Requirements

Two-factor authentication (2FA)

2FA is required when signing with a key stored in Software Trust Manager.

To enable 2FA:

Sign in to DigiCert ONE.
Navigate to the Manager menu icon (top right) > Accounts.
Select the Name of the account.
On the Account details page, navigate to the Sign-in settings for all-account-access users section.
Select the pencil icon next to Two-factor authentication.
Select the radio button next to Enable two-factor authentication.
Select Update two-factor authentication.

API key

An API key is a unique identifier generated by the server to authenticate a user or calling program to an API. The API key acts as the first factor of authentication when connecting to DigiCert® KeyLocker client tools.

Anmerkung

The permissions for the API token are based upon your user role set in DigiCert® KeyLocker.

To create an API key:

Sign in to DigiCert ONE.
Click Profile icon (top-right).
Select Admin Profile.
Identify the On this page section (right), select API tokens.
Select Create API token.

Client authentication certificate

A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API. The client authentication certificate acts as the second factor of authentication when connecting to DigiCert® KeyLocker client tools .

Anmerkung

The permissions for the client authentication certificate are based upon your user role set in DigiCert® KeyLocker.

To generate a client certificate:

Sign in to DigiCert ONE.
Click Profile icon (top-right).
Select Admin Profile.
Identify the On this page section (right), select Authentication Certificates.
Select Create authentication certificate.

Anmerkung

The client certificate password is only shown once after creating the client certificate, it cannot be accessed again. Copy and paste the password directly into this field. Securely store the passcode if you will require it later.

Host environment

During environment variable setup, you are required to provide the DigiCert ONE host value: https://clientauth.one.digicert.com.

Client tools

To download client tools:

Sign in to DigiCert ONE.
Select the Manager meu (top-right) > DigiCert® KeyLocker.
Navigate to: Resources > Client tool repository.
Download the appropriate files, move them to the appropriate client computer, and extract (or install).

The following client tools are available:

Beispiel 1. Windows

The following clients tools are available for signing on Windows:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
DigiCert® Click-to-sign
DigiCert Click-to-sign provides Windows customers with a simple UI-based signing workflow that does not require use of the SMCTL. After you specify your signing preferences in the DigiCert Click-to-sign installation wizard, you simply need to right-click on a file or folder to sign.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.
KSP library
KSP is a Microsoft CNG (Cryptographic: Next Generation) library-based client-side tool

Beispiel 2. Linux

The following clients tools are available for signing on Linux:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.

Beispiel 3. macOS

The following clients tools are available for signing on macOS:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.

Set PATH environment variables

Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.

Anmerkung

Client tools must be available in the PATH variable for the environment to invoke the client control from CI/CD integration without specifying the path. For the examples given, it is assumed that the path to the client control tools has been set in the path.

Beispiel 4. Windows

You can set the PATH environment variable using command line or via the environment variables.

To set the path to your signing tools via command line:

set PATH=%path%;<path to client tools>

To set the path to your signing tools for your system or account:

Search for environment variables in the Windows start menu.
Select Edit environment variables for your account or Edit system environment variables.
Double click on the Path variable.
Click New.
Select Browse.
Select the path to the client tools.
Click OK to save the path.
Click on OK to close the dialog.

Beispiel 5. Linux

To set the path to your signing tools via command line:

Launch the Terminal application.
Open the file in an editor:
```
nano ~/.profile
```
Add any exports definitions you need:
```
export PATH=<Path to client tools>
```
Click CTRL+X to exit.
Click Y to save.
Click Enter to keep the same file name.
Execute the new .profile by restarting Terminal or using:
```
 source ~/.profile
```

Beispiel 6. macOS

To set the path to your signing tools via command line:

Launch the Terminal application.
Create a profile file:
```
touch ~/.zprofile
```
Open the file in an editor:
```
open ~/.zprofile
```
Add any exports definitions you need, such as:
```
export PATH=<Path to client tools>
```
To save the new .zprofile, click File > Save (CMD + S).
Close the terminal window and reopen to use new saved variables.

Secure your credentials

Your DigiCert ONE host environment, API key, client authentication certificate and password makes up your environment variables and are required to access DigiCert® KeyLocker client tools. Use one of the methods provided below to securely store your credentials based on your operating system.

Beispiel 7. Windows

The most secure method is to store your API key and client authentication certificate password in Windows Credential Manager, an encrypted vault, protected from unauthorized access.

Beispiel 8. Linux

The most secure method is to store your API key and client authentication certificate password in Linux Pass, a password manager that uses GnuPG for encryption and decryption of stored information.

Beispiel 9. macOS

The most secure method is to store your API key and client authentication certificate password in Keychain Access, an application that stores your passwords and account information.

In diesem Abschnitt:

Requirements

Two-factor authentication (2FA)

API key

Anmerkung

Client authentication certificate

Anmerkung

Anmerkung

Host environment

Client tools

Set PATH environment variables

Anmerkung

Secure your credentials

Suchresultat