis.xroad.restapi.service.SignerNotReachableException;
 import org.niis.xroad.securityserver.restapi.dto.TokenInitStatusInfo;
 import org.niis.xroad.securityserver.restapi.facade.SignerProxyFacade;
 import org.springframework.security.access.prepost.PreAuthorize;
@@ -50,16 +49,11 @@
 import java.util.Optional;
 import java.util.function.Predicate;
 
-import static ee.ria.xroad.common.ErrorCodes.SIGNER_X;
-import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND;
-import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND;
-import static ee.ria.xroad.common.ErrorCodes.X_KEY_NOT_FOUND;
-import static ee.ria.xroad.common.ErrorCodes.X_LOGIN_FAILED;
-import static ee.ria.xroad.common.ErrorCodes.X_PIN_INCORRECT;
-import static ee.ria.xroad.common.ErrorCodes.X_TOKEN_NOT_FOUND;
 import static java.util.stream.Collectors.toList;
-import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_PIN_INCORRECT;
-import static org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_TOKEN_NOT_ACTIVE;
+import static org.niis.xroad.common.exception.util.CommonDeviationMessage.INTERNAL_ERROR;
+import static org.niis.xroad.common.exception.util.CommonDeviationMessage.TOKEN_FETCH_FAILED;
+import static org.niis.xroad.common.exception.util.CommonDeviationMessage.TOKEN_NOT_ACTIVE;
+import static org.niis.xroad.common.exception.util.CommonDeviationMessage.TOKEN_PIN_INCORRECT;
 
 /**
  * Service that handles tokens
@@ -85,7 +79,7 @@ public List<TokenInfo> getAllTokens() {
         try {
             return signerProxyFacade.getTokens();
         } catch (Exception e) {
-            throw new SignerNotReachableException("could not list all tokens", e);
+            throw new ServiceException(TOKEN_FETCH_FAILED, e);
         }
     }
 
@@ -142,7 +136,7 @@ private List<CertificateInfo> getCertificates(ClientType clientType, boolean onl
      * @throws ActionNotPossibleException if token activation was not possible
      */
     public void activateToken(String id, char[] password) throws
-            TokenNotFoundException, PinIncorrectException, ActionNotPossibleException {
+                                                          TokenNotFoundException, PinIncorrectException, ActionNotPossibleException {
 
         // check that action is possible
         TokenInfo tokenInfo = getToken(id);
@@ -153,16 +147,18 @@ public void activateToken(String id, char[] password) throws
                 tokenInfo);
         try {
             signerProxyFacade.activateToken(id, password);
-        } catch (CodedException e) {
-            if (isCausedByTokenNotFound(e)) {
+        } catch (SignerException e) {
+            if (e.isCausedByTokenNotFound()) {
                 throw new TokenNotFoundException(e);
-            } else if (isCausedByIncorrectPin(e)) {
+            } else if (e.isCausedByIncorrectPin()) {
                 throw new PinIncorrectException(e);
             } else {
                 throw e;
             }
+        } catch (CodedException ce) {
+            throw ce;
         } catch (Exception other) {
-            throw new SignerNotReachableException("token activation failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other);
         }
     }
 
@@ -185,14 +181,16 @@ public void deactivateToken(String id) throws TokenNotFoundException, ActionNotP
 
         try {
             signerProxyFacade.deactivateToken(id);
-        } catch (CodedException e) {
-            if (isCausedByTokenNotFound(e)) {
+        } catch (SignerException e) {
+            if (e.isCausedByTokenNotFound()) {
                 throw new TokenNotFoundException(e);
             } else {
                 throw e;
             }
+        } catch (CodedException ce) {
+            throw ce;
         } catch (Exception other) {
-            throw new SignerNotReachableException("token deactivation failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other);
         }
     }
 
@@ -205,14 +203,16 @@ public void deactivateToken(String id) throws TokenNotFoundException, ActionNotP
     public TokenInfo getToken(String id) throws TokenNotFoundException {
         try {
             return signerProxyFacade.getToken(id);
-        } catch (CodedException e) {
-            if (isCausedByTokenNotFound(e)) {
+        } catch (SignerException e) {
+            if (e.isCausedByTokenNotFound()) {
                 throw new TokenNotFoundException(e);
             } else {
                 throw e;
             }
+        } catch (CodedException ce) {
+            throw ce;
         } catch (Exception other) {
-            throw new SignerNotReachableException("get token failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other);
         }
     }
 
@@ -224,7 +224,7 @@ public TokenInfo getToken(String id) throws TokenNotFoundException {
      * @throws TokenNotFoundException if token was not found
      */
     public TokenInfo updateTokenFriendlyName(String tokenId, String friendlyName) throws TokenNotFoundException,
-            ActionNotPossibleException {
+                                                                                         ActionNotPossibleException {
 
         // check that updating friendly name is possible
         TokenInfo tokenInfo = getToken(tokenId);
@@ -236,68 +236,36 @@ public TokenInfo updateTokenFriendlyName(String tokenId, String friendlyName) th
         try {
             signerProxyFacade.setTokenFriendlyName(tokenId, friendlyName);
             tokenInfo = signerProxyFacade.getToken(tokenId);
-        } catch (CodedException e) {
-            if (isCausedByTokenNotFound(e)) {
+        } catch (SignerException e) {
+            if (e.isCausedByTokenNotFound()) {
                 throw new TokenNotFoundException(e);
             } else {
                 throw e;
             }
+        } catch (CodedException ce) {
+            throw ce;
         } catch (Exception other) {
-            throw new SignerNotReachableException("update token friendly name failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other);
         }
         return tokenInfo;
     }
 
-    private boolean isCausedByIncorrectPin(CodedException e) {
-        if (PIN_INCORRECT_FAULT_CODE.equals(e.getFaultCode())) {
-            return true;
-        } else if (LOGIN_FAILED_FAULT_CODE.equals(e.getFaultCode())) {
-            // only way to detect HSM pin incorrect is by matching to codedException
-            // fault string.
-            return CKR_PIN_INCORRECT_MESSAGE.equals(e.getFaultString());
-        }
-        return false;
-    }
-
-    static boolean isCausedByTokenNotFound(CodedException e) {
-        return TOKEN_NOT_FOUND_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    static boolean isCausedByKeyNotFound(CodedException e) {
-        return KEY_NOT_FOUND_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    static boolean isCausedByCertNotFound(CodedException e) {
-        return CERT_NOT_FOUND_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    static boolean isCausedByCsrNotFound(CodedException e) {
-        return CSR_NOT_FOUND_FAULT_CODE.equals(e.getFaultCode());
-    }
-
-    // detect a couple of CodedException error codes from core
-    static final String PIN_INCORRECT_FAULT_CODE = SIGNER_X + "." + X_PIN_INCORRECT;
-    static final String TOKEN_NOT_FOUND_FAULT_CODE = SIGNER_X + "." + X_TOKEN_NOT_FOUND;
-    static final String KEY_NOT_FOUND_FAULT_CODE = SIGNER_X + "." + X_KEY_NOT_FOUND;
-    static final String CERT_NOT_FOUND_FAULT_CODE = SIGNER_X + "." + X_CERT_NOT_FOUND;
-    static final String CSR_NOT_FOUND_FAULT_CODE = SIGNER_X + "." + X_CSR_NOT_FOUND;
-    static final String LOGIN_FAILED_FAULT_CODE = SIGNER_X + "." + X_LOGIN_FAILED;
-    static final String CKR_PIN_INCORRECT_MESSAGE = "Login failed: CKR_PIN_INCORRECT";
-
     /**
      * Get TokenInfo for key id
      */
     public TokenInfo getTokenForKeyId(String keyId) throws KeyNotFoundException {
         try {
             return signerProxyFacade.getTokenForKeyId(keyId);
-        } catch (CodedException e) {
-            if (isCausedByKeyNotFound(e)) {
+        } catch (SignerException e) {
+            if (e.isCausedByKeyNotFound()) {
                 throw new KeyNotFoundException(e);
             } else {
                 throw e;
             }
+        } catch (CodedException ce) {
+            throw ce;
         } catch (Exception other) {
-            throw new SignerNotReachableException("getTokenForKeyId failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other);
         }
     }
 
@@ -305,19 +273,21 @@ public TokenInfo getTokenForKeyId(String keyId) throws KeyNotFoundException {
      * Get TokenInfoAndKeyId for certificate hash
      */
     public TokenInfoAndKeyId getTokenAndKeyIdForCertificateHash(String hash) throws KeyNotFoundException,
-            CertificateNotFoundException {
+                                                                                    CertificateNotFoundException {
         try {
             return signerProxyFacade.getTokenAndKeyIdForCertHash(hash);
-        } catch (CodedException e) {
-            if (isCausedByKeyNotFound(e)) {
+        } catch (SignerException e) {
+            if (e.isCausedByKeyNotFound()) {
                 throw new KeyNotFoundException(e);
-            } else if (isCausedByCertNotFound(e)) {
+            } else if (e.isCausedByCertNotFound()) {
                 throw new CertificateNotFoundException(e);
             } else {
                 throw e;
             }
+        } catch (CodedException ce) {
+            throw ce;
         } catch (Exception other) {
-            throw new SignerNotReachableException("getTokenAndKeyIdForCertHash failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other);
         }
     }
 
@@ -353,7 +323,7 @@ public TokenInitStatusInfo getSoftwareTokenInitStatus() {
             } else {
                 return TokenInitStatusInfo.NOT_INITIALIZED;
             }
-        } catch (SignerNotReachableException e) {
+        } catch (SignerException | ServiceException e) {
             log.error("Could not get software token status from signer", e);
             return TokenInitStatusInfo.UNKNOWN;
         }
@@ -363,19 +333,21 @@ public TokenInitStatusInfo getSoftwareTokenInitStatus() {
      * Get TokenInfoAndKeyId for csr id
      */
     public TokenInfoAndKeyId getTokenAndKeyIdForCertificateRequestId(String csrId) throws KeyNotFoundException,
-            CsrNotFoundException {
+                                                                                          CsrNotFoundException {
         try {
             return signerProxyFacade.getTokenAndKeyIdForCertRequestId(csrId);
-        } catch (CodedException e) {
-            if (isCausedByKeyNotFound(e)) {
+        } catch (SignerException e) {
+            if (e.isCausedByKeyNotFound()) {
                 throw new KeyNotFoundException(e);
-            } else if (isCausedByCsrNotFound(e)) {
+            } else if (e.isCausedByCsrNotFound()) {
                 throw new CsrNotFoundException(e);
             } else {
                 throw e;
             }
+        } catch (CodedException ce) {
+            throw ce;
         } catch (Exception other) {
-            throw new SignerNotReachableException("getTokenAndKeyIdForCertHash failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other);
         }
     }
 
