DigiCert KeyLocker

You may have been notified about an updated version of KeyLocker tools. However, if you have already downloaded version 1.41.0 of the KeyLocker client tools, there is no need to update your client tools to the latest version, as the changes made do not affect KeyLocker users.

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.

The SMCTL desync command previously only desynced the expired and revoked certificates associated with a keypair from the local Windows store. We have improved the functionality of this command to allow you to additionally specify invalid or all as a parameter in the Windows desync command so that all certificates associated with the keypair would be desynced.

The SMCTL verify signature command has previously provided a lengthy output that made it difficult to identify if the verification of the signature was a success or failure. We have introduced a new parameter called --quiet that can be added to the verify signature command to limit the output of the command to one sentence confirming if the verification of the signature is a success or failure.

DigiCert​​®​​ KeyLocker client tools previously only worked on old versions of MacOS with x86_64 architecture. To support the newer versions of macOS with arm64 architecture we upgraded our macOS client tools to support signing on both macOS x86_64 and arm64 architecture.

New DigiCert​​®​​ KeyLocker accounts were unable to connect to CertCentral using a CertCentral API key. This issue has been fixed and new DigiCert​​®​​ KeyLocker accounts are successfully able to connect to CertCentral using a CertCentral API key.

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

DigiCert​​®​​ KeyLocker now supports signing on macOS. You can continue to sign directly with third-party signing tools or use Signing Manager Controller (SMCTL), a command line interface (CLI) that offers simplified signing integrated with third-party signing tools. Download macOS clients to enable signing. To identify the third-party signing tools required to sign, refer to file types supported for signing.

Fixed tool descriptions to specify that DigiCert Click-to-sign is only compatible with Windows 10.

When creating an API token or client authentication certificate from the KeyLocker wizard, users had to select a hyperlink. We found that this was not intuitive enough and resulted in users selecting Next without creating an API token or client authentication certificate. Added a Create button to streamline the process.

Signing commands often require the keypair alias and/or the certificate alias. These aliases are case-sensitive. To prevent unnecessary errors during signing, we have ensured that all certificate and keypair aliases are assigned in lowercase and have assigned the keypair and certificate aliases in a predictable format. Example:

CertCentral order number: 12345

Keypair alias: key_12345

Certificate alias: cert_12345

When a user requested a code signing certificate with KeyLocker provisioning in CertCentral, the master administrator for the CertCentral account was used to create the KeyLocker lead. This workflow caused KeyLocker account creation to fail when CertCentral accounts had no master administrator assigned to their account. In future, when a user requests a code signing certificate with KeyLocker provisioning in CertCentral, the user who approves the certificate request will become the KeyLocker lead.

Fixed an issue that loaded and incorrect page when loading the KeyLocker wizard, then redirected to the correct page. When selecting Get Started in KeyLocker, the wizard now correctly displays without the redirect.

Fixed an issue where a banner message failed to confirm the tools the user could use to sign after running the smctl healthcheck command in step 3 of the KeyLocker wizard. Running the healthcheck command and selecting the Check status button now displays a banner confirming which signing tools the user has integrated with and can use to sign.

Link users to online documentation for KeyLocker workflows from resources section of the UI. Remove documentation links to API for KeyLocker customers in resources section of the UI.

Resolved a processing bug whereby when a CertCentral order request failed, it caused other orders for the account also to not processed. This issue is resolved with this release.

Implemented several content fixes and workflow improvements to the user setup wizard to help improve the overall experience when first using KeyLocker.

Enabled multi-factor authentication for all KeyLocker accounts at time of account setup.

Changed format of key alias from Key(CountOfKeysForAccount) to Key_CC_orderID.

KeyLocker now saves CertCentral order details in Keylocker even if the following occur:

Instead, you now receive the following error in CertCentral for one of the above failures: "CSR update failed for order ID. The requested action could not be completed at this time due to a resource conflict. Please try again after previous actions have completed."

DigiCert ONE is launching support for KeyLocker. KeyLocker is DigiCert's cloud-based key storage solution, compliant with CA/B Forum requirements for storing private keys for code signing and EV code signing certificates.

In this release, we are enabling service-to-service APIs to support key generation and check for feature flag enablement of DigiCert ONE accounts for the KeyLocker use case.

More features will follow in future releases.