Identify signing errors
If you encounter errors while working with DigiCert® KeyLocker client tools, follow the methods below.
Cryptographic library logs
When you encounter an error while signing via PKCS11, KSP, or JCE, follow the procedure below:
To set the log level to TRACE, run the command:
Run the signing command that failed again.
To identify where your logs are located, run:
echo %USERPROFILE%/.signingmanager/logs
Copy the output of the command to navigate to the logs location.
Identify one of the log files based on the signing tool that was used to sign:
Open the log file.
To identify the most recent event, scroll to the end of the logs.
The last few lines should explain why the error occurred.
If you are unable to resolve the error based on the information provided, contact Support and provide the log file.
Common errors and solutions
Here are a few common signing errors.
KeyLocker user is not the designated signer
The following error may be shown to the KeyLocker Lead when attempting to sign in SMCTL:
SMCTL error
CKR_FUNCTION_FAILED\r\n - exit status 1
SMPKCS11 and KSP logs
level="error" msg="hash signing failed for hash: 03c1cedf4ebe2908c0894fbe756aa8cf565f83bbc8984ea9bd0106c8c24bd8f3, keypair_id: 180dd722-85f0-4996-a6db-2969b75637f7, signature_algorithm: SHA256withRSA: status_code=403, message={\"error\":{\"status\":\"access_denied\",\"message\":\"User - John Doe does not have privileges to access the keypair - key_686090048.\"}}, nested_error=<nil>" executable="jarsigner" func="securesigning/cli/pkcs11/service.(*service).Sign:622" pid="9820"
Description
The error occurred because the user attempting to sign with the KeyLocker certificate is not allowed to sign with this certificate.
Solution
There are two solutions to this error:
Sign with a different certificate that you are allowed to sign with.
Reach out to your KeyLocker Lead and request that they add you as the designated signer for the certificate you want to sign with.
KeyLocker user is not the designated signer
The following error may be shown to the KeyLocker Signer when attempting to sign in SMCTL:
SMCTL error
CKR_FUNCTION_FAILED\r\n - exit status 1
SMCTL log error
level="error" msg="Error : jarsigner: Certificate chain not found for: key_686090048. key_686090048 must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.\r\n - exit status 1: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78" pid="6576"
Description
The error occurred because the user attempting to sign with the KeyLocker certificate is not allowed to sign with this certificate.
Solution
There are two solutions to this error:
Sign with a different certificate that you are allowed to sign with.
Reach out to your KeyLocker Lead and request that they add you as the designated signer for the certificate you want to sign with.
Signature limit reached
The following error may be shown to the KeyLocker Lead when attempting to sign:
SMCTL error
CKR_FUNCTION_FAILED\r\n - exit status 1
SMPKCS11 and KSP logs
level="error" msg="hash signing failed for hash: 03c1cedf4ebe2908c0894fbe756aa8cf565f83bbc8984ea9bd0106c8c24bd8f3, keypair_id: 3553a484-e2d4-4c63-a233-6574e828b777, signature_algorithm: SHA256withRSA: status_code=400, message={\"error\":{\"status\":\"signature_units\",\"message\":\"Max Signatures consumed for the keypair 3553a484-e2d4-4c63-a233-6574e828b777, alias key_686089859 associated with the CertCentral order Id 686,089,859.\"}}, nested_error=<nil>" executable="jarsigner" func="securesigning/cli/pkcs11/service.(*service).Sign:622" pid="15852"
Description
The error occurred because your certificate has reached the signature limit.
Solution
You can purchase additional signatures in increments of 1,000 from CertCentral.
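The log-reading procedure and the error cases above can be automated. The following is an added Python example, not DigiCert code: it scans log lines from the end and maps the most recent error to the solutions listed on this page. The sample lines are abridged from this page's excerpts (hash and keypair ID replaced by placeholders, the first line constructed), and the label chain_not_found is made up here.

```python
import json
import re

# key="value" pairs of a log line; values may contain backslash-escaped quotes.
PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# API failure embedded in msg: status_code=NNN, message={json}, nested_error=...
API = re.compile(r'status_code=(\d+), message=(\{.*\}), nested_error=')

# Solutions as stated on this page, keyed by the error status found in the log.
NOT_SIGNER = "not the designated signer: use another certificate or ask your KeyLocker Lead"
REMEDY = {
    "access_denied": NOT_SIGNER,
    "chain_not_found": NOT_SIGNER,  # hypothetical label for the jarsigner message
    "signature_units": "signature limit reached: purchase additional signatures in CertCentral",
}

def classify(line):
    """Return (status, http_code, remedy) for an error line, or None otherwise."""
    fields = dict(PAIR.findall(line))
    if fields.get("level") != "error":
        return None
    msg = fields.get("msg", "").replace('\\"', '"')  # undo the \" escaping
    m = API.search(msg)
    if m:
        try:
            status = json.loads(m.group(2))["error"]["status"]
        except (ValueError, KeyError, TypeError):
            status = "unparsed"
        code = int(m.group(1))
    elif "Certificate chain not found" in msg:
        status, code = "chain_not_found", None
    else:
        status, code = "unknown", None
    return status, code, REMEDY.get(status, "send the log file to Support")

def last_error(lines):
    """Classify the most recent error, scanning from the end of the log."""
    return next((r for r in map(classify, reversed(lines)) if r), None)

# Sample lines abridged from the log excerpts on this page (first one constructed).
SAMPLE = [
    r'level="info" msg="session opened" executable="jarsigner" pid="9820"',
    r'level="error" msg="hash signing failed for hash: <hash>, keypair_id: <id>, signature_algorithm: SHA256withRSA: status_code=403, message={\"error\":{\"status\":\"access_denied\",\"message\":\"User - John Doe does not have privileges to access the keypair - key_686090048.\"}}, nested_error=<nil>" executable="jarsigner" pid="9820"',
    r'level="error" msg="Error : jarsigner: Certificate chain not found for: key_686090048.\r\n - exit status 1: " executable="smctl" pid="6576"',
    r'level="error" msg="hash signing failed for hash: <hash>, keypair_id: <id>, signature_algorithm: SHA256withRSA: status_code=400, message={\"error\":{\"status\":\"signature_units\",\"message\":\"Max Signatures consumed for the keypair <id>, alias key_686089859\"}}, nested_error=<nil>" executable="jarsigner" pid="15852"',
]
```

To use it on a real log, pass the file's lines to last_error, for example last_error(open(path, encoding="utf-8").read().splitlines()).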