@@ -399,9 +371,10 @@ public boolean hasHardwareTokens() {
      * @throws TokenNotFoundException token not found
      * @throws PinIncorrectException incorrect pin
      */
-    public void updateSoftwareTokenPin(String tokenId, String oldPin, String newPin) throws TokenNotFoundException,
-            PinIncorrectException, ActionNotPossibleException, InvalidCharactersException,
-            WeakPinException {
+    public void updateSoftwareTokenPin(String tokenId, String oldPin, String newPin)
+            throws TokenNotFoundException, PinIncorrectException,
+                   ActionNotPossibleException, InvalidCharactersException,
+                   WeakPinException {
         TokenInfo tokenInfo = getToken(tokenId);
 
         auditDataHelper.put(tokenInfo);
@@ -412,38 +385,30 @@ public void updateSoftwareTokenPin(String tokenId, String oldPin, String newPin)
         tokenPinValidator.validateSoftwareTokenPin(newPinCharArray);
         try {
             signerProxyFacade.updateSoftwareTokenPin(tokenId, oldPin.toCharArray(), newPinCharArray);
-        } catch (CodedException ce) {
-            if (isCausedByTokenNotFound(ce)) {
-                throw new TokenNotFoundException(ce);
-            } else if (isCausedByIncorrectPin(ce)) {
-                throw new PinIncorrectException(ce);
+        } catch (SignerException se) {
+            if (se.isCausedByTokenNotFound()) {
+                throw new TokenNotFoundException(se);
+            } else if (se.isCausedByIncorrectPin()) {
+                throw new PinIncorrectException(se);
             } else {
-                throw ce;
+                throw se;
             }
+        } catch (CodedException ce) {
+            throw ce;
         } catch (Exception other) {
-            throw new SignerNotReachableException("updateSoftwareTokenPin failed", other);
+            throw new ServiceException(INTERNAL_ERROR, other);
         }
     }
 
     public static class PinIncorrectException extends ServiceException {
         public PinIncorrectException(Throwable t) {
-            super(t, createError());
+            super(TOKEN_PIN_INCORRECT, t);
         }
-
-        private static ErrorDeviation createError() {
-            return new ErrorDeviation(ERROR_PIN_INCORRECT);
-        }
-
     }
 
     public static class TokenNotActiveException extends ServiceException {
         public TokenNotActiveException(Throwable t) {
-            super(t, createError());
+            super(TOKEN_NOT_ACTIVE, t);
         }
-
-        private static ErrorDeviation createError() {
-            return new ErrorDeviation(ERROR_TOKEN_NOT_ACTIVE);
-        }
-
     }
 }
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java
index 68c3d456bf..465376dc18 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java
@@ -25,11 +25,11 @@
  */
 package org.niis.xroad.securityserver.restapi.openapi;
 
-import ee.ria.xroad.common.CodedException;
 import ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo;
 import ee.ria.xroad.common.identifier.ClientId;
 import ee.ria.xroad.common.identifier.SecurityServerId;
 import ee.ria.xroad.signer.SignerProxy;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
@@ -69,7 +69,6 @@
 import java.util.List;
 import java.util.Set;
 
-import static ee.ria.xroad.common.ErrorCodes.SIGNER_X;
 import static ee.ria.xroad.common.ErrorCodes.X_CERT_EXISTS;
 import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND;
 import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND;
@@ -211,8 +210,8 @@ public void importSignCertificateMissingClient() throws Exception {
     @Test
     @WithMockUser(authorities = "IMPORT_SIGN_CERT")
     public void importExistingSignCertificate() throws Exception {
-        doThrow(CodedException
-                .tr(SIGNER_X + "." + X_CERT_EXISTS, "mock code", "mock msg"))
+        doThrow(SignerException
+                .tr(X_CERT_EXISTS, "mock code", "mock msg"))
                 .when(signerProxyFacade).importCert(any(), any(), any(), anyBoolean());
         Resource body = CertificateTestUtils.getResource(CertificateTestUtils.getMockCertificateBytes());
         try {
@@ -226,8 +225,8 @@ public void importExistingSignCertificate() throws Exception {
     @Test
     @WithMockUser(authorities = "IMPORT_SIGN_CERT")
     public void importIncorrectSignCertificate() throws Exception {
-        doThrow(CodedException
-                .tr(SIGNER_X + "." + X_INCORRECT_CERTIFICATE, "mock code", "mock msg"))
+        doThrow(SignerException
+                .tr(X_INCORRECT_CERTIFICATE, "mock code", "mock msg"))
                 .when(signerProxyFacade).importCert(any(), any(), any(), anyBoolean());
         Resource body = CertificateTestUtils.getResource(CertificateTestUtils.getMockCertificateBytes());
         try {
@@ -241,8 +240,8 @@ public void importIncorrectSignCertificate() throws Exception {
     @Test
     @WithMockUser(authorities = "IMPORT_SIGN_CERT")
     public void importWrongUsageSignCertificate() throws Exception {
-        doThrow(CodedException
-                .tr(SIGNER_X + "." + X_WRONG_CERT_USAGE, "mock code", "mock msg"))
+        doThrow(SignerException
+                .tr(X_WRONG_CERT_USAGE, "mock code", "mock msg"))
                 .when(signerProxyFacade).importCert(any(), any(), any(), anyBoolean());
         Resource body = CertificateTestUtils.getResource(CertificateTestUtils.getMockCertificateBytes());
         try {
@@ -256,8 +255,8 @@ public void importWrongUsageSignCertificate() throws Exception {
     @Test
     @WithMockUser(authorities = "IMPORT_SIGN_CERT")
     public void importSignCertificateCsrMissing() throws Exception {
-        doThrow(CodedException
-                .tr(SIGNER_X + "." + X_CSR_NOT_FOUND, "mock code", "mock msg"))
+        doThrow(SignerException
+                .tr(X_CSR_NOT_FOUND, "mock code", "mock msg"))
                 .when(signerProxyFacade).importCert(any(), any(), any(), anyBoolean());
         Resource body = CertificateTestUtils.getResource(CertificateTestUtils.getMockCertificateBytes());
         try {
@@ -271,8 +270,8 @@ public void importSignCertificateCsrMissing() throws Exception {
     @Test
     @WithMockUser(authorities = "IMPORT_SIGN_CERT")
     public void importSignCertificateKeyNotFound() throws Exception {
-        doThrow(CodedException
-                .tr(SIGNER_X + "." + X_KEY_NOT_FOUND, "mock code", "mock msg"))
+        doThrow(SignerException
+                .tr(X_KEY_NOT_FOUND, "mock code", "mock msg"))
                 .when(signerProxyFacade).importCert(any(), any(), any(), anyBoolean());
         Resource body = CertificateTestUtils.getResource(CertificateTestUtils.getMockCertificateBytes());
         try {
@@ -365,8 +364,8 @@ public void getCertificateForHashUnknownPermissions() throws Exception {
     @Test
     @WithMockUser(authorities = {"VIEW_AUTH_CERT", "VIEW_SIGN_CERT"})
     public void getCertificateForHashNotFound() throws Exception {
-        doThrow(CodedException
-                .tr(SIGNER_X + "." + X_CERT_NOT_FOUND, "mock code", "mock msg"))
+        doThrow(SignerException
+                .tr(X_CERT_NOT_FOUND, "mock code", "mock msg"))
                 .when(signerProxyFacade).getCertForHash(any());
         try {
             tokenCertificatesApiController.getCertificate(UNKNOWN_CERT_HASH);
@@ -401,8 +400,8 @@ public void importCertificateFromTokenActionNotPossible() throws Exception {
     @Test
     @WithMockUser(authorities = "IMPORT_SIGN_CERT")
     public void importCertificateFromTokenHashNotFound() throws Exception {
-        doThrow(CodedException
-                .tr(SIGNER_X + "." + X_CERT_NOT_FOUND, "mock code", "mock msg"))
+        doThrow(SignerException
+                .tr(X_CERT_NOT_FOUND, "mock code", "mock msg"))
                 .when(signerProxyFacade).getCertForHash(any());
         try {
             tokenCertificatesApiController.importCertificateFromToken(MOCK_CERTIFICATE_HASH);
@@ -486,13 +485,11 @@ public void deleteCertificate() throws Exception {
     @Test
     @WithMockUser(authorities = {"DELETE_SIGN_CERT", "DELETE_AUTH_CERT"})
     public void deleteCertificateNotFound() throws Exception {
-        doThrow(CodedException
-                .tr(X_CERT_NOT_FOUND, "mock code", "mock msg")
-                .withPrefix(SIGNER_X))
+        doThrow(SignerException
+                .tr(X_CERT_NOT_FOUND, "mock code", "mock msg"))
                 .when(signerProxyFacade).getCertForHash(any());
-        doThrow(CodedException
-                .tr(X_CERT_NOT_FOUND, "mock code", "mock msg")
-                .withPrefix(SIGNER_X))
+        doThrow(SignerException
+                .tr(X_CERT_NOT_FOUND, "mock code", "mock msg"))
                 .when(signerProxyFacade).deleteCert(any());
         try {
             tokenCertificatesApiController.deleteCertificate(UNKNOWN_CERT_HASH);
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/InitializationServiceTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/InitializationServiceTest.java
index ca9fa01b51..75a8e8c687 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/InitializationServiceTest.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/InitializationServiceTest.java
@@ -32,6 +32,7 @@
 import ee.ria.xroad.common.util.process.ExternalProcessRunner;
 import ee.ria.xroad.common.util.process.ProcessFailedException;
 import ee.ria.xroad.common.util.process.ProcessNotExecutableException;
+import ee.ria.xroad.signer.exception.SignerException;
 
 import org.junit.Assert;
 import org.junit.Before;
@@ -272,7 +273,7 @@ public void initializeFailPreRequisites() throws Exception {
 
     @Test
     public void initializeFailToken() throws Exception {
-        doThrow(new Exception()).when(signerProxyFacade).initSoftwareToken(any());
+        doThrow(new SignerException("Error")).when(signerProxyFacade).initSoftwareToken(any());
         when(tokenService.isSoftwareTokenInitialized()).thenReturn(false);
         when(serverConfService.isServerCodeInitialized()).thenReturn(false);
         when(serverConfService.isServerOwnerInitialized()).thenReturn(false);
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java
index 925709aa63..4f8b59908e 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyAndCertificateRequestServiceIntegrationTest.java
@@ -25,12 +25,13 @@
  */
 package org.niis.xroad.securityserver.restapi.service;
 
-import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.ErrorCodes;
 import ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo;
 import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm;
 import ee.ria.xroad.common.identifier.ClientId;
 import ee.ria.xroad.common.identifier.SecurityServerId;
 import ee.ria.xroad.signer.SignerProxy;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
@@ -236,7 +237,7 @@ public void csrGenerateFailureRollsBackKeyCreate() throws Exception {
     @WithMockUser(authorities = {"DELETE_KEY", "DELETE_SIGN_KEY", "DELETE_AUTH_KEY"})
     public void failedRollback() throws Exception {
         HashMap<String, String> dnParams = createCsrDnParams();
-        doThrow(new CodedException(TokenService.KEY_NOT_FOUND_FAULT_CODE))
+        doThrow(new SignerException(ErrorCodes.X_KEY_NOT_FOUND))
                 .when(signerProxyFacade).getTokenForKeyId(any());
         try {
             ClientId.Conf notFoundClient = ClientId.Conf.create("not-found", "GOV", "M1");
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyServiceTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyServiceTest.java
index 4c3403a750..a78f49f153 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyServiceTest.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/KeyServiceTest.java
@@ -25,7 +25,7 @@
  */
 package org.niis.xroad.securityserver.restapi.service;
 
-import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.CertRequestInfo;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
@@ -54,7 +54,6 @@
 import java.util.List;
 import java.util.Set;
 
-import static ee.ria.xroad.common.ErrorCodes.SIGNER_X;
 import static ee.ria.xroad.common.ErrorCodes.X_KEY_NOT_FOUND;
 import static junit.framework.TestCase.fail;
 import static org.junit.Assert.assertEquals;
@@ -148,7 +147,7 @@ public void setup() throws Exception {
             Object[] arguments = invocation.getArguments();
             String newKeyName = (String) arguments[1];
             if ("new-friendly-name-update-fails".equals(newKeyName)) {
-                throw new CodedException(SIGNER_X + "." + X_KEY_NOT_FOUND);
+                throw new SignerException(X_KEY_NOT_FOUND);
             }
             if (arguments[0].equals(AUTH_KEY_ID)) {
                 tokenInfo = createTokenInfo(newKeyName);
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateServiceTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateServiceTest.java
index dc0caf25dd..d4a8744b0f 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateServiceTest.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenCertificateServiceTest.java
@@ -26,12 +26,14 @@
 package org.niis.xroad.securityserver.restapi.service;
 
 import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.ErrorCodes;
 import ee.ria.xroad.common.certificateprofile.DnFieldDescription;
 import ee.ria.xroad.common.certificateprofile.impl.DnFieldDescriptionImpl;
 import ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo;
 import ee.ria.xroad.common.conf.globalconf.GlobalConfProvider;
 import ee.ria.xroad.common.identifier.ClientId;
 import ee.ria.xroad.signer.SignerProxy;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.CertRequestInfo;
 import ee.ria.xroad.signer.protocol.dto.CertRequestInfoProto;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
@@ -76,7 +78,6 @@
 import java.util.List;
 
 import static ee.ria.xroad.common.ErrorCodes.SERVER_CLIENTPROXY_X;
-import static ee.ria.xroad.common.ErrorCodes.SIGNER_X;
 import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND;
 import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND;
 import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR;
@@ -257,7 +258,7 @@ public void setup() throws Exception {
             Object[] args = invocation.getArguments();
             String hash = (String) args[0];
             if (MISSING_CERTIFICATE_HASH.equals(hash)) {
-                throw new CodedException(TokenCertificateService.CERT_NOT_FOUND_FAULT_CODE);
+                throw new SignerException(ErrorCodes.X_CERT_NOT_FOUND);
             }
 
             return null;
@@ -267,7 +268,7 @@ public void setup() throws Exception {
             Object[] args = invocation.getArguments();
             String hash = (String) args[0];
             if (MISSING_CERTIFICATE_HASH.equals(hash)) {
-                throw new CodedException(TokenCertificateService.CERT_NOT_FOUND_FAULT_CODE);
+                throw new SignerException(ErrorCodes.X_CERT_NOT_FOUND);
             }
             return null;
         }).when(signerProxyFacade).activateCert(eq("certID"));
@@ -307,9 +308,8 @@ private void mockDeleteCertRequest() throws Exception {
             if (GOOD_CSR_ID.equals(csrId)) {
                 return null;
             } else if (SIGNER_EXCEPTION_CSR_ID.equals(csrId)) {
-                throw CodedException.tr(X_CSR_NOT_FOUND,
-                                "csr_not_found", "Certificate request '%s' not found", csrId)
-                        .withPrefix(SIGNER_X);
+                throw SignerException.tr(X_CSR_NOT_FOUND,
+                        "csr_not_found", "Certificate request '%s' not found", csrId);
             } else if (CSR_NOT_FOUND_CSR_ID.equals(csrId)) {
                 throw new CsrNotFoundException("not found");
             } else {
@@ -501,9 +501,8 @@ public void regenerateSignCsrPermission() throws Exception {
                 .regenerateCertRequest(SIGN_KEY_ID, GOOD_SIGN_CSR_ID, CertificateRequestFormat.PEM);
     }
 
-    private CodedException signerException(String code) {
-        return CodedException.tr(code, "mock-translation", "mock-message")
-                .withPrefix(SIGNER_X);
+    private SignerException signerException(String code) {
+        return SignerException.tr(code, "mock-translation", "mock-message");
     }
 
     @Test
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenServiceTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenServiceTest.java
index e52f74c8ac..85563fa58b 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenServiceTest.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/service/TokenServiceTest.java
@@ -26,6 +26,8 @@
 package org.niis.xroad.securityserver.restapi.service;
 
 import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.ErrorCodes;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
 
 import lombok.extern.slf4j.Slf4j;
@@ -82,15 +84,15 @@ public void setup() throws Exception {
             Object[] args = invocation.getArguments();
             String tokenId = (String) args[0];
             if (WRONG_SOFTTOKEN_PIN_TOKEN_ID.equals(tokenId)) {
-                throw new CodedException(TokenService.PIN_INCORRECT_FAULT_CODE);
+                throw new SignerException(ErrorCodes.X_PIN_INCORRECT);
             } else if (WRONG_HSM_PIN_TOKEN_ID.equals(tokenId)) {
-                throw new CodedException(TokenService.LOGIN_FAILED_FAULT_CODE, TokenService.CKR_PIN_INCORRECT_MESSAGE);
+                throw new SignerException(ErrorCodes.X_LOGIN_FAILED, SignerException.CKR_PIN_INCORRECT_MESSAGE);
             } else if (UNKNOWN_LOGIN_FAIL_TOKEN_ID.equals(tokenId)) {
-                throw new CodedException(TokenService.LOGIN_FAILED_FAULT_CODE, "dont know what happened");
+                throw new SignerException(ErrorCodes.X_LOGIN_FAILED, "dont know what happened");
             } else if (TOKEN_NOT_FOUND_TOKEN_ID.equals(tokenId)) {
-                throw new CodedException(TokenService.TOKEN_NOT_FOUND_FAULT_CODE, "did not find it");
+                throw new SignerException(ErrorCodes.X_TOKEN_NOT_FOUND, "did not find it");
             } else if (UNRECOGNIZED_FAULT_CODE_TOKEN_ID.equals(tokenId)) {
-                throw new CodedException("foo", "bar");
+                throw new SignerException("foo", "bar");
             } else {
                 log.debug("activate successful");
             }
@@ -102,7 +104,7 @@ public void setup() throws Exception {
             String oldPin = new String((char[]) args[1]);
             String newPin = new String((char[]) args[2]);
             if (WRONG_SOFTTOKEN_PIN_TOKEN_ID.equals(oldPin)) {
-                throw new CodedException(TokenService.PIN_INCORRECT_FAULT_CODE);
+                throw new SignerException(ErrorCodes.X_PIN_INCORRECT);
             } else {
                 log.debug("activate successful");
             }
@@ -113,9 +115,9 @@ public void setup() throws Exception {
             Object[] args = invocation.getArguments();
             String tokenId = (String) args[0];
             if (TOKEN_NOT_FOUND_TOKEN_ID.equals(tokenId)) {
-                throw new CodedException(TokenService.TOKEN_NOT_FOUND_FAULT_CODE, "did not find it");
+                throw new SignerException(ErrorCodes.X_TOKEN_NOT_FOUND, "did not find it");
             } else if (UNRECOGNIZED_FAULT_CODE_TOKEN_ID.equals(tokenId)) {
-                throw new CodedException("foo", "bar");
+                throw new SignerException("foo", "bar");
             } else {
                 log.debug("deactivate successful");
             }
@@ -126,7 +128,7 @@ public void setup() throws Exception {
             Object[] args = invocation.getArguments();
             String tokenId = (String) args[0];
             if (TOKEN_NOT_FOUND_TOKEN_ID.equals(tokenId)) {
-                throw new CodedException(TokenService.TOKEN_NOT_FOUND_FAULT_CODE, "did not find it");
+                throw new SignerException(ErrorCodes.X_TOKEN_NOT_FOUND, "did not find it");
             } else {
                 return tokenInfo;
             }
@@ -166,8 +168,8 @@ public void activateToken() throws Exception {
         try {
             tokenService.activateToken(UNKNOWN_LOGIN_FAIL_TOKEN_ID, password);
             fail("should have thrown exception");
-        } catch (CodedException expected) {
-            Assert.assertEquals(TokenService.LOGIN_FAILED_FAULT_CODE, expected.getFaultCode());
+        } catch (SignerException expected) {
+            Assert.assertTrue(expected.getFaultCode().endsWith("." + ErrorCodes.X_LOGIN_FAILED));
             assertEquals("dont know what happened", expected.getFaultString());
         }
 
@@ -181,7 +183,7 @@ public void activateToken() throws Exception {
             tokenService.activateToken(UNRECOGNIZED_FAULT_CODE_TOKEN_ID, password);
             fail("should have thrown exception");
         } catch (CodedException expected) {
-            assertEquals("foo", expected.getFaultCode());
+            assertEquals("Signer.foo", expected.getFaultCode());
             assertEquals("bar", expected.getFaultString());
         }
         tokenPinValidator.setTokenPinEnforced(false);
@@ -201,7 +203,7 @@ public void deactivateToken() throws Exception {
             tokenService.deactivateToken(UNRECOGNIZED_FAULT_CODE_TOKEN_ID);
             fail("should have thrown exception");
         } catch (CodedException expected) {
-            assertEquals("foo", expected.getFaultCode());
+            assertEquals("Signer.foo", expected.getFaultCode());
             assertEquals("bar", expected.getFaultString());
         }
     }
@@ -233,7 +235,7 @@ public void updateNonExistingTokenFriendlyName() throws Exception {
 
     @Test
     public void getUnknownSoftwareTokenInitStatus() throws Exception {
-        when(signerProxyFacade.getTokens()).thenThrow(new Exception());
+        when(signerProxyFacade.getTokens()).thenThrow(new SignerException("Error"));
         TokenInitStatusInfo tokenStatus = tokenService.getSoftwareTokenInitStatus();
         assertEquals(TokenInitStatusInfo.UNKNOWN, tokenStatus);
     }
@@ -279,7 +281,7 @@ private void mockPossibleActionsRuleEngineAllowAll() {
         possibleActionsRuleEngine = new PossibleActionsRuleEngine() {
             @Override
             public void requirePossibleTokenAction(PossibleActionEnum action, TokenInfo token) throws
-                    ActionNotPossibleException {
+                                                                                               ActionNotPossibleException {
                 // noop
             }
         };
diff --git a/src/security-server/admin-service/ui/src/components/ui/ContextualAlerts.vue b/src/security-server/admin-service/ui/src/components/ui/ContextualAlerts.vue
index 71ad413632..693955a66f 100644
--- a/src/security-server/admin-service/ui/src/components/ui/ContextualAlerts.vue
+++ b/src/security-server/admin-service/ui/src/components/ui/ContextualAlerts.vue
@@ -26,12 +26,12 @@
 <template>
   <!-- Error -->
   <v-container
-    v-if="errorNotifications && errorNotifications.length > 0"
+    v-if="notifications.errorNotifications && notifications.errorNotifications.length > 0"
     fluid
     class="alerts-container px-3"
   >
     <v-alert
-      v-for="notification in errorNotifications"
+      v-for="notification in notifications.errorNotifications"
       :key="notification.timeAdded"
       v-model="notification.show"
       data-test="contextual-alert"
@@ -57,7 +57,7 @@
 
             <!-- Show localised text by id from error object -->
             <div v-else-if="notification.errorCode">
-              {{ $t(`error_code.${notification.errorCode}`) }}
+              {{ $t(errorCodePrefix + notification.errorCode) }}
             </div>
 
             <!-- If error doesn't have a text or localisation key then just print the error object -->
@@ -69,21 +69,19 @@
             <template v-if="notification.errorCode === 'weak_pin'">
               <div>
                 {{
-                  $t(`error_code.${notification.metaData?.[0]}`) +
-                  `: ${notification.metaData?.[1]}`
+                  $t(errorCodePrefix + notification.metaData?.[0]) + ': ' + notification.metaData?.[1]
                 }}
               </div>
               <div>
                 {{
-                  $t(`error_code.${notification.metaData?.[2]}`) +
-                  `: ${notification.metaData?.[3]}`
+                  $t(errorCodePrefix + notification.metaData?.[2]) + ': ' + notification.metaData?.[3]
                 }}
               </div>
             </template>
 
             <!-- Show the error metadata if it exists -->
             <div v-for="meta in notification.metaData" v-else :key="meta">
-              {{ meta }}
+              {{ meta.startsWith(metaPrefix) ? $t(meta) : meta }}
             </div>
 
             <!-- Show validation errors -->
@@ -154,43 +152,33 @@
   </v-container>
 </template>
 
-<script lang="ts">
-import { defineComponent } from 'vue';
-import { mapActions, mapState } from 'pinia';
+<script lang="ts" setup>
 import { useNotifications } from '@/store/modules/notifications';
 import { toClipboard } from '@/util/helpers';
 import { Notification } from '@/ui-types';
 import { Colors } from '@/global';
-import {
-  XrdIconCopy,
-  XrdIconErrorNotification,
-  XrdIconWarning,
-} from '@niis/shared-ui';
+import { XrdIconCopy, XrdIconErrorNotification, XrdIconWarning } from '@niis/shared-ui';
 
-export default defineComponent({
-  components: { XrdIconWarning, XrdIconErrorNotification, XrdIconCopy },
-  // Component for contextual notifications
-  computed: {
-    ...mapState(useNotifications, ['errorNotifications']),
-  },
-  methods: {
-    notificationColor(notification: Notification) {
-      // TODO - how to import these values from colors.css?
-      return notification.isWarning ? Colors.Warning : Colors.Error;
-    },
-    ...mapActions(useNotifications, ['deleteNotification']),
+const errorCodePrefix = 'error_code.';
+const metaPrefix = 'meta.';
 
-    closeError(id: number): void {
-      this.deleteNotification(id);
-    },
-    copyId(notification: Notification): void {
-      const id = notification.errorId;
-      if (id) {
-        toClipboard(id);
-      }
-    },
-  },
-});
+const notifications = useNotifications();
+
+function notificationColor(notification: Notification) {
+  // TODO - how to import these values from colors.css?
+  return notification.isWarning ? Colors.Warning : Colors.Error;
+}
+
+function closeError(id: number): void {
+  notifications.deleteNotification(id);
+}
+
+function copyId(notification: Notification): void {
+  const id = notification.errorId;
+  if (id) {
+    toClipboard(id);
+  }
+}
 </script>
 
 <style lang="scss" scoped>
@@ -229,6 +217,7 @@ export default defineComponent({
     margin-right: 12px;
     color: colors.$Error;
   }
+
   .warning-icon {
     margin-right: 12px;
     color: colors.$Warning;
diff --git a/src/security-server/admin-service/ui/src/locales/en.json b/src/security-server/admin-service/ui/src/locales/en.json
index d2b221aa79..52a7ee29c1 100644
--- a/src/security-server/admin-service/ui/src/locales/en.json
+++ b/src/security-server/admin-service/ui/src/locales/en.json
@@ -346,6 +346,7 @@
       },
       "Signer": {
         "CertNotFound": "Certification is not found",
+        "NetworkError": "Signer is not currently reachable.",
         "KeyNotFound": "Key is not found",
         "TokenNotAvailable": "Token is not available",
         "TokenNotFound": "Token is not found",
@@ -366,6 +367,7 @@
     "illegal_generated_endpoint_update": "Updating the generated endpoint is not allowed",
     "import_internal_cert_failed": "Importing internal certificate failed",
     "internal_anchor_upload_invalid_instance_id": "Anchor has an invalid instance id",
+    "internal_error": "Internal error. See the Security Server application logs for more details.",
     "internal_key_cert_interrupted": "Internal key certificate interrupted",
     "invalid_cert": "Invalid certificate",
     "invalid_characters_pin": "PIN has invalid characters",
@@ -411,7 +413,6 @@
     "service_description_not_found": "Service description not found",
     "service_not_found": "service not found",
     "sign_cert_not_supported": "Signing certificate is not supported",
-    "signer_not_reachable": "Signer is not currently reachable. Please check the signer log for details.",
     "software_token_init_failed": "Software token initialisation failed",
     "timestamping_service_already_configured": "Timestamping service is already configured",
     "timestamping_service_not_found": "Timestamping service not found",
diff --git a/src/security-server/admin-service/ui/src/locales/es.json b/src/security-server/admin-service/ui/src/locales/es.json
index 23cf85eec7..b02f3fd509 100644
--- a/src/security-server/admin-service/ui/src/locales/es.json
+++ b/src/security-server/admin-service/ui/src/locales/es.json
@@ -347,6 +347,7 @@
       "Signer": {
         "CertNotFound": "No se encuentra el certificado",
         "KeyNotFound": "No se encuentra la clave",
+        "NetworkError": "El firmante no es actualmente accesible.",
         "TokenNotAvailable": "El token no está disponible",
         "TokenNotFound": "No se encuentra el token",
         "UnknownMember": "X -Road Core - Signer: miembro desconocido"
@@ -411,7 +412,6 @@
     "service_description_not_found": "Descripción del servicio no encontrada",
     "service_not_found": "servicio no encontrado",
     "sign_cert_not_supported": "El certificado de firma no es compatible",
-    "signer_not_reachable": "El firmante no es actualmente accesible. Consulte el registro (log) del firmante para más detalles.",
     "software_token_init_failed": "Error al inicializar el token de software",
     "timestamping_service_already_configured": "El servicio de marca de tiempo ya está configurado",
     "timestamping_service_not_found": "Servicio de marca de tiempo no encontrado",
@@ -999,4 +999,4 @@
       "unregistered_member": "Miembro no registrado"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/security-server/admin-service/ui/src/views/KeysAndCertificates/SignAndAuthKeys/RegisterCertificateDialog.vue b/src/security-server/admin-service/ui/src/views/KeysAndCertificates/SignAndAuthKeys/RegisterCertificateDialog.vue
index 08b915b546..822177b2ae 100644
--- a/src/security-server/admin-service/ui/src/views/KeysAndCertificates/SignAndAuthKeys/RegisterCertificateDialog.vue
+++ b/src/security-server/admin-service/ui/src/views/KeysAndCertificates/SignAndAuthKeys/RegisterCertificateDialog.vue
@@ -40,6 +40,7 @@
           variant="underlined"
           :error-messages="errors"
           class="dlg-row-input"
+          autofocus
         />
       </div>
     </template>
diff --git a/src/shared-ui/src/language-helper.ts b/src/shared-ui/src/language-helper.ts
index 2be42e90dc..e11ca52458 100644
--- a/src/shared-ui/src/language-helper.ts
+++ b/src/shared-ui/src/language-helper.ts
@@ -29,6 +29,7 @@ import { createI18n } from 'vue-i18n';
 import merge from 'deepmerge';
 import enSharedMessages from './locales/en.json';
 import enValidationMessages from '@vee-validate/i18n/dist/locale/en.json';
+import axios from 'axios';
 
 interface MessageLoader {
   (language: string): Promise<any>
@@ -83,6 +84,9 @@ export function prepareI18n(fallbackMessages: any, ...loaders: MessageLoader[])
   async function selectLanguage(language: string) {
     await loadLanguage(language);
     i18n.global.locale.value = language;
+
+    axios.defaults.headers.common['Accept-Language'] = language
+    document.querySelector('html').setAttribute('lang', language)
   }
 
   const languageHelper: LanguageHelper = {
diff --git a/src/shared-ui/src/locales/en.json b/src/shared-ui/src/locales/en.json
index a63c528873..1e35237832 100644
--- a/src/shared-ui/src/locales/en.json
+++ b/src/shared-ui/src/locales/en.json
@@ -158,12 +158,14 @@
     "backup_generation_failed": "Failed to generate backup",
     "backup_restore_interrupted": "Backup restoration has been interrupted",
     "generate_backup_interrupted": "Backup generation has been interrupted",
+    "internal_error": "Internal error. See server logs for more details",
     "invalid_backup_file": "Invalid backup file",
     "invalid_distinguished_name": "Distinguished name is invalid",
     "invalid_filename": "Invalid filename",
     "resource_read_failed": "Failed to read resource",
     "restore_process_failed": "Restore process failed",
-    "token_not_found": "Token not found",
+    "token_fetch_failed": "Error getting tokens.",
+    "token_not_found": "Token not found.",
     "validation_failure": "Validation failure"
   },
   "fields": {
@@ -201,6 +203,9 @@
     "idleWarning": "You have been idle for 30 minutes and your session has expired. For security reasons, you will be logged out.",
     "sessionExpired": "Session expired"
   },
+  "meta": {
+    "check_signer_logs": "Please check the signer log for details."
+  },
   "noData": {
     "loading": "Loading... Please wait",
     "noBackups": "No backups yet",
diff --git a/src/shared-ui/src/locales/es.json b/src/shared-ui/src/locales/es.json
index 50a088fa78..403104730e 100644
--- a/src/shared-ui/src/locales/es.json
+++ b/src/shared-ui/src/locales/es.json
@@ -163,6 +163,7 @@
     "invalid_filename": "Nombre de archivo no válido",
     "resource_read_failed": "No se pudo leer el recurso",
     "restore_process_failed": "El proceso de restauración falló",
+    "token_fetch_failed": "Error al obtener el token",
     "token_not_found": "Token no encontrado",
     "validation_failure": "Falla de validación"
   },
@@ -201,6 +202,9 @@
     "idleWarning": "Has estado inactivo durante 30 minutos y tu sesión ha expirado. Por razones de seguridad, deberás autenticarte nuevamente.",
     "sessionExpired": "Sesión expirada"
   },
+  "meta": {
+    "check_signer_logs": "Consulte el registro (log) del firmante para más detalles."
+  },
   "noData": {
     "loading": "Cargando ... por favor espera",
     "noBackups": "No hay copias de seguridad todavía",
@@ -248,4 +252,4 @@
       "address": "El campo {campo} contiene caracteres no válidos"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/shared-ui/src/locales/et.json b/src/shared-ui/src/locales/et.json
index 1ce2d42842..2df13002d9 100644
--- a/src/shared-ui/src/locales/et.json
+++ b/src/shared-ui/src/locales/et.json
@@ -201,6 +201,9 @@
     "idleWarning": "Olete olnud eemal 30 minutit ja teie seanss on aegunud. Turvapõhjustel logitakse teid välja.",
     "sessionExpired": "Seanss on aegunud"
   },
+  "meta": {
+    "check_signer_logs": "Vt täpsemalt vt signeerija logi."
+  },
   "noData": {
     "loading": "Laadimine... Palun oodake",
     "noBackups": "Varukoopiaid pole",
diff --git a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java
index 444e7ce693..1832af3fa8 100644
--- a/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java
+++ b/src/signer-console/src/main/java/ee/ria/xroad/signer/console/SignerCLI.java
@@ -704,7 +704,7 @@ public void generateCertRequest(@Param(name = "keyId", description = "Key ID") S
 
             AuditLogger.log(GENERATE_A_CERT_REQUEST_EVENT, XROAD_USER, null, logData);
 
-            bytesToFile(keyId + ".csr", generatedCertRequestInfo.getCertRequest());
+            bytesToFile(keyId + ".csr", generatedCertRequestInfo.certRequest());
         } catch (Exception e) {
             AuditLogger.log(GENERATE_A_CERT_REQUEST_EVENT, XROAD_USER, null, e.getMessage(), logData);
             throw e;
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
index 420a921262..f80d275aee 100644
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
@@ -25,12 +25,15 @@
  */
 package ee.ria.xroad.signer;
 
+import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.ErrorCodes;
 import ee.ria.xroad.common.crypto.identifier.KeyAlgorithm;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.common.crypto.identifier.SignMechanism;
 import ee.ria.xroad.common.identifier.ClientId;
 import ee.ria.xroad.common.identifier.SecurityServerId;
 import ee.ria.xroad.common.util.PasswordStore;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.RpcSignerClient;
 import ee.ria.xroad.signer.protocol.dto.AuthKeyInfo;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
@@ -44,7 +47,6 @@
 import com.google.protobuf.ByteString;
 import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
-import lombok.Value;
 import lombok.extern.slf4j.Slf4j;
 import org.niis.xroad.signer.proto.ActivateCertReq;
 import org.niis.xroad.signer.proto.ActivateTokenReq;
@@ -63,7 +65,6 @@
 import org.niis.xroad.signer.proto.GetMemberSigningInfoReq;
 import org.niis.xroad.signer.proto.GetOcspResponsesReq;
 import org.niis.xroad.signer.proto.GetSignMechanismReq;
-import org.niis.xroad.signer.proto.GetSignMechanismResp;
 import org.niis.xroad.signer.proto.GetTokenBatchSigningEnabledReq;
 import org.niis.xroad.signer.proto.GetTokenByCertHashReq;
 import org.niis.xroad.signer.proto.GetTokenByCertRequestIdReq;
@@ -71,7 +72,6 @@
 import org.niis.xroad.signer.proto.GetTokenByKeyIdReq;
 import org.niis.xroad.signer.proto.ImportCertReq;
 import org.niis.xroad.signer.proto.InitSoftwareTokenReq;
-import org.niis.xroad.signer.proto.ListTokensResp;
 import org.niis.xroad.signer.proto.RegenerateCertRequestReq;
 import org.niis.xroad.signer.proto.SetCertStatusReq;
 import org.niis.xroad.signer.proto.SetKeyFriendlyNameReq;
@@ -92,6 +92,7 @@
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 
 import static ee.ria.xroad.common.util.CertUtils.isAuthCert;
@@ -107,34 +108,63 @@
 public final class SignerProxy {
     public static final String SSL_TOKEN_ID = "0";
 
+    private static void tryToRun(Action action) throws SignerException {
+        try {
+            action.run();
+        } catch (SignerException e) {
+            throw e;
+        } catch (CodedException e) {
+            throw new SignerException(e);
+        } catch (Exception e) {
+            throw new SignerException(ErrorCodes.X_INTERNAL_ERROR, e);
+        }
+    }
+
+    private static <R, T> T tryToRun(ActionWithResult<R> action, Function<R, T> mapper) throws SignerException {
+        return tryToRun(() -> mapper.apply(action.run()));
+    }
+
+    private static <T> T tryToRun(ActionWithResult<T> action) throws SignerException {
+        try {
+            return action.run();
+        } catch (SignerException e) {
+            throw e;
+        } catch (CodedException e) {
+            throw new SignerException(e);
+        } catch (Exception e) {
+            throw new SignerException(ErrorCodes.X_INTERNAL_ERROR, e);
+        }
+    }
+
     /**
      * Initialize the software token with the given password.
      *
      * @param password software token password
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void initSoftwareToken(char[] password) throws Exception {
+    public static void initSoftwareToken(char[] password) throws SignerException {
         log.trace("Initializing software token");
-
-        RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
-                .initSoftwareToken(InitSoftwareTokenReq.newBuilder()
-                        .setPin(new String(password))
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
+                        .initSoftwareToken(InitSoftwareTokenReq.newBuilder()
+                                .setPin(new String(password))
+                                .build()))
+        );
     }
 
     /**
      * Gets information about all configured tokens.
      *
      * @return a List of TokenInfo objects
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static List<TokenInfo> getTokens() throws Exception {
-        ListTokensResp response = RpcSignerClient.execute(ctx ->
-                ctx.getBlockingTokenService().listTokens(Empty.newBuilder().build()));
-
-        return response.getTokensList().stream()
-                .map(TokenInfo::new)
-                .collect(Collectors.toList());
+    public static List<TokenInfo> getTokens() throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService().listTokens(Empty.newBuilder().build()))
+                        .getTokensList().stream()
+                        .map(TokenInfo::new)
+                        .collect(Collectors.toList())
+        );
     }
 
     /**
@@ -142,13 +172,16 @@ public static List<TokenInfo> getTokens() throws Exception {
      *
      * @param tokenId ID of the token
      * @return TokenInfo
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static TokenInfo getToken(String tokenId) throws Exception {
-        return RpcSignerClient.execute(ctx -> new TokenInfo(ctx.getBlockingTokenService()
-                .getTokenById(GetTokenByIdReq.newBuilder()
-                        .setTokenId(tokenId)
-                        .build())));
+    public static TokenInfo getToken(String tokenId) throws SignerException {
+
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> new TokenInfo(ctx.getBlockingTokenService()
+                        .getTokenById(GetTokenByIdReq.newBuilder()
+                                .setTokenId(tokenId)
+                                .build())))
+        );
     }
 
     /**
@@ -156,13 +189,17 @@ public static TokenInfo getToken(String tokenId) throws Exception {
      *
      * @param tokenId  ID of the token
      * @param password token password
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void activateToken(String tokenId, char[] password) throws Exception {
-        PasswordStore.storePassword(tokenId, password);
+    public static void activateToken(String tokenId, char[] password) throws SignerException {
+        tryToRun(() -> internalActivateToken(tokenId, password));
+    }
 
+    private static void internalActivateToken(String tokenId, char[] password) throws Exception {
         log.trace("Activating token '{}'", tokenId);
 
+        PasswordStore.storePassword(tokenId, password);
+
         RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
                 .activateToken(ActivateTokenReq.newBuilder()
                         .setTokenId(tokenId)
@@ -176,30 +213,36 @@ public static void activateToken(String tokenId, char[] password) throws Excepti
      * @param tokenId ID of the token
      * @param oldPin  the old (current) pin of the token
      * @param newPin  the new pin
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void updateTokenPin(String tokenId, char[] oldPin, char[] newPin) throws Exception {
+    public static void updateTokenPin(String tokenId, char[] oldPin, char[] newPin) throws SignerException {
         log.trace("Updating token pin '{}'", tokenId);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
-                .updateSoftwareTokenPin(UpdateSoftwareTokenPinReq.newBuilder()
-                        .setTokenId(tokenId)
-                        .setOldPin(new String(oldPin))
-                        .setNewPin(new String(newPin))
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
+                        .updateSoftwareTokenPin(UpdateSoftwareTokenPinReq.newBuilder()
+                                .setTokenId(tokenId)
+                                .setOldPin(new String(oldPin))
+                                .setNewPin(new String(newPin))
+                                .build()))
+        );
     }
 
     /**
      * Deactivates the token with the given ID.
      *
      * @param tokenId ID of the token
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void deactivateToken(String tokenId) throws Exception {
-        PasswordStore.storePassword(tokenId, null);
+    public static void deactivateToken(String tokenId) throws SignerException {
+        tryToRun(() -> internalDeactivateToken(tokenId));
+    }
 
+    private static void internalDeactivateToken(String tokenId) throws Exception {
         log.trace("Deactivating token '{}'", tokenId);
 
+        PasswordStore.storePassword(tokenId, null);
+
         RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
                 .activateToken(ActivateTokenReq.newBuilder()
                         .setTokenId(tokenId)
@@ -212,16 +255,18 @@ public static void deactivateToken(String tokenId) throws Exception {
      *
      * @param tokenId      ID of the token
      * @param friendlyName new friendly name of the token
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void setTokenFriendlyName(String tokenId, String friendlyName) throws Exception {
+    public static void setTokenFriendlyName(String tokenId, String friendlyName) throws SignerException {
         log.trace("Setting friendly name '{}' for token '{}'", friendlyName, tokenId);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
-                .setTokenFriendlyName(SetTokenFriendlyNameReq.newBuilder()
-                        .setTokenId(tokenId)
-                        .setFriendlyName(friendlyName)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
+                        .setTokenFriendlyName(SetTokenFriendlyNameReq.newBuilder()
+                                .setTokenId(tokenId)
+                                .setFriendlyName(friendlyName)
+                                .build()))
+        );
     }
 
     /**
@@ -229,16 +274,18 @@ public static void setTokenFriendlyName(String tokenId, String friendlyName) thr
      *
      * @param keyId        ID of the key
      * @param friendlyName new friendly name of the key
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void setKeyFriendlyName(String keyId, String friendlyName) throws Exception {
+    public static void setKeyFriendlyName(String keyId, String friendlyName) throws SignerException {
         log.trace("Setting friendly name '{}' for key '{}'", friendlyName, keyId);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
-                .setKeyFriendlyName(SetKeyFriendlyNameReq.newBuilder()
-                        .setKeyId(keyId)
-                        .setFriendlyName(friendlyName)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
+                        .setKeyFriendlyName(SetKeyFriendlyNameReq.newBuilder()
+                                .setKeyId(keyId)
+                                .setFriendlyName(friendlyName)
+                                .build()))
+        );
     }
 
     /**
@@ -248,9 +295,13 @@ public static void setKeyFriendlyName(String keyId, String friendlyName) throws
      * @param keyLabel label of the key
      * @param algorithm algorithm to use, RSA or EC
      * @return generated key KeyInfo object
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws Exception {
+    public static KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws SignerException {
+        return tryToRun(() -> internalGenerateKey(tokenId, keyLabel, algorithm));
+    }
+
+    private static KeyInfo internalGenerateKey(String tokenId, String keyLabel, KeyAlgorithm algorithm) throws Exception {
         log.trace("Generating key for token '{}'", tokenId);
 
         var builder = GenerateKeyReq.newBuilder()
@@ -279,10 +330,15 @@ public static KeyInfo generateKey(String tokenId, String keyLabel, KeyAlgorithm
      * @param notBefore  date the certificate becomes valid
      * @param notAfter   date the certificate becomes invalid
      * @return byte content of the generated certificate
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
     public static byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId, KeyUsageInfo keyUsage,
-                                                String commonName, Date notBefore, Date notAfter) throws Exception {
+                                                String commonName, Date notBefore, Date notAfter) throws SignerException {
+        return tryToRun(() -> internalGenerateSelfSignedCert(keyId, memberId, keyUsage, commonName, notBefore, notAfter));
+    }
+
+    private static byte[] internalGenerateSelfSignedCert(String keyId, ClientId.Conf memberId, KeyUsageInfo keyUsage,
+                                                         String commonName, Date notBefore, Date notAfter) throws Exception {
         log.trace("Generate self-signed cert for key '{}'", keyId);
 
         var builder = GenerateSelfSignedCertReq.newBuilder()
@@ -313,9 +369,15 @@ public static byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId
      * @param initialStatus initial status of the certificate
      * @param clientId      client ID of the certificate owner
      * @return key ID of the new certificate as a String
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId, boolean activate) throws Exception {
+    public static String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId, boolean activate)
+            throws SignerException {
+        return tryToRun(() -> internalImportCert(certBytes, initialStatus, clientId, activate));
+    }
+
+    private static String internalImportCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId, boolean activate)
+            throws Exception {
         log.trace("Importing cert from file with length of '{}' bytes", certBytes.length);
 
         final ImportCertReq.Builder builder = ImportCertReq.newBuilder()
@@ -332,41 +394,47 @@ public static String importCert(byte[] certBytes, String initialStatus, ClientId
         return response.getKeyId();
     }
 
-    public static String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId) throws Exception {
-        X509Certificate x509Certificate = readCertificate(certBytes);
-        return importCert(certBytes, initialStatus, clientId, !isAuthCert(x509Certificate));
+    public static String importCert(byte[] certBytes, String initialStatus, ClientId.Conf clientId) throws SignerException {
+        return tryToRun(() -> {
+            X509Certificate x509Certificate = readCertificate(certBytes);
+            return importCert(certBytes, initialStatus, clientId, !isAuthCert(x509Certificate));
+        });
     }
 
     /**
      * Activates the certificate with the given ID.
      *
      * @param certId ID of the certificate
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void activateCert(String certId) throws Exception {
+    public static void activateCert(String certId) throws SignerException {
         log.trace("Activating cert '{}'", certId);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
-                .activateCert(ActivateCertReq.newBuilder()
-                        .setCertIdOrHash(certId)
-                        .setActive(true)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
+                        .activateCert(ActivateCertReq.newBuilder()
+                                .setCertIdOrHash(certId)
+                                .setActive(true)
+                                .build()))
+        );
     }
 
     /**
      * Deactivates the certificate with the given ID.
      *
      * @param certId ID of the certificate
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void deactivateCert(String certId) throws Exception {
+    public static void deactivateCert(String certId) throws SignerException {
         log.trace("Deactivating cert '{}'", certId);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
-                .activateCert(ActivateCertReq.newBuilder()
-                        .setCertIdOrHash(certId)
-                        .setActive(false)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
+                        .activateCert(ActivateCertReq.newBuilder()
+                                .setCertIdOrHash(certId)
+                                .setActive(false)
+                                .build()))
+        );
     }
 
     /**
@@ -378,14 +446,16 @@ public static void deactivateCert(String certId) throws Exception {
      * @param subjectName subject name of the certificate
      * @param format      the format of the request
      * @return GeneratedCertRequestInfo containing details and content of the certificate request
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
     public static GeneratedCertRequestInfo generateCertRequest(String keyId,
                                                                ClientId.Conf memberId,
                                                                KeyUsageInfo keyUsage,
                                                                String subjectName,
-                                                               CertificateRequestFormat format) throws Exception {
-        return generateCertRequest(keyId, memberId, keyUsage, subjectName, null, format, null);
+                                                               CertificateRequestFormat format) throws SignerException {
+        return tryToRun(
+                () -> generateCertRequest(keyId, memberId, keyUsage, subjectName, null, format, null)
+        );
     }
 
     /**
@@ -397,11 +467,20 @@ public static GeneratedCertRequestInfo generateCertRequest(String keyId,
      * @param subjectAltName subject alternative name of the certificate
      * @param format the format of the request
      * @return GeneratedCertRequestInfo containing details and content of the certificate request
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
     public static GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId.Conf memberId,
                                                                KeyUsageInfo keyUsage, String subjectName, String subjectAltName,
                                                                CertificateRequestFormat format, String certificateProfile)
+            throws SignerException {
+        return tryToRun(
+                () -> internalGenerateCertRequest(keyId, memberId, keyUsage, subjectName, subjectAltName, format, certificateProfile)
+        );
+    }
+
+    private static GeneratedCertRequestInfo internalGenerateCertRequest(String keyId, ClientId.Conf memberId,
+                                                                        KeyUsageInfo keyUsage, String subjectName, String subjectAltName,
+                                                                        CertificateRequestFormat format, String certificateProfile)
             throws Exception {
 
         var reqBuilder = GenerateCertRequestReq.newBuilder()
@@ -443,10 +522,15 @@ public static GeneratedCertRequestInfo generateCertRequest(String keyId, ClientI
      * @param certRequestId csr ID
      * @param format        the format of the request
      * @return GeneratedCertRequestInfo containing details and content of the certificate request
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
     public static GeneratedCertRequestInfo regenerateCertRequest(String certRequestId,
-                                                                 CertificateRequestFormat format) throws Exception {
+                                                                 CertificateRequestFormat format) throws SignerException {
+        return tryToRun(() -> internalRegenerateCertRequest(certRequestId, format));
+    }
+
+    private static GeneratedCertRequestInfo internalRegenerateCertRequest(String certRequestId,
+                                                                          CertificateRequestFormat format) throws Exception {
 
         var response = RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
                 .regenerateCertRequest(RegenerateCertRequestReq.newBuilder()
@@ -464,46 +548,39 @@ public static GeneratedCertRequestInfo regenerateCertRequest(String certRequestI
                 response.getKeyUsage());
     }
 
-    /**
-     * DTO since we don't want to leak signer message objects out
-     */
-    @Value
-    public static class GeneratedCertRequestInfo {
-        String certReqId;
-        byte[] certRequest;
-        CertificateRequestFormat format;
-        ClientId memberId;
-        KeyUsageInfo keyUsage;
-    }
 
     /**
      * Delete the certificate request with the given ID.
      *
      * @param certRequestId ID of the certificate request
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void deleteCertRequest(String certRequestId) throws Exception {
+    public static void deleteCertRequest(String certRequestId) throws SignerException {
         log.trace("Deleting cert request '{}'", certRequestId);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
-                .deleteCertRequest(DeleteCertRequestReq.newBuilder()
-                        .setCertRequestId(certRequestId)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
+                        .deleteCertRequest(DeleteCertRequestReq.newBuilder()
+                                .setCertRequestId(certRequestId)
+                                .build()))
+        );
     }
 
     /**
      * Delete the certificate with the given ID.
      *
      * @param certId ID of the certificate
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void deleteCert(String certId) throws Exception {
+    public static void deleteCert(String certId) throws SignerException {
         log.trace("Deleting cert '{}'", certId);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
-                .deleteCert(DeleteCertReq.newBuilder()
-                        .setCertId(certId)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
+                        .deleteCert(DeleteCertReq.newBuilder()
+                                .setCertId(certId)
+                                .build()))
+        );
     }
 
     /**
@@ -512,16 +589,18 @@ public static void deleteCert(String certId) throws Exception {
      *
      * @param keyId           ID of the certificate request
      * @param deleteFromToken whether the key should be deleted from the token
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void deleteKey(String keyId, boolean deleteFromToken) throws Exception {
+    public static void deleteKey(String keyId, boolean deleteFromToken) throws SignerException {
         log.trace("Deleting key '{}', from token = {}", keyId, deleteFromToken);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
-                .deleteKey(DeleteKeyReq.newBuilder()
-                        .setKeyId(keyId)
-                        .setDeleteFromDevice(deleteFromToken)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
+                        .deleteKey(DeleteKeyReq.newBuilder()
+                                .setKeyId(keyId)
+                                .setDeleteFromDevice(deleteFromToken)
+                                .build()))
+        );
     }
 
     /**
@@ -529,34 +608,37 @@ public static void deleteKey(String keyId, boolean deleteFromToken) throws Excep
      *
      * @param certId ID of the certificate
      * @param status new status of the certificate
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void setCertStatus(String certId, String status) throws Exception {
+    public static void setCertStatus(String certId, String status) throws SignerException {
         log.trace("Setting cert ('{}') status to '{}'", certId, status);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
-                .setCertStatus(SetCertStatusReq.newBuilder()
-                        .setCertId(certId)
-                        .setStatus(status)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
+                        .setCertStatus(SetCertStatusReq.newBuilder()
+                                .setCertId(certId)
+                                .setStatus(status)
+                                .build()))
+        );
     }
 
-
     /**
      * Sets the hash of the renewed certificate with the given old cert ID.
      *
      * @param certId ID of the old certificate
      * @param hash new hash of the renewed certificate
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void setRenewedCertHash(String certId, String hash) throws Exception {
+    public static void setRenewedCertHash(String certId, String hash) throws SignerException {
         log.trace("Setting cert ('{}') renewed cert hash to '{}'", certId, hash);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
-                .setRenewedCertHash(SetRenewedCertHashReq.newBuilder()
-                        .setCertId(certId)
-                        .setHash(hash)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
+                        .setRenewedCertHash(SetRenewedCertHashReq.newBuilder()
+                                .setCertId(certId)
+                                .setHash(hash)
+                                .build()))
+        );
     }
 
     /**
@@ -564,16 +646,18 @@ public static void setRenewedCertHash(String certId, String hash) throws Excepti
      *
      * @param certId ID of the certificate to be renewed
      * @param errorMessage message of the error that was thrown when trying to renew the given certificate
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void setRenewalError(String certId, String errorMessage) throws Exception {
+    public static void setRenewalError(String certId, String errorMessage) throws SignerException {
         log.trace("Setting cert ('{}') renewal error to '{}'", certId, errorMessage);
 
-        RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
-                .setRenewalError(SetRenewalErrorReq.newBuilder()
-                        .setCertId(certId)
-                        .setErrorMessage(errorMessage)
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
+                        .setRenewalError(SetRenewalErrorReq.newBuilder()
+                                .setCertId(certId)
+                                .setErrorMessage(errorMessage)
+                                .build()))
+        );
     }
 
     /**
@@ -581,31 +665,35 @@ public static void setRenewalError(String certId, String errorMessage) throws Ex
      *
      * @param certId ID of the certificate to be renewed
      * @param nextRenewalTime message of the error that was thrown when trying to renew the given certificate
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static void setNextPlannedRenewal(String certId, Instant nextRenewalTime) throws Exception {
+    public static void setNextPlannedRenewal(String certId, Instant nextRenewalTime) throws SignerException {
         log.trace("Setting cert ('{}') next planned renewal time to '{}'", certId, nextRenewalTime);
-
-        com.google.protobuf.Timestamp nextRenewalTimestamp = com.google.protobuf.Timestamp.newBuilder()
-                .setSeconds(nextRenewalTime.getEpochSecond())
-                .setNanos(nextRenewalTime.getNano())
-                .build();
-        RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
-                .setNextPlannedRenewal(SetNextPlannedRenewalReq.newBuilder()
-                        .setCertId(certId)
-                        .setNextRenewalTime(nextRenewalTimestamp)
-                        .build()));
+        tryToRun(() -> {
+            com.google.protobuf.Timestamp nextRenewalTimestamp = com.google.protobuf.Timestamp.newBuilder()
+                    .setSeconds(nextRenewalTime.getEpochSecond())
+                    .setNanos(nextRenewalTime.getNano())
+                    .build();
+            RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
+                    .setNextPlannedRenewal(SetNextPlannedRenewalReq.newBuilder()
+                            .setCertId(certId)
+                            .setNextRenewalTime(nextRenewalTimestamp)
+                            .build()));
+        });
     }
 
-
     /**
      * Get a cert by it's hash
      *
      * @param hash cert hash. Will be converted to lowercase, which is what signer uses internally
      * @return CertificateInfo
-     * @throws Exception if any error occur
+     * @throws SignerException if any error occur
      */
-    public static CertificateInfo getCertForHash(String hash) throws Exception {
+    public static CertificateInfo getCertForHash(String hash) throws SignerException {
+        return tryToRun(() -> internalGetCertForHash(hash));
+    }
+
+    private static CertificateInfo internalGetCertForHash(String hash) throws Exception {
         final String finalHash = hash.toLowerCase();
         log.trace("Getting cert by hash '{}'", hash);
 
@@ -624,9 +712,13 @@ public static CertificateInfo getCertForHash(String hash) throws Exception {
      *
      * @param hash cert hash. Will be converted to lowercase, which is what signer uses internally
      * @return Key id and sign mechanism
-     * @throws Exception
+     * @throws SignerException
      */
-    public static KeyIdInfo getKeyIdForCertHash(String hash) throws Exception {
+    public static KeyIdInfo getKeyIdForCertHash(String hash) throws SignerException {
+        return tryToRun(() -> internalGetKeyIdForCertHash(hash));
+    }
+
+    private static KeyIdInfo internalGetKeyIdForCertHash(String hash) throws Exception {
         final String finalHash = hash.toLowerCase();
         log.trace("Getting cert by hash '{}'", finalHash);
 
@@ -645,9 +737,13 @@ public static KeyIdInfo getKeyIdForCertHash(String hash) throws Exception {
      *
      * @param hash cert hash. Will be converted to lowercase, which is what signer uses internally
      * @return TokenInfoAndKeyId
-     * @throws Exception
+     * @throws SignerException
      */
-    public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws Exception {
+    public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws SignerException {
+        return tryToRun(() -> internalGetTokenAndKeyIdForCertHash(hash));
+    }
+
+    private static TokenInfoAndKeyId internalGetTokenAndKeyIdForCertHash(String hash) throws Exception {
         String hashLowercase = hash.toLowerCase();
         log.trace("Getting token and key id by cert hash '{}'", hashLowercase);
 
@@ -666,9 +762,13 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertHash(String hash) throws
      * @param certHashes cert hashes to find OCSP responses for
      * @return base64 encoded OCSP responses. Each array item is OCSP response for
      * corresponding cert in {@code certHashes}
-     * @throws Exception if something failed
+     * @throws SignerException if something failed
      */
-    public static String[] getOcspResponses(String[] certHashes) throws Exception {
+    public static String[] getOcspResponses(String[] certHashes) throws SignerException {
+        return tryToRun(() -> internalGetOcspResponses(certHashes));
+    }
+
+    private static String[] internalGetOcspResponses(String[] certHashes) throws Exception {
 
         var response = RpcSignerClient.execute(ctx -> ctx.getBlockingOcspService()
                 .getOcspResponses(GetOcspResponsesReq.newBuilder()
@@ -687,11 +787,13 @@ public static String[] getOcspResponses(String[] certHashes) throws Exception {
     }
 
     public static void setOcspResponses(String[] certHashes, String[] base64EncodedResponses) throws Exception {
-        RpcSignerClient.execute(ctx -> ctx.getBlockingOcspService()
-                .setOcspResponses(SetOcspResponsesReq.newBuilder()
-                        .addAllCertHashes(asList(certHashes))
-                        .addAllBase64EncodedResponses(asList(base64EncodedResponses))
-                        .build()));
+        tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingOcspService()
+                        .setOcspResponses(SetOcspResponsesReq.newBuilder()
+                                .addAllCertHashes(asList(certHashes))
+                                .addAllBase64EncodedResponses(asList(base64EncodedResponses))
+                                .build()))
+        );
     }
 
     private static List<String> toLowerCase(String[] certHashes) {
@@ -705,18 +807,19 @@ private static List<String> toLowerCase(String[] certHashes) {
      *
      * @param serverId securityServerId
      * @return authKeyInfo
-     * @throws Exception
+     * @throws SignerException
      */
-    public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception {
-        var response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
-                .getAuthKey(GetAuthKeyReq.newBuilder()
-                        .setSecurityServer(SecurityServerIdMapper.toDto(serverId))
-                        .build()));
-
-        return new AuthKeyInfo(response.getAlias(),
-                response.getKeyStoreFileName(),
-                response.getPassword().toCharArray(),
-                new CertificateInfo(response.getCert()));
+    public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
+                        .getAuthKey(GetAuthKeyReq.newBuilder()
+                                .setSecurityServer(SecurityServerIdMapper.toDto(serverId))
+                                .build())),
+                response -> new AuthKeyInfo(response.getAlias(),
+                        response.getKeyStoreFileName(),
+                        response.getPassword().toCharArray(),
+                        new CertificateInfo(response.getCert()))
+        );
     }
 
     /**
@@ -724,19 +827,20 @@ public static AuthKeyInfo getAuthKey(SecurityServerId serverId) throws Exception
      *
      * @param certRequestId
      * @return TokenInfoAndKeyId
-     * @throws Exception
+     * @throws SignerException
      */
-    public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequestId) throws Exception {
+    public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequestId) throws SignerException {
         log.trace("Getting token and key id by cert request id '{}'", certRequestId);
-
-        var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
-                .getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdReq.newBuilder()
-                        .setCertRequestId(certRequestId)
-                        .build()));
-
-        log.trace("Token and key id with cert request id '{}' found", certRequestId);
-
-        return new TokenInfoAndKeyId(new TokenInfo(response.getTokenInfo()), response.getKeyId());
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
+                        .getTokenAndKeyIdByCertRequestId(GetTokenByCertRequestIdReq.newBuilder()
+                                .setCertRequestId(certRequestId)
+                                .build())),
+                response -> {
+                    log.trace("Token and key id with cert request id '{}' found", certRequestId);
+                    return new TokenInfoAndKeyId(new TokenInfo(response.getTokenInfo()), response.getKeyId());
+                }
+        );
     }
 
     /**
@@ -744,92 +848,117 @@ public static TokenInfoAndKeyId getTokenAndKeyIdForCertRequestId(String certRequ
      *
      * @param keyId id of the key
      * @return TokenInfo
-     * @throws Exception if any errors occur
+     * @throws SignerException if any errors occur
      */
-    public static TokenInfo getTokenForKeyId(String keyId) throws Exception {
-        var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
-                .getTokenByKey(GetTokenByKeyIdReq.newBuilder().setKeyId(keyId).build()));
-
-        return new TokenInfo(response);
+    public static TokenInfo getTokenForKeyId(String keyId) throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
+                        .getTokenByKey(GetTokenByKeyIdReq.newBuilder().setKeyId(keyId).build())),
+                TokenInfo::new
+        );
+    }
+
+    public static SignMechanism getSignMechanism(String keyId) throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
+                        .getSignMechanism(GetSignMechanismReq.newBuilder()
+                                .setKeyId(keyId)
+                                .build())),
+                response -> SignMechanism.valueOf(response.getSignMechanismName())
+        );
+    }
+
+    public static byte[] sign(String keyId, SignAlgorithm signatureAlgorithmId, byte[] digest) throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
+                                .sign(SignReq.newBuilder()
+                                        .setKeyId(keyId)
+                                        .setSignatureAlgorithmId(signatureAlgorithmId.name())
+                                        .setDigest(ByteString.copyFrom(digest))
+                                        .build()))
+                        .getSignature().toByteArray()
+        );
+    }
+
+    public static Boolean isTokenBatchSigningEnabled(String keyId) throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
+                                .getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq.newBuilder()
+                                        .setKeyId(keyId)
+                                        .build()))
+                        .getBatchingSigningEnabled()
+        );
+    }
+
+    public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
+                        .getMemberSigningInfo(GetMemberSigningInfoReq.newBuilder()
+                                .setMemberId(ClientIdMapper.toDto(clientId))
+                                .build())),
+                response -> new MemberSigningInfoDto(response.getKeyId(),
+                        new CertificateInfo(response.getCert()),
+                        SignMechanism.valueOf(response.getSignMechanismName()))
+        );
+    }
+
+    public static List<CertificateInfo> getMemberCerts(ClientId memberId) throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
+                                .getMemberCerts(GetMemberCertsReq.newBuilder()
+                                        .setMemberId(ClientIdMapper.toDto(memberId))
+                                        .build()))
+                        .getCertsList().stream()
+                        .map(CertificateInfo::new)
+                        .collect(Collectors.toList())
+        );
+    }
+
+    public static boolean isHSMOperational() throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
+                                .getHSMOperationalInfo(Empty.getDefaultInstance()))
+                        .getOperational()
+        );
     }
 
-    public static SignMechanism getSignMechanism(String keyId) throws Exception {
-        GetSignMechanismResp response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
-                .getSignMechanism(GetSignMechanismReq.newBuilder()
-                        .setKeyId(keyId)
-                        .build()));
-
-        return SignMechanism.valueOf(response.getSignMechanismName());
-    }
-
-    public static byte[] sign(String keyId, SignAlgorithm signatureAlgorithmId, byte[] digest) throws Exception {
-        var response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
-                .sign(SignReq.newBuilder()
-                        .setKeyId(keyId)
-                        .setSignatureAlgorithmId(signatureAlgorithmId.name())
-                        .setDigest(ByteString.copyFrom(digest))
-                        .build()));
-
-        return response.getSignature().toByteArray();
-    }
-
-    public static Boolean isTokenBatchSigningEnabled(String keyId) throws Exception {
-        var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
-                .getTokenBatchSigningEnabled(GetTokenBatchSigningEnabledReq.newBuilder()
-                        .setKeyId(keyId)
-                        .build()));
-
-        return response.getBatchingSigningEnabled();
-    }
-
-    public static MemberSigningInfoDto getMemberSigningInfo(ClientId clientId) throws Exception {
-        var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
-                .getMemberSigningInfo(GetMemberSigningInfoReq.newBuilder()
-                        .setMemberId(ClientIdMapper.toDto(clientId))
-                        .build()));
-
-        return new MemberSigningInfoDto(response.getKeyId(),
-                new CertificateInfo(response.getCert()),
-                SignMechanism.valueOf(response.getSignMechanismName()));
+    public static byte[] signCertificate(String keyId, SignAlgorithm signatureAlgorithmId, String subjectName, PublicKey publicKey)
+            throws SignerException {
+        return tryToRun(
+                () -> RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
+                                .signCertificate(SignCertificateReq.newBuilder()
+                                        .setKeyId(keyId)
+                                        .setSignatureAlgorithmId(signatureAlgorithmId.name())
+                                        .setSubjectName(subjectName)
+                                        .setPublicKey(ByteString.copyFrom(publicKey.getEncoded()))
+                                        .build()))
+                        .getCertificateChain().toByteArray()
+        );
     }
 
-    public static List<CertificateInfo> getMemberCerts(ClientId memberId) throws Exception {
-        var response = RpcSignerClient.execute(ctx -> ctx.getBlockingCertificateService()
-                .getMemberCerts(GetMemberCertsReq.newBuilder()
-                        .setMemberId(ClientIdMapper.toDto(memberId))
-                        .build()));
-
-        return response.getCertsList().stream()
-                .map(CertificateInfo::new)
-                .collect(Collectors.toList());
+    /**
+     * DTO since we don't want to leak signer message objects out
+     * @param certReqId
+     * @param certRequest
+     * @param format
+     * @param memberId
+     * @param keyUsage
+     */
+    public record GeneratedCertRequestInfo(String certReqId, byte[] certRequest, CertificateRequestFormat format, ClientId memberId,
+                                           KeyUsageInfo keyUsage) {
     }
 
-    public static boolean isHSMOperational() throws Exception {
-        var response = RpcSignerClient.execute(ctx -> ctx.getBlockingTokenService()
-                .getHSMOperationalInfo(Empty.getDefaultInstance()));
-
-        return response.getOperational();
+    public record MemberSigningInfoDto(String keyId, CertificateInfo cert, SignMechanism signMechanismName) {
     }
 
-    public static byte[] signCertificate(String keyId, SignAlgorithm signatureAlgorithmId, String subjectName, PublicKey publicKey)
-            throws Exception {
-        var response = RpcSignerClient.execute(ctx -> ctx.getBlockingKeyService()
-                .signCertificate(SignCertificateReq.newBuilder()
-                        .setKeyId(keyId)
-                        .setSignatureAlgorithmId(signatureAlgorithmId.name())
-                        .setSubjectName(subjectName)
-                        .setPublicKey(ByteString.copyFrom(publicKey.getEncoded()))
-                        .build()));
-
-        return response.getCertificateChain().toByteArray();
+    public record KeyIdInfo(String keyId, SignMechanism signMechanismName) {
     }
 
-
-    public record MemberSigningInfoDto(String keyId, CertificateInfo cert, SignMechanism signMechanismName) {
+    private interface ActionWithResult<T> {
+        T run() throws Exception;
     }
 
-
-    public record KeyIdInfo(String keyId, SignMechanism signMechanismName) {
+    private interface Action {
+        void run() throws Exception;
     }
-
 }
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/exception/SignerException.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/exception/SignerException.java
new file mode 100644
index 0000000000..6fe3eb84a1
--- /dev/null
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/exception/SignerException.java
@@ -0,0 +1,139 @@
+/*
+ * The MIT License
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ * <p>
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * <p>
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * <p>
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.signer.exception;
+
+import ee.ria.xroad.common.CodedException;
+
+import static ee.ria.xroad.common.ErrorCodes.SIGNER_X;
+import static ee.ria.xroad.common.ErrorCodes.X_CERT_EXISTS;
+import static ee.ria.xroad.common.ErrorCodes.X_CERT_NOT_FOUND;
+import static ee.ria.xroad.common.ErrorCodes.X_CSR_NOT_FOUND;
+import static ee.ria.xroad.common.ErrorCodes.X_INCORRECT_CERTIFICATE;
+import static ee.ria.xroad.common.ErrorCodes.X_KEY_NOT_FOUND;
+import static ee.ria.xroad.common.ErrorCodes.X_LOGIN_FAILED;
+import static ee.ria.xroad.common.ErrorCodes.X_PIN_INCORRECT;
+import static ee.ria.xroad.common.ErrorCodes.X_TOKEN_NOT_FOUND;
+import static ee.ria.xroad.common.ErrorCodes.X_WRONG_CERT_USAGE;
+
+public class SignerException extends CodedException {
+    public static final String CKR_PIN_INCORRECT_MESSAGE = "Login failed: CKR_PIN_INCORRECT";
+
+    public SignerException(CodedException ce) {
+        super(ce.getFaultCode(), ce, ce.getFaultString());
+        withPrefix(SIGNER_X);
+        translationCode = ce.getTranslationCode();
+        arguments = ce.getArguments();
+    }
+
+    public SignerException(String faultCode) {
+        super(faultCode);
+        withPrefix(SIGNER_X);
+    }
+
+    public SignerException(String faultCode, String faultMessage, Object... arguments) {
+        super(faultCode, faultMessage, arguments);
+        withPrefix(SIGNER_X);
+    }
+
+
+    public SignerException(String faultCode, Throwable cause) {
+        super(faultCode, cause);
+        withPrefix(SIGNER_X);
+    }
+
+    public SignerException(String faultCode, String faultMessage, Throwable cause) {
+        super(faultCode, cause, faultMessage);
+        withPrefix(SIGNER_X);
+    }
+
+    private boolean isCausedBy(String faultCode) {
+        return getFaultCode().endsWith("." + faultCode);
+    }
+
+    public boolean isCausedByCertNotFound() {
+        return isCausedBy(X_CERT_NOT_FOUND);
+    }
+
+    public boolean isCausedByTokenNotFound() {
+        return isCausedBy(X_TOKEN_NOT_FOUND);
+    }
+
+    public boolean isCausedByKeyNotFound() {
+        return isCausedBy(X_KEY_NOT_FOUND);
+    }
+
+    public boolean isCausedByCsrNotFound() {
+        return isCausedBy(X_CSR_NOT_FOUND);
+    }
+
+    public boolean isCausedByCertificateWrongUsage() {
+        return isCausedBy(X_WRONG_CERT_USAGE);
+    }
+
+    public boolean isCausedByIncorrectCertificate() {
+        return isCausedBy(X_INCORRECT_CERTIFICATE);
+    }
+
+    public boolean isCausedByDuplicateCertificate() {
+        return isCausedBy(X_CERT_EXISTS);
+    }
+
+    public boolean isCausedByIncorrectPin() {
+        if (isCausedBy(X_PIN_INCORRECT)) {
+            return true;
+        } else if (isCausedBy(X_LOGIN_FAILED)) {
+            // only way to detect HSM pin incorrect is by matching to codedException
+            // fault string.
+            return CKR_PIN_INCORRECT_MESSAGE.equals(getFaultString());
+        }
+        return false;
+    }
+
+    /**
+     * Creates new exception with translation code for i18n.
+     * @param faultCode the fault code
+     * @param trCode the translation code
+     * @param faultMessage the message
+     * @return CodedException
+     */
+    public static SignerException tr(String faultCode, String trCode,
+                                     String faultMessage) {
+        SignerException ret = new SignerException(faultCode, faultMessage);
+
+        ret.translationCode = trCode;
+
+        return ret;
+    }
+
+    public static SignerException tr(String faultCode, String trCode,
+                                     String faultMessage, Object... args) {
+        SignerException ret = new SignerException(faultCode, faultMessage, args);
+
+        ret.translationCode = trCode;
+
+        return ret;
+    }
+
+}
diff --git a/src/signer/core/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java b/src/signer/core/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java
index 348d2a1eea..67dabaa8a3 100644
--- a/src/signer/core/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java
+++ b/src/signer/core/src/intTest/java/org/niis/xroad/signer/test/glue/SignerStepDefs.java
@@ -36,6 +36,7 @@
 import ee.ria.xroad.common.identifier.ClientId;
 import ee.ria.xroad.common.identifier.SecurityServerId;
 import ee.ria.xroad.signer.SignerProxy;
+import ee.ria.xroad.signer.exception.SignerException;
 import ee.ria.xroad.signer.protocol.RpcSignerClient;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
@@ -319,10 +320,10 @@ public void certRequestIsGeneratedForTokenKey(String keyUsage, String friendlyNa
                 KeyUsageInfo.valueOf(keyUsage),
                 "CN=key-" + keyName, CertificateRequestFormat.DER);
 
-        this.scenarioCsrId = csrInfo.getCertReqId();
+        this.scenarioCsrId = csrInfo.certReqId();
 
         File csrFile = File.createTempFile("tmp", keyUsage.toLowerCase() + "_csr" + System.currentTimeMillis());
-        FileUtils.writeByteArrayToFile(csrFile, csrInfo.getCertRequest());
+        FileUtils.writeByteArrayToFile(csrFile, csrInfo.certRequest());
         putStepData(StepDataKey.DOWNLOADED_FILE, csrFile);
     }
 
@@ -706,8 +707,8 @@ public void signerClientReinitializedWithTimeoutMilliseconds(int timeoutMillis)
     @Step("getTokens fails with timeout exception")
     public void signerGetTokensFailsWithTimeoutException() {
         assertThatThrownBy(SignerProxy::getTokens)
-                .isInstanceOf(CodedException.class)
-                .hasMessageContaining("Signer: Signer client timed out.");
+                .isInstanceOf(SignerException.class)
+                .hasMessageContaining("Signer.NetworkError: Signer client timed out.");
     }
 
     @ParameterType("RSA|EC